The easiest way for a malicious user to access the privileges, services, and information behind the login box is to create puppet accounts under their control from day one. Attackers can then use these accounts for a variety of illicit purposes, with objectives depending on the specific business context. Common objectives include:
  • Financial Gain: Involves creating fraudulent accounts to achieve objectives like making false claims (for example, signing up for an online insurance account solely to file a fraudulent claim) or to exploit new customer benefits and incentives. Massive account creation is also a first step in launching an SMS pumping attack.
  • Account Aging: Attackers may create a large number of accounts and allow them to age over time, making them appear more legitimate for future, more sophisticated attacks.
  • Service Disruption: High-volume signup attempts can overwhelm an organization’s systems, potentially leading to denial-of-service by exceeding global rate limits and hindering legitimate users’ ability to access services.
  • Username Enumeration (T1087): Attackers may rapidly attempt to sign up for a large number of accounts to determine if specific usernames already exist within a system. Attackers can use this information for targeted attacks like credential stuffing or phishing.

Detect signup attacks

Regardless of an attacker’s objective, signup attacks leave a trail of specific log events that are crucial for detection and analysis. Use Security Center to monitor potential attacks against your tenant. You can use the Auth0 open source library of detection rules to build and contribute your own detection rules, for example, the rules for signup fraud by suspicious domains and signup fraud by high volumes. Key indicators in Auth0 tenant logs are the event types fs (failed signup), ss (successful signup), and signup_pwd_leak (signup with a password that is known to have been leaked). During the reconnaissance phase, you might observe repeated HTTP POST requests to your tenant’s Signup endpoint (/dbconnections/signup for database connections). This activity often signals an attacker’s initial attempts to probe your system for weaknesses or to test the efficacy of their automated signup tooling. For advanced analysis, or to correlate signup and login activity with applications outside Auth0, enable log streaming to the log streaming service of your choice.
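The three indicators above (signup volume from one IP, signups on suspicious domains, and signup_pwd_leak events) can be checked directly against streamed log events. The following is an added example written for this page; it is not code from Auth0 or from its detection-rule library. The events are constructed for illustration and only borrow the field names of the tenant log shape (type, date, ip, user_name, user_agent); the domain denylist and the thresholds are assumptions you would tune for your tenant.

```javascript
// Added example (not Auth0's code): three detection rules run over constructed
// tenant log events. Field names follow the Auth0 tenant log shape
// (type, date, ip, user_name, user_agent); the events themselves are made up.
function ev(type, second, ip, userName) {
  return {
    type,
    date: new Date(Date.UTC(2024, 4, 1, 10, 0, second)).toISOString(),
    ip,
    user_name: userName,
    user_agent: "python-requests/2.31",
  };
}

const SAMPLE_LOGS = [
  ev("ss", 1, "203.0.113.7", "a1@disposable.example"),
  ev("ss", 4, "203.0.113.7", "a2@disposable.example"),
  ev("fs", 7, "203.0.113.7", "a3@disposable.example"), // failed, then retried
  ev("ss", 9, "203.0.113.7", "a3@disposable.example"),
  ev("ss", 12, "203.0.113.7", "a4@disposable.example"),
  ev("ss", 15, "203.0.113.7", "a5@disposable.example"),
  ev("ss", 30, "198.51.100.20", "alice@example.com"), // ordinary signup
  ev("signup_pwd_leak", 45, "198.51.100.33", "bob@example.com"),
];

// Hypothetical denylist of throwaway mail domains; load a maintained list in practice.
const SUSPICIOUS_DOMAINS = new Set(["disposable.example", "throwaway.example"]);

function emailDomain(userName) {
  const at = (userName || "").lastIndexOf("@");
  return at === -1 ? null : userName.slice(at + 1).toLowerCase();
}

// Rule 1: too many signup attempts (ss or fs) from one IP inside a sliding window.
function highVolumeByIp(events, { windowMs = 60_000, threshold = 5 } = {}) {
  const byIp = new Map();
  for (const e of events) {
    if (e.type !== "ss" && e.type !== "fs") continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(Date.parse(e.date));
  }
  const findings = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let peak = 0;
    for (let start = 0, end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak >= threshold) findings.push({ rule: "signup_high_volume", ip, count: peak });
  }
  return findings;
}

// Rule 2: several distinct accounts created on a suspicious domain.
function suspiciousDomainSignups(events, { domains = SUSPICIOUS_DOMAINS, minAccounts = 3 } = {}) {
  const byDomain = new Map();
  for (const e of events) {
    if (e.type !== "ss") continue;
    const d = emailDomain(e.user_name);
    if (!d || !domains.has(d)) continue;
    if (!byDomain.has(d)) byDomain.set(d, new Set());
    byDomain.get(d).add(e.user_name.toLowerCase());
  }
  return [...byDomain]
    .filter(([, accounts]) => accounts.size >= minAccounts)
    .map(([domain, accounts]) => ({ rule: "signup_suspicious_domain", domain, accounts: [...accounts] }));
}

// Rule 3: an account was created with a password already known to be leaked.
function leakedPasswordSignups(events) {
  return events
    .filter((e) => e.type === "signup_pwd_leak")
    .map((e) => ({ rule: "signup_leaked_password", ip: e.ip, user_name: e.user_name }));
}

function detectSignupAttacks(events, options = {}) {
  return [
    ...highVolumeByIp(events, options),
    ...suspiciousDomainSignups(events, options),
    ...leakedPasswordSignups(events),
  ];
}

console.log(JSON.stringify(detectSignupAttacks(SAMPLE_LOGS), null, 2));
```

Run against a stream export rather than the sample and the same functions apply unchanged; counting both ss and fs in rule 1 matters because an attacker tuning a signup script produces failures before the successes start.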

Mitigation strategies

To mitigate signup attacks, we recommend combining proactive measures with real-time detection and response in a multi-layered approach. Review the following strategies to protect your system:
  • Suspicious IP Throttling: Implement aggressive signup thresholds for suspicious IP addresses to prevent high-volume signup attempts from a single source.
  • Bot Detection: Employ robust bot detection mechanisms to identify and block automated signup attempts by enabling Auth0’s Bot Detection and configuring your bot detection level to High.
  • Aggressive CAPTCHA requirements: For a more aggressive response at the cost of higher friction, configure CAPTCHA to be always presented during the signup process. While this introduces a slight inconvenience for legitimate users, it can hinder bot activity.
  • Passwordless authentication: Use passwordless authentication methods. This forces attackers to maintain persistent access to the primary identifier (for example, email or phone number) used during signup, making it more difficult to create and control numerous fraudulent accounts.
  • Improved authentication factors: Use WebAuthn as an authentication factor. It provides phishing resistance and, because it replaces SMS as a factor, removes the SMS traffic that SMS pumping fraud depends on.
  • Tenant Access Control List (ACL): Configure Tenant ACLs to block or restrict traffic from known-malicious sources (for example, IP addresses and CIDR ranges) before it reaches your Signup endpoint.
  • Pre-user Registration Triggers: Use pre-user registration triggers to enforce identity proofing measures. This could involve simple steps like requiring email validation before account activation or more complex verification processes depending on your risk profile.
  • Force verification on signup: Configure email verification on signup so that users must verify their email address before they can sign in, ideally through a one-time password (OTP).
  • Web Application Firewall (WAF) rules: If you are using a custom domain behind a reverse proxy, configure WAF rules to block known malicious IP ranges, detect suspicious request patterns, and mitigate common attack vectors targeting your Signup endpoint.
  • Disable Signup (most extreme): In severe or persistent attack scenarios, or for applications in which user self-registration is not essential, the most extreme measure is to temporarily or permanently disable new user signup.
  • Delete or block fraudulent accounts: After identifying fraudulent accounts, use the Auth0 Dashboard or the Management API to block them (set blocked to true on the user) or delete them. For bulk operations, be mindful of Management API rate limits and contact support if there is a risk of exceeding your rate limit.
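The pre-user registration trigger in the list above is where policy like a disposable-domain denylist or signup context capture belongs. The following is an added example, not Auth0's own code: the policy is a pure function (evaluateSignup) so it can be unit-tested outside the Auth0 runtime, and onExecutePreUserRegistration wires it to the Actions API (api.access.deny and api.user.setAppMetadata, which are real Actions calls). The denylist, the reason strings, the app_metadata keys and the local harness with its fake api object are assumptions made for the example.

```javascript
// Added example, not Auth0's own code. Hypothetical denylist; in a deployed
// Action, load it from event.secrets or a configuration store.
const DISPOSABLE_DOMAINS = new Set(["disposable.example", "throwaway.example"]);

function emailDomain(email) {
  const at = email.lastIndexOf("@");
  return at < 1 || at === email.length - 1 ? null : email.slice(at + 1);
}

// Match the domain itself and any subdomain of a listed domain.
function isDisposable(domain) {
  for (const d of DISPOSABLE_DOMAINS) {
    if (domain === d || domain.endsWith("." + d)) return true;
  }
  return false;
}

// Pure policy decision: no Auth0 API calls, so it is testable offline.
function evaluateSignup(event) {
  const email = ((event.user && event.user.email) || "").trim().toLowerCase();
  const request = event.request || {};
  const domain = emailDomain(email);
  if (!domain || !domain.includes(".")) {
    return { allow: false, reason: "invalid_email", userMessage: "Please sign up with a valid email address." };
  }
  if (isDisposable(domain)) {
    return { allow: false, reason: "disposable_domain", userMessage: "Temporary email providers are not accepted." };
  }
  // Record signup context for later forensic correlation. The application
  // should still gate activation on the user's email_verified flag.
  return {
    allow: true,
    appMetadata: { signup_ip: request.ip, signup_user_agent: request.user_agent || "unknown" },
  };
}

// Auth0 Action handler. In the Action editor export it as
//   exports.onExecutePreUserRegistration = onExecutePreUserRegistration;
async function onExecutePreUserRegistration(event, api) {
  const decision = evaluateSignup(event);
  if (!decision.allow) {
    // reason is written to the tenant log; userMessage is shown to the user.
    api.access.deny(decision.reason, decision.userMessage);
    return;
  }
  for (const [key, value] of Object.entries(decision.appMetadata)) {
    api.user.setAppMetadata(key, value);
  }
}

// Local harness: a fake `api` that records calls so the Action runs offline.
function runLocally(event) {
  const calls = [];
  const api = {
    access: { deny: (reason, userMessage) => calls.push({ call: "deny", reason, userMessage }) },
    user: { setAppMetadata: (key, value) => calls.push({ call: "setAppMetadata", key, value }) },
  };
  return onExecutePreUserRegistration(event, api).then(() => calls);
}

runLocally({ user: { email: "bot7@disposable.example" }, request: { ip: "203.0.113.7" } })
  .then((calls) => console.log(JSON.stringify(calls)));
```

Keeping the decision separate from the handler is the point: the same evaluateSignup can be run over yesterday's fs and ss events to estimate how much legitimate traffic a new rule would have refused before it is deployed.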
To learn more about implementing detection and response strategies, read Detecting Signup Fraud: 3 Ways to Use Auth0 Logs to Protect Your Business.
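For the last mitigation in the list, bulk blocking or deleting the accounts a detection rule surfaced, the rate-limit caveat is the part that goes wrong in practice. The following is an added example, not Auth0's own code or SDK: blockUsers() calls the Management API (PATCH /api/v2/users/{id} with {"blocked": true}, or DELETE for removal), paces itself on the X-RateLimit-Remaining and X-RateLimit-Reset response headers and retries on HTTP 429. The HTTP client, sleep and clock are injected so the mock server below can drive it offline; the mock, its limits, the tenant domain, the token and the user IDs are all constructed for the example. In production pass globalThis.fetch, a timer-based sleep and Date.now.

```javascript
// Added example, not Auth0's own code. Blocks (or deletes) users one at a time
// while respecting Management API rate limits.
async function blockUsers(userIds, { domain, token, mode = "block", fetchImpl, sleep, now, maxAttempts = 5 }) {
  const results = [];
  for (const id of userIds) {
    const url = `https://${domain}/api/v2/users/${encodeURIComponent(id)}`;
    const init = mode === "delete"
      ? { method: "DELETE", headers: { Authorization: `Bearer ${token}` } }
      : { method: "PATCH",
          headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
          body: JSON.stringify({ blocked: true }) };
    for (let attempt = 1; ; attempt++) {
      const res = await fetchImpl(url, init);
      const remaining = Number(res.headers.get("x-ratelimit-remaining"));
      // X-RateLimit-Reset is an epoch in whole seconds; add a second of slack.
      const waitMs = Math.max(0, Number(res.headers.get("x-ratelimit-reset")) * 1000 - now()) + 1000;
      if (res.status === 429) {
        if (attempt >= maxAttempts) { results.push({ id, ok: false, status: 429, attempts: attempt }); break; }
        await sleep(waitMs);
        continue;
      }
      results.push({ id, ok: res.ok, status: res.status, attempts: attempt });
      if (remaining === 0) await sleep(waitMs); // window exhausted: wait before the next user
      break;
    }
  }
  return results;
}

// Mock Management API: `limit` requests per `windowMs` on a simulated clock.
// startUsed > 0 models another client having already consumed the window.
function makeMockManagementApi({ limit = 2, windowMs = 10_000, startUsed = 0 } = {}) {
  let clock = 1_700_000_000_000;
  let windowStart = clock;
  let used = startUsed;
  const blocked = new Set();
  const calls = [];
  const reply = (status) => ({
    status,
    ok: status >= 200 && status < 300,
    headers: new Map([
      ["x-ratelimit-limit", String(limit)],
      ["x-ratelimit-remaining", String(Math.max(0, limit - used))],
      ["x-ratelimit-reset", String(Math.floor((windowStart + windowMs) / 1000))],
    ]),
  });
  const fetchImpl = async (url, init) => {
    if (clock >= windowStart + windowMs) { windowStart = clock; used = 0; }
    calls.push({ method: init.method, url });
    if (used >= limit) return reply(429);
    used += 1;
    if (init.method === "PATCH" && JSON.parse(init.body).blocked === true) {
      blocked.add(decodeURIComponent(url.slice(url.lastIndexOf("/") + 1)));
    }
    return reply(200);
  };
  return { fetchImpl, sleep: async (ms) => { clock += ms; }, now: () => clock, blocked, calls };
}

// Constructed run: five flagged users against a window another process has already used up.
async function demo() {
  const mock = makeMockManagementApi({ startUsed: 2 });
  const ids = ["auth0|u1", "auth0|u2", "auth0|u3", "auth0|u4", "auth0|u5"];
  const results = await blockUsers(ids, { domain: "example.auth0.com", token: "MGMT_TOKEN", ...mock });
  return { results, blocked: [...mock.blocked], requests: mock.calls.length };
}

demo().then((summary) => console.log(JSON.stringify(summary, null, 2)));
```

Blocking rather than deleting is usually the better first response: a blocked user keeps its log history and metadata for the investigation, and the decision can be reversed if a rule turns out to be too aggressive.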