We have seen individuals just trying to get free accounts week after week, who, when nudged once, immediately pay thousands of dollars even after using fake, stolen or empty cards.
These individuals think they are being cheeky and when they are 'caught' they revert to doing the right thing.
We have seen customers where free tier abusers created 80k+ accounts in a day and cost millions of dollars. We have also seen businesses, like Oddsjam add significant revenue by prompting abusers to pay.
The psychology of abuse is also quite interesting, where even what appear to be serious abusers (think fake credit cards, new email accounts etc.) will refuse a discount and pay full price if they feel they 'got caught'.
> What we found were user agents purporting to be from a range of devices including mobile devices, all only ever loading a single page without any existing state like cookies.
> The behavior itself is also strange, how did it load these pages which were often behind an authwall without ever logging in or having auth cookies?
I don't think they mean to say that pages behind authentication were successfully loaded without authenticating. If cookies are required to load the page, you aren't loading it without them. So I read this as "The sessions weren't authenticated, so where on earth did they even find these URLs?"
The answer is that there's a real, authenticated user behind a firewall, and every unknown URL this user visits is getting queued up for the crawler to classify later, query string and all. So the crawler's behavior looks like the user's, but offset by a few seconds and without any state. Presumably the auth wall is doing its job and rejecting these requests.
This led us to believe this page was MitM rather than crawled directly (as they would not be able to impersonate the user).
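The pattern described in the two comments above (an authenticated user's URL replayed a few seconds later by a stateless client with a different user agent, which then hits the auth wall) is easy to confirm from access logs. The following is an added example for illustration, not code from the post or from any vendor; it uses a constructed log format and constructed sample lines, and the 60-second window, the status codes treated as "rejected by the auth wall" and the single-page heuristic are all assumptions to be tuned for a real site.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed log format (assumption, not any real server's default): ISO timestamp,
# client IP, quoted User-Agent, whether a session cookie was present, status, URL.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" cookie=(?P<cookie>yes|no) '
    r'(?P<status>\d{3}) (?P<url>\S+)$'
)

# Constructed sample log. Lines 1/2 and 3/4 show the "shadow" pattern: an
# authenticated load, then the same URL (query string included) fetched a few
# seconds later from another IP with a mobile UA, no cookie, and a 302 to login.
# The 192.0.2.55 visitor is an ordinary anonymous-then-logged-in session, and the
# curl hit replays a URL but 20 minutes later, outside the window.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.10 "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" cookie=yes 200 /reports/weekly?team=42&sort=desc
2024-05-01T10:00:04Z 198.51.100.7 "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)" cookie=no 302 /reports/weekly?team=42&sort=desc
2024-05-01T10:00:31Z 203.0.113.10 "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" cookie=yes 200 /reports/weekly/export?team=42
2024-05-01T10:00:36Z 198.51.100.23 "Mozilla/5.0 (Linux; Android 13) Chrome/124.0" cookie=no 302 /reports/weekly/export?team=42
2024-05-01T10:02:00Z 192.0.2.55 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0" cookie=no 200 /login
2024-05-01T10:02:10Z 192.0.2.55 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0" cookie=yes 200 /dashboard
2024-05-01T10:20:00Z 198.51.100.99 "curl/8.5.0" cookie=no 302 /reports/weekly?team=42&sort=desc
"""

# Statuses that indicate the request bounced off the auth wall (assumption).
AUTH_WALL_STATUSES = {301, 302, 401, 403}


def parse_log(text):
    """Parse the constructed log format into a list of dicts, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["status"] = int(e["status"])
        e["cookie"] = e["cookie"] == "yes"
        entries.append(e)
    return entries


def find_shadow_requests(entries, window_seconds=60):
    """Return stateless requests that replay, within the window, a URL an
    authenticated user loaded successfully from a different client."""
    window = timedelta(seconds=window_seconds)

    # Index authenticated successful loads by exact URL: a queued URL is
    # replayed verbatim, query string and all, so we match on the full string.
    auth_by_url = {}
    for e in entries:
        if e["cookie"] and e["status"] == 200:
            auth_by_url.setdefault(e["url"], []).append(e)

    # Requests per (ip, ua): a real visitor browses around, a classifier
    # fetch loads exactly one page and leaves.
    request_count = Counter((e["ip"], e["ua"]) for e in entries)

    hits = []
    for e in entries:
        if e["cookie"]:
            continue
        for origin in auth_by_url.get(e["url"], []):
            delta = e["ts"] - origin["ts"]
            if origin["ip"] != e["ip"] and timedelta(0) <= delta <= window:
                hits.append({
                    "url": e["url"],
                    "user_ip": origin["ip"],
                    "shadow_ip": e["ip"],
                    "shadow_ua": e["ua"],
                    "offset_seconds": int(delta.total_seconds()),
                    "single_page": request_count[(e["ip"], e["ua"])] == 1,
                    "auth_wall_rejected": e["status"] in AUTH_WALL_STATUSES,
                })
                break  # one origin per shadow request is enough
    return hits


if __name__ == "__main__":
    for h in find_shadow_requests(parse_log(SAMPLE_LOG)):
        print(f"{h['url']} replayed {h['offset_seconds']}s after {h['user_ip']} by "
              f"{h['shadow_ip']} ({h['shadow_ua']}); single page={h['single_page']}, "
              f"rejected={h['auth_wall_rejected']}")
```

Matching on the exact URL including the query string is the point: a normal anonymous visitor arriving at the same path would rarely carry an authenticated user's specific query parameters, so a short-offset exact match from a cookieless client that loads nothing else is a strong signal that the URL was forwarded from the user's side (a filtering proxy or endpoint agent) rather than discovered by a crawler.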
- "Advanced URL Filtering" seems to have a feature where web content can either be evaluated "inline" or "web payload data is also submitted to Advanced URL Filtering in the cloud" [1].
- If a URL is considered 2 spooky to load on the user's endpoint, it can instead be loaded via "Remote Browser Isolation" in a remote-desktop-like session, on demand, for that single page only [2].
I think either (or both) could explain the signals you're detecting.
[1]: https://docs.paloaltonetworks.com/advanced-url-filtering/adm....
[2]: https://docs.paloaltonetworks.com/advanced-url-filtering/adm...
A concrete example of converting a user using these types of cards for free trial abuse is a user who signed up 8 weeks in a row using different emails, names, IPs and cards. Nudging of these users was enabled and on trying to sign up for their 9th trial they immediately switched back to their original account and converted at full price.