From assuming fake personas trying to impress people on social media to hiding behind the internet to anonymously vent out pent-up emotions, people hide their true identity on the internet for many reasons. As long as catfishing does no physical, emotional, or financial harm, it's acceptable. But when fraudsters begin taking advantage of catfishing, it can spell disaster.
Dating fraud, using social media accounts to sell stolen goods at heavily discounted rates, social engineering to dupe people into sharing their personal details are all dangerous forms of catfishing. At Arkose Labs, we encounter fraudsters every single day. We know their tactics and how they try to work their way around our enforcement challenges.
A Case in Point
There was this particular fraudster who tried several strategies including catfishing to bypass our challenges. He pretended to be a concerned developer trying to pitch a fraud-prevention solution to one of our customers, claiming our solution lacked the capabilities that his solution offered. He sent emails to this effect to our senior leadership as well as our customer. Later, he even re-appeared to participate in our BugBounty program, but was identified.
It all began with the fraudster signing up for the whitehat BugBounty program and submitting an issue that was verified as a vulnerability. At the same time, this fraudster managed to find a weakness that helped him build a solver for the simple custom images that we were using to help our customer fight online attacks.
Spotting the Fraud
Once the fraudster built the solver, he tested it and posted the results on a website that he was using to promote his solution. He also posted the test results on a number of hacker boards. We actively monitor numerous hacker boards as we often come across a lot of discussion about ways to beat our enforcement challenges. This is how we learned about these posts.
As the test volume of the fraudster's proclaimed solution increased, our telemetry—the dynamic risk engine—identified the traffic coming from his solution as inauthentic. The results showed telltales and we began applying pressure. Buoyed by the test results of his solution, however, the fraudster contacted our customer to inform that our challenges could be easily cleared and termed our solution ineffective. But, when the fraudster realized that we were monitoring and pressurizing, he took to the hacker boards and social media to proclaim he had found the crack to our challenges and that our telltaling abilities were limited. To corroborate his claims, he posted statistics of the test results.
These results posted publicly, however, provided us with confirmation that we were pressurizing the correct inauthentic traffic. This powered our telemetry to quickly catch up with the fraudster. When he realized that we were pressurizing the traffic, he resorted to manipulating the data and posted results only for those spurts of duration where he could bypass the pressure. He did not post data of the periods where he failed and was blocked—which was way higher than the times he could slip in.
Forcing the Fraudster to Give-up
The cat and mouse game between his manipulation and our pressurizing continued for some time. The telemetry then escalated the pressure and switched over from the custom images we had created for the customer, to the standard gray images and significantly harder forms of images. This forced the fraudster to spend more time and resources updating his solution, which reflected in the drastic drop in the number of posts on social media and hacker boards as well as the emails he was sending out to us and our customer. He could not find a way around this escalated pressure. As a result, the posts completely stopped and the website to promote the so-called solution was shutdown without any notification.
A few months later, the fraudster made a re-appearance on our BugBounty program trying to get paid for an issue that was already identified and closed. We quickly identified and blocked him.
If you have a similar experience to share, do let us know.