"Prices ranged in price from $.10 $.15 per verification for bulk orders of 100,000 verifications, and $.25 per verification for smaller orders," the researchers add, showing a clear business plan by the merchants to move as many high-value accounts as possible in a single order.
To keep many of the accounts sold from being flagged instantly, the researchers explained that most of them are pre-aged, allowing them to avoid heuristics that disable new accounts based on weak, early signs of misbehavior. This also helps the accounts last, as older accounts must meet a much higher threshold before being nixed due to potential malicious actions.
When orders were placed for accounts, the researchers noted that many of the merchants delivered 70 percent of the promised volume within a day, and 90 percent within three days, showing a solid turnaround.
"Web services that rely on automation barriers must strike a tenuous balance between promoting user growth and preventing the proliferation of fraudulent accounts and spam behavior," the paper concludes.
"While we draw many of our observations from the Twitter account abuse problem, we believe our recommendations should generalize across web services."
One of the offered recommendations includes making fraudulent account operations more expensive to operate. One way is to focus on email verification, which raises the cost of the Twitter operation by 56 percent. After that, CAPTCHAs are another source of frustration.
"In our experience, when required, CAPTCHAs prevent merchants from registering 92% of fraudulent accounts. Services could also leverage this failure rate as a signal for blacklisting an IP address in real-time, cutting into the number of accounts merchants can register from a single IP," the researchers observed.
The paper also outlined several other recommendations, including a pattern recognition framework, which is what helped the researchers (and Twitter) retroactively identify millions of fraudulent accounts as previously mentioned.
Sign up for CIO Asia eNewsletters.