Account Farming

What Is Account Farming?

Account farming is the practice of creating and maintaining multiple accounts with the same online service. Often this is for the purpose of committing fraudulent acts, both large and small.

These range from practices such as signup bonus abuse in iGaming, to hijacking online wallets as well as full-scale identity theft.

A technique that’s popular with fraudsters and cybercriminals who wish to build up – and abuse – a bank of online accounts, account farming can involve any type of online account. It’s particularly prevalent with:

• web-based email services, such as Gmail and Hotmail
• social media accounts
• online advertising accounts, such as Google Ads
• casino and gambling sites
• any other sites that offer sign-up bonuses, such as online survey sites

The process of account farming can be a manual one. This involves people taking the time to sign up and use services multiple times – often using VPN providers and public Wi-Fi networks to make their location varied – as well as technical trickery to bypass CAPTCHA systems and other security measures.

There are also software tools available to automate aspects of the process, such as programs that simulate online activity to make an online account appear genuine.

Cybercriminals can used farmed accounts to scale up their fraudulent operations. As well as farming accounts themselves, they may opt to purchase accounts farmed by a third party. This in itself is a low-level fraudulent enterprise.

How Does Account Farming Work?

The objective of account farming is to generate a farm of active online accounts. These can either be used at scale or cycled through as they become detected and banned.

Here’s a step-by-step example of how it can work:

1. A fraudster signs up for an online account with an email service provider.
2. They clear their browser cookies, connect via a VPN, and create another account using different details.
3. They repeat the above process using multiple VPN server addresses.
4. They can then expand on the process by using public Wi-Fi networks and connecting from alternate locations.
5. If additional details are required by the provider, such as a phone number, they use throwaway virtual numbers and third-party services to remain undetected.
6. In order to ensure the accounts appear legitimate, they use them as a legitimate user would. For example, they send and receive emails, sign up to other services (such as social networks), and perform web searches whilst logged on to each account.

As is clear from the above, manual account farming is a time-consuming process. As such, professional hackers will often use tools and automation for some or all parts of the process.

For example, a tool widely discussed on online forums includes an activity generator that creates activity on accounts to improve their trust and success. This is a key part of account farming, and it’s as important as creating the accounts themselves.

Why Are Accounts Farmed? 

The endgame of farming online accounts is to have a bank of active and trusted online accounts that can be used for both financial and fraudulent gain.

With multiple accounts, a hacker could:

• sign up to a site that gives away samples or sign-up bonuses many times over
• gain indefinite access to expensive software that comes with a time-limited trial – by switching from one account to another as each trial expires
• falsely boost a company’s reputation by leaving positive online reviews from multiple accounts – which increases the urgency of methods to spot fake reviews and flag them for deletion
• apply for loans and financial products using multiple identities
• sign up for government services and benefits using multiple accounts

Real-life examples of fraud related to account farming include people applying for unemployment benefits multiple times, filing fraudulent tax returns, and submitting fraudulent credit card applications.

Examples of Account Farming

Here are a couple of specific examples of account farming:

Farming Gmail Accounts

Farming Gmail accounts is particularly popular among hackers, as active accounts can act as a gateway into many other online services. While Gmail users typically have an average of 1.7 accounts each (generally due to having separate business and personal accounts), hackers aim to source many more than that.

The steps are broadly as described above, with particular emphasis on using each account so that it appears legitimate. A Gmail reputation score is reportedly linked to each account, and accounts with a poor reputation are said to be subject to additional identity checking methods and CAPTCHA prompts.

Farming Online Advertising Accounts

Online advertising accounts such as on Facebook, Google Ads, and LinkedIn are often the eventual target of those performing account farming. In fact, some people farming Gmail accounts do so for the specific purpose of creating multiple advertising accounts with those online identities.

There are various reasons to farm advertising accounts, such as:

• Online services often offer free ads to new advertising customers. By using multiple accounts, hackers can advertise for free, then move on to the next account without ever paying.
• Fraudsters with a farm of accounts can freely break terms of service, doing things such as spamming out ads containing affiliate links. When one account is caught and banned, they simply move on to the next.
• If an account comes with a spending limit, these can be bypassed by using multiple accounts.

Why Is Account Farming Dangerous?

Account farming is dangerous for two main reasons:

• It exposes companies to financial loss. This can be due to anything from the simple abuse of promotions to more sophisticated financial fraud.
• It creates significant online noise. Companies that are the target of account farming have to dedicate resources both to detecting the farmed accounts and to providing their service to those juggling hundreds or thousands of logins.

How to Protect Against Account Farming

The best way to protect against account farming is to introduce fraud prevention with multiple layers of protection. The goal should not necessarily be to verify the identity of those signing up to online services but rather gauge who appears to be legitimate and who not, and ultimately to flag up attempted abuse.

Methods and technologies employed include the following:

• Digital footprint analysis can tell us more about who an email address really belongs to and what their intentions are, because it enriches email addresses with information from across the internet. Creating a farmed email account is the easy part, but simulating the online presence – the digital footprint – of a genuine human user is not just harder but not cost-efficient for criminals. Thus OSINT digital footprinting tools can, for example, reveal if an email address has not been used to register on social media, not been seen in data leaks and so on. This would make it highly likely to be a farmed account.
• Browser fingerprinting can help to detect if the same person is trying to create multiple accounts, even if they’re changing their physical location and IP address or using a VPN.
• Velocity checks will compare data points such as the above in the context of time. For example, a series of accounts being created with the exact same password is highly suspicious. Perhaps someone is setting up an account farm? Of course, the prevention software would not be comparing users’ actual passwords but anonymized password hashes.
• Similarly, running phone number lookups can flag up throwaway phone numbers or users in an unexpected location.

Any business that operates online – especially those offering financial services, free gifts, trials, or signup bonuses – can reasonably assume that they’ll become the target of account farming.

Thankfully, techniques do exist to assist in identifying when attempts are made to abuse multiple farmed accounts.

Related Terms

Related Articles

Sources