30 Days of IT Compliance Q&A #5: How Can I Detect Abuse of Free Trial Downloads of My Product?

Last week’s RSA 2014 show provided a great line-up of content. One of my favorite talks was by Oscar Salazar and Rob Ragan from Bishop Fox called “Cloud Ninja: Catch Me If You Can!”

The abstract read: What happens when computer criminals start using friendly cloud services such as Dropbox, Google Apps, Heroku, Amazon EC2 and Yahoo Pipes for malicious activities? This presentation will explore how to (ab)use the free public cloud for the business of computer crime. Oh! Also we violate the hell out of some terms of service. “

Many companies now offer a free trial version of their product that is hosted in the cloud. While this is great from a marketing and sales standpoint, it does pose challenges to the IT department. If you are providing a cloud-based free trial, how do you detect or prevent the criminal or the freeloader who is using or abusing your service for their own gains?

Here are some of the common techniques to prevent fake, freeloading or fraudulent accounts:

• Analyze properties of Sybil accounts (use of social network accounts for authentication or verification)
• Analyze the arrival rate and distribution of accounts
• Flag accounts registered with emails from newly registered domain names
• Email verification
• CAPTCHAs
• IP Blacklisting
• Phone/SMS verification
• Automatic pattern recognition

Advanced techniques need to look at information about the browser creating the account and behaviors of accounts after they are enabled.

• Signup flow events
- Detect common activities after signup
• User-agent
• A registration bot may generate a different user-agent for each signup or use uncommon user-agent
• Form submission timing
• A bot that doesn’t mimic human behavior by performing certain actions too quickly can be detected

This may look like a comprehensive list … but most of these methods can be circumvented by use of temporary accounts or services. Once these accounts have the met service provider’s verification processes they begin to cost you real money.

 You’ll need to use more advanced methods to detect the fraudulent or freeloading accounts sucking up your finite resources (CPU, disk, memory, bandwidth, power, cooling) so that you are not using capacity that is really not needed.

 Prevention, detection, and remediation can be achieved by examining the following:

• Performance metrics on the virtual systems … if the CPU or interface is always running at 100% might indicate suspicious use.
• Flow analysis on how these systems are communicating to external system … are all of the virtual systems communicating to a particular external IP?This could be evidence of a DDOS attack.
• Examine the MX records of the accounts that are used to setup the environments … if many domains MX records all point to the same mail server that can indicate a problem.
• A majority of the MX records all being hosted on the same DNS server.
• A lot of MX records all being hosted on DDNS servers.
• Use of DDNS domain names.
• Frequency and speed of the account creations. … if total amount of accounts created in x number of minutes exceeds a particular amount.
• Source IP addresses where these accounts are created match bad watch lists.
• Geographic location of where the user who creates the accounts resides is in a country where you do not do business.
• Comparing the source IP addresses of SSH or remote access to the virtual systems that are being hosted. to the source IP addresses of the IP addresses that were used to create the accounts.

AccelOps helps companies prevent and detect trial fraud and abuse using by using the techniques above. To learn how we can help your company, contact us today.