Detecting Signup Fraud: 3 Ways to Use Auth0 Logs to Protect Your Business

Discover how to detect and prevent fraudulent signups using Auth0 Logs. Learn about three common fraud indicators like high-volume signups, disposable emails, and unverified accounts.

Fraudulent signups are a persistent and growing threat for businesses across industries, leading to account takeover attempts, spam, abuse of free trials, and ultimately, significant financial losses and reputational damage. As the digital landscape evolves, so do the tactics of fraudsters, making robust detection mechanisms more critical than ever.

Auth0 offers a variety of preventive capabilities to stop fraudsters at the gate:

In this post, we'll focus on additional detective capabilities for your Auth0 environments leveraging available detections in the Auth0 Customer Detection Catalog.

How do you detect fraudulent signups once they're underway or have already occurred?

There are several indicators you can look at to spot suspicious activity. By streaming your logs to a SIEM and looking for patterns in them, you can proactively identify fraudulent accounts and take action.

Let's look at three detection strategies, each backed by a ready-to-use detection rule, that provide valuable insight into potential signup fraud.

Common signup fraud indicators

1. High volume of signup activities

Detection rule: detections/risk_of_signup_fraud_by_volume.yml

Imagine a sudden surge of new accounts originating from a small set of IP addresses. This detection identifies potential signup fraud by monitoring for a surge in the number of registrations, an excessive number of failed signups, or signup attempts that use breached passwords.

While a legitimate marketing campaign might explain some spikes, an unusually high volume often indicates automated bot activity or a concentrated attack. The value here is in identifying large-scale, automated fraud attempts, such as bots creating accounts for spamming, credential stuffing, or other malicious purposes. Catching these early can prevent a flood of threat actors from infiltrating your user base.

2. Signups using disposable email domains

Detection rule: detections/risk_of_signup_fraud_by_disposable_domains.yml

Disposable email addresses (like those from services such as Mailinator or TempMail) are a red flag for a reason. Users typically employ them to avoid providing legitimate contact information, often for one-time access, to bypass email verification, or to sign up for multiple accounts without leaving a trace. Fraudsters frequently use these domains to create throwaway accounts for abusive activity or free-trial abuse.

This detection is crucial for identifying accounts created with the intent to obscure identity or for short-term malicious use. By flagging these domains, you can challenge the signup or prevent it entirely, preserving the integrity of your user data.

3. Many unverified accounts created

Detection rule: detections/many_unverified_accounts_created.yml

Email verification is a standard security measure designed to ensure that new accounts are linked to a legitimate, accessible email address. When a large number of accounts are created but remain unverified, it suggests that the email addresses used might be fake, invalid, or controlled by an attacker who does not intend to complete the verification step. This can be a strong indicator of bot-generated accounts or an attempt to overwhelm your system with junk data.

This detection highlights potential botnets or sophisticated fraud schemes where accounts are created in bulk without the intention of being activated or used legitimately. Identifying these unverified accounts helps you clean up your user database and focus on engaging with genuine users.
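As an added example (not code from this post or from the Auth0 detection catalog), the following Python reimplements detections 1 and 2 over constructed Auth0 log-stream events: a sliding-window count of signups per source IP, and a check of the signup email domain against a disposable-domain list. The data.ip and data.date fields and the fs (failed signup) event type come from Auth0's log schema rather than from the text above; the event values, the 10-minute window and the seed domain list are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Auth0 log-stream events, one JSON object per line. The field names
# (data.type, data.ip, data.user_name, data.date) follow Auth0's log schema;
# every value is made up for this example.
BASE = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
_raw = [("ss", "203.0.113.5", f"bot{i}@mailinator.com", i) for i in range(5)]
_raw += [("fs", "203.0.113.5", "bot5@mailinator.com", 5),   # fs = failed signup
         ("ss", "198.51.100.7", "alice@example.com", 3),
         ("ss", "198.51.100.9", "bob@example.com", 40)]
SAMPLE_NDJSON = "\n".join(json.dumps({"data": {"type": t, "ip": ip, "user_name": u,
    "date": (BASE + timedelta(minutes=m)).isoformat()}}) for t, ip, u, m in _raw)

DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}  # seed list (assumed); extend from your own source

def parse_events(ndjson):
    """Flatten the 'data' object of each log line, parsing its timestamp."""
    events = []
    for line in ndjson.splitlines():
        if line.strip():
            d = json.loads(line)["data"]
            d["date"] = datetime.fromisoformat(d["date"].replace("Z", "+00:00"))
            events.append(d)
    return events

def signup_surge_by_ip(events, window=timedelta(minutes=10), threshold=5):
    """Detection 1: IPs whose successful (ss) plus failed (fs) signups exceed
    `threshold` inside any sliding `window`. Returns {ip: peak_count}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["type"] in ("ss", "fs"):
            by_ip[e["ip"]].append(e["date"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = max(end - start + 1, flagged.get(ip, 0))
    return flagged

def disposable_domain_signups(events, disposable=DISPOSABLE_DOMAINS):
    """Detection 2: successful signups whose email domain is on the disposable list."""
    hits = [e["user_name"] for e in events if e["type"] == "ss" and "@" in e.get("user_name", "")
            and e["user_name"].rsplit("@", 1)[1].lower() in disposable]
    return sorted(hits)
```

Run over a real export, the thresholds should be tuned against a baseline period first, exactly as the post recommends for the Splunk queries.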

Putting detections into practice

The value of these detections lies in their direct applicability to your security operations. Our detection YAML specifications are designed to be flexible and usable with a variety of security tools.

Sigma compatibility

Each detection is Sigma compatible, allowing you to convert the logic into a query for the security information and event management (SIEM) tool of your choice. This provides a unified standard for rule creation.

For example, to convert the many_unverified_accounts_created.yml detection into a Splunk query using the sigma-cli:

sigma convert \
--target splunk \
--pipeline splunk_windows \
detections/many_unverified_accounts_created.yml

This command will output a Splunk query that can be used directly in your environment.

Auth0 and Splunk queries

Each detection file is also annotated with a direct Lucene query that works natively within the Auth0 Dashboard. While useful for quick, exploratory purposes, these queries can sometimes lack the expressiveness needed for more complex analysis.

For more granular detection, each file also includes an annotated Splunk query. This query provides a more detailed approach and often includes commented-out lines with useful extensions.

For example, the Splunk query for the unverified accounts detection is structured to provide a wealth of information:

index=auth0 data.tenant_name="{your-tenant-name}"
   data.type IN (ss sv)
   | fields data.user_name, data.type, data.user_id
   ``` Calculations ```
   | eval elapsed_time = (now() - _time) / 60
   | rex field=data.user_name ".+@(?<user_domain>.*)"
   | stats values(data.type) as event_types, count(data.type) as cnt_events_per_user, min(elapsed_time) as min_elapsed_time by data.user_name data.user_id user_domain
   ``` Filtering for users who have not completed email verification within a specified time window,
   i.e. we see just one event (ss) ```
   | where cnt_events_per_user = 1 and min_elapsed_time > {threshold_not_verified_within_X_min}
   ``` Display information about unverified users ```
   | table data.user_id, data.user_name, user_domain, event_types, min_elapsed_time
   ``` Option 1 - Alert when the number of created unverified users exceeds a threshold ```
   ``` | stats count(data.user_id) as unverified_user_cnt
   | where unverified_user_cnt > {threshold_indicating_surge_of_unverified_users} ```
   ``` Option 2 - Extend the detection to monitor high-volume unvalidated domains ```
   ``` | stats count as cnt_domain by user_domain
   | where cnt_domain > {threshold_indicating_surge_of_email_domains} ```

The commented-out options (Option 1 and Option 2) are powerful extensions explained in the detection's YAML file comments. By uncommenting them, you can easily pivot the detection to look for a surge of unverified users or for a spike in specific unvalidated email domains. To use these effectively, we recommend first running the query over a period of time to establish a baseline for your normal traffic and determine appropriate thresholds.
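The same stages as the Splunk query above (eval, rex, stats, where, and the two optional alert stages), rewritten as Python so the thresholds can be tried against an exported log sample offline. This is an added example, not code from the detection file; the events, the 30-minute grace window and the reference time are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed events carrying the fields the Splunk query uses (data.type,
# data.user_id, data.user_name, _time). Every value is made up for this example.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [  # (type, user_id, user_name, minutes before NOW)
    ("ss", "auth0|1", "alice@example.com", 90), ("sv", "auth0|1", "alice@example.com", 85),
    ("ss", "auth0|2", "bob@example.com", 20),  # recent: still inside the grace window
    ("ss", "auth0|3", "x1@tempmail.example", 70), ("ss", "auth0|4", "x2@tempmail.example", 65),
    ("ss", "auth0|5", "x3@tempmail.example", 61), ("ss", "auth0|6", "carol@example.org", 120),
]
EVENTS = [(t, uid, name, NOW - timedelta(minutes=m)) for t, uid, name, m in SAMPLE]

def unverified_users(events, now=NOW, not_verified_within_min=30):
    """Mirror of the query's eval/rex/stats/where stages: group ss/sv events per
    (user_id, user_name, domain); keep users with a single event whose age in
    minutes exceeds the grace window. Returns (user_id, user_name, domain,
    event_types, min_elapsed_min) tuples, like the final `table` stage."""
    per_user = {}
    for etype, uid, name, ts in events:
        if etype not in ("ss", "sv") or "@" not in name:  # data.type IN (ss sv); rex needs an '@'
            continue
        key = (uid, name, name.rsplit("@", 1)[1].lower())
        rec = per_user.setdefault(key, {"types": set(), "cnt": 0, "min_elapsed": float("inf")})
        rec["types"].add(etype)
        rec["cnt"] += 1
        rec["min_elapsed"] = min(rec["min_elapsed"], (now - ts).total_seconds() / 60)
    return [(uid, name, dom, sorted(r["types"]), r["min_elapsed"])
            for (uid, name, dom), r in per_user.items()
            if r["cnt"] == 1 and r["min_elapsed"] > not_verified_within_min]

def surge_of_unverified(rows, threshold):
    """Option 1: alert when the count of unverified users exceeds the threshold."""
    return len(rows) > threshold

def unverified_domains_over(rows, threshold):
    """Option 2: email domains contributing more unverified users than the threshold."""
    by_domain = defaultdict(int)
    for _, _, domain, _, _ in rows:
        by_domain[domain] += 1
    return {d: n for d, n in by_domain.items() if n > threshold}
```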

The future of fraud detection

The battle against fraudulent signups is ongoing, and effective detection is a continuous effort. These three detections are just the beginning. By focusing on robust detection, you can not only mitigate immediate threats but also gain valuable insights into the evolving tactics of fraudsters, ultimately enhancing your overall security posture.

The Auth0 Customer Detections library is an ever-growing resource, and we are committed to expanding the collection of indicators to help you stay ahead of fraudsters. We encourage you to explore the available detections and integrate them into your security strategy.