Our 24x7 comprehensive monitoring of the Digital Underground can help you transform your information security and anti-fraud operations from reactive to proactive.

orange arrow

A Behind-the-Scenes Look at New Account Fraud

intro image

Written by Nicole Abramov


  • Fraudulent new account applications by cybercriminals and fraudsters have been surging for quite some time. Through identity theft or synthetic identities (combinations of fictitious and real information, such as name, SSN, and other PII to create new identities), threat actors are applying for new accounts at record levels.
  • This trend has partly been driven by the proliferation of compromised PII and financial account information circulating in the Dark Web, and by Pandemic Unemployment Assistance and SBA PPP fraud, which have been extremely popular during the COVID-19 pandemic.
  • These newly-registered accounts are used in a wide range of financial crimes, including but not limited to:
    • Stock manipulation
    • Money laundering
    • Unemployment fraud
    • SBA / PPP loan fraud
    • Money mules
    • Ad fraud
  • In this post, we take you “behind the scenes” to understand how threat actors create new accounts at scale. We profile a Russian cybercriminal gang that is dedicated to registering accounts across several countries and financial institutions on a massive scale of hundreds of new accounts per day.

BlackWidows Group

For purposes of this post, we named the group the “BlackWidows Group”. The group consists of approximately twenty Russian-speaking cybercriminals, who target financial institutions in the United States and Europe. In the United States alone, BlackWidows Group produces hundreds of new accounts per day.

BlackWidows Group newly-registered accounts by country over a 2-week period in Q2 2021
BlackWidows Group newly-registered accounts by country over a 2-week period in Q2 2021

The types of accounts opened can be split into three main categories: bank accounts, reloadable prepaid card accounts, and brokerage accounts.

Account Registration Process

The group is extremely efficient and has streamlined its process to perfection. All members adhere to the group’s techniques and procedures, operating as a well-oiled machine and filling daily quotas per country and per bank.

Compiling Identities

The process of registering new accounts begins by obtaining “fullz” – compromised PII (including full name, address, SSN, date of birth, and more) that is readily available for purchase in underground markets. The group compiles identities and related data to be used during the account registration.

Next, it is essential to set up an ‘anti-detect’ tool of choice, used to mask the cybercriminal’s identity and bypass anti-fraud measures. The group uses the popular “Indigo Browser”, which has several useful features such as browser fingerprint customization and integration with popular underground proxy providers.

Armed with a stolen identity, a BlackWidows Group member then configures a new “profile” on Indigo Browser and sets the IP address, time zone, language, and geolocation data to match those of the victim. Using an underground proxy provider, the cybercriminal selects a proxy server whose geolocation corresponds to the victim’s physical address

BlackWidows Group’s Indigo Browser 'profile' configuration
BlackWidows Group’s Indigo Browser “profile” configuration
BlackWidows Group using 911 (a popular proxy service in the Russian cybercriminal underground), choosing a proxy server based on the city provided in the victim’s PII
BlackWidows Group using 911 (a popular proxy service in the Russian cybercriminal underground), choosing a proxy server based on the city provided in the victim’s PII

With technical preparations out of the way, the group proceeds to retrieve the last bit of necessary information – the victim’s phone number. Using legitimate background check services, they search for previous phone numbers used by the victim. Such numbers may be used during the account registration process as they are more likely to pass certain identity verification tools.

The last step is straightforward - creating a new email account to match the victim's PII and to be used in account applications. BlackWidows Group seems to prefer Outlook and mail.com.

Registering Accounts

At this point, the group can begin self-registering accounts for the stolen identities. The group often uses the same victim PII for registration of accounts at multiple financial institutions. As described above, all the data in the applications accurately belongs to the victim, excluding the contact information - email address and phone number – which is in the group’s control.

It is noteworthy that BlackWidows Group uses a number of services that provide free online SMS receipt for either publicly available numbers or a private number of choice. When two-factor authentication is required for account opening or subsequent activity, the group likely leverages these services to receive the verification messages.

Once the accounts are successfully created, the group sometimes allows them to “age”. The accounts rest with no suspicious activity, and gain a history of seemingly legitimate user login sessions. Aged accounts are more valuable in that they are less likely to trigger anti-fraud controls than newly-registered accounts.

Assessing Your Risk

Cybercriminals and fraudsters engaged in new account fraud often source PII and synthetic identities via the Dark Web. They also buy and sell such accounts on various Dark Web marketplaces and communities. Finally, they share tools and techniques to carry out new account applications and subsequent fraud at scale. Leveraging intelligence collected from the Dark Web and the broader Digital Underground, organizations could learn of upcoming new account campaigns targeting them, discover recently-opened fraudulent accounts, and spot signals of new account fraud.

Through our deep coverage of the Dark Web and the broader Digital Underground, we are monitoring:

  • Active and recent new accounts registration campaigns;
  • Techniques used by cybercriminals for compiling real and stolen identities for account registration;
  • The latest technical tools and configurations used to bypass anti-fraud measures;
  • Contact emails and phone numbers for authentication;
  • and much more.

Contact us to learn how you can leverage this intelligence to disrupt new account fraud.

Don't forget

to Visit

Our Solutions

About the Author

Nicole Abramov is a Threat Intelligence Analyst at Q6 Cyber. Prior to Q6, Nicole was a Cyber Threat Analyst in the Israel Defense Forces.