Why fraudsters copy your platform

March 15, 2026 · 4 min read

Attackers do not always reach your users through your platform. Sometimes they reach them by pretending to be your platform.

Let's take a look at hosting providers. Attackers scan the provider's IP ranges to identify websites using the service, building a list of customers and their contact details. They create a page that looks identical to the hosting provider's control panel login. They send the link to customers through email or messaging, with a message urgent enough to prompt action. Customers visit the fake page, enter their credentials, and at that moment the credentials are lost. The attackers now have valid usernames and passwords for real accounts on the real platform.

The phishing campaign itself is invisible to the hosting provider. It happens on external infrastructure, through external communication channels, against users who have no reason to suspect anything until it is too late. The provider has no way to block the fake page or intercept the phishing emails, and no visibility into which users enter their credentials on the replica.

But what happens next is entirely visible. The attackers use the stolen credentials to log in to the real platform. That login attempt hits the provider's actual authentication system on a device the account has never used, with an IP address inconsistent with the user's history, at a time and location that break the account's established pattern. The phishing is invisible, but the login is not.

Every platform is a target

Hosting providers are one example, but this attack works against any platform with a login page and a user base worth targeting. SaaS applications, e-commerce platforms, financial services, healthcare portals, internal business tools: if your users authenticate with credentials, someone can build a fake version of your login page and harvest those credentials.

The attack scales with automation. Scraping customer lists from public sources, generating phishing pages from templates, and distributing them through bulk email is an industrialized process.

User activity monitoring is not optional. You cannot prevent every phishing campaign that targets your users. You can detect when stolen credentials are used against your real platform, and you can act before the attacker does damage.

MFA helps, but it does not close the door

Multi-factor authentication is the standard defense against credential theft, and it works. An attacker who has a stolen password but no access to the user's second factor cannot complete authentication. For the accounts where MFA is enforced, a successful phish of the password alone is not enough.

MFA raises the cost of credential theft significantly and blocks the majority of opportunistic attacks. It does not eliminate the need to monitor what happens after authentication. The accounts without MFA are exposed to simple credential replay. The accounts with MFA are exposed to proxy-based session capture. Both produce the same result: an attacker logging in from unfamiliar infrastructure with a valid session.

What the stolen credential login looks like

A login made with phished credentials has behavioral characteristics that distinguish it from the legitimate user's normal pattern.

Device and location mismatch. The legitimate user logs in from a consistent set of devices and locations built up over months or years of account history. The attacker logs in from a device the account has never seen, from an IP address in a different city or country, on a network type inconsistent with the user's established pattern.

Session behavior after login. A legitimate user who logs in to a hosting control panel browses their sites, checks settings, and follows a pattern consistent with their usage history. An attacker who logs in with stolen credentials goes straight to high-value targets: account settings, payment methods, DNS configuration, email forwarding rules. The session is focused and purposeful in a way that deviates from the account's normal rhythm.

Timing anomalies. The attacker may log in within hours of the phishing campaign being sent, creating a cluster of anomalous logins across multiple accounts in a narrow time window. If several accounts that normally show no login activity suddenly authenticate from unfamiliar infrastructure within the same afternoon, the pattern indicates a coordinated attack rather than individual account compromises.

Rapid account changes. The attacker's priority after gaining access is to secure that access: change the email address, change the password, add a new authentication method. These changes happening shortly after a login from an unrecognized device and location are the strongest takeover signal available.
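To make the three signals above concrete, here is an added Python model (not tirreno's code) that runs them over constructed login and account-change events; the tuple layout, the /24 network grouping and the two-hour and thirty-minute thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): username, IP, user agent,
# timestamp, event type, the fields the post says to send for each event.
HISTORY = [  # earlier activity that establishes each account's baseline
    ("alice", "198.51.100.7", "Firefox/Linux", "2026-02-20T09:00", "login"),
    ("bob", "198.51.100.20", "Chrome/Windows", "2026-02-21T14:30", "login"),
    ("carol", "198.51.100.33", "Safari/macOS", "2026-02-22T11:10", "login"),
]
RECENT = [  # one afternoon after a phishing campaign has gone out
    ("alice", "203.0.113.5", "Chrome/Windows", "2026-03-15T15:02", "login"),
    ("alice", "203.0.113.5", "Chrome/Windows", "2026-03-15T15:06", "email_change"),
    ("bob", "203.0.113.5", "Chrome/Windows", "2026-03-15T15:20", "login"),
    ("bob", "203.0.113.5", "Chrome/Windows", "2026-03-15T15:24", "password_change"),
    ("carol", "198.51.100.33", "Safari/macOS", "2026-03-15T16:00", "login"),
]

def net(ip):
    """Coarse network identity (assumed): the /24 the address belongs to."""
    return ip.rsplit(".", 1)[0]
def ts(event):
    return datetime.fromisoformat(event[3])

def build_baseline(events):
    """Per account, the (network, user agent) pairs seen in past logins."""
    seen = defaultdict(set)
    for user, ip, ua, _, kind in events:
        if kind == "login":
            seen[user].add((net(ip), ua))
    return seen

def anomalous_logins(events, baseline):
    """Device and location mismatch: logins from a pair the account never used."""
    return [e for e in events
            if e[4] == "login" and (net(e[1]), e[2]) not in baseline[e[0]]]

def coordinated_accounts(anoms, window=timedelta(hours=2), min_accounts=2):
    """Timing anomaly: distinct accounts with anomalous logins inside one window."""
    anoms = sorted(anoms, key=ts)
    hits = set()
    for i, a in enumerate(anoms):
        users = {b[0] for b in anoms[i:] if ts(b) - ts(a) <= window}
        if len(users) >= min_accounts:
            hits |= users
    return hits

def rapid_changes(events, anoms, within=timedelta(minutes=30)):
    """Strongest takeover signal: credential changes soon after an anomalous login."""
    return [(e[0], e[4]) for e in events
            if e[4] in ("email_change", "password_change")
            and any(a[0] == e[0] and timedelta(0) <= ts(e) - ts(a) <= within
                    for a in anoms)]
```

On the sample data alice and bob are flagged on all three signals while carol, logging in from her usual network and browser, is not.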

How tirreno catches the login, not the phish

tirreno monitors user events on your actual platform. It cannot prevent phishing, but it detects the moment harvested credentials are used.

When a phishing campaign hits and multiple accounts begin showing suspicious login activity from new IPs and devices in a short window, the pattern is visible in the activity page in real time. The trust scores drop across affected accounts. Accounts crossing the auto-blacklisting threshold are suspended automatically. Accounts in the review range surface for your team with the full context of what triggered the score.

Timing determines the outcome. A compromised login detected and blocked within minutes limits the damage to a failed attempt. One that goes undetected for days gives the attacker time to change credentials, exfiltrate data, and use the compromised account as a staging point for further attacks.

Getting started

Install. Deploy a tirreno instance for your platform. The administration guide covers setup and configuration.

Send events. Send events to tirreno from your backend for every login attempt (successful and failed), password change, email change, and session activity. Include username, IP, user agent, timestamp, and event type. The developer guide has the API schema.

Apply the account_takeover preset. Open the rules page, activate the preset, and browse the activity page. The behavioral baselines build as login data accumulates. Within days you will have a picture of normal authentication patterns for your user base.

Monitor for coordinated anomalies. When multiple accounts show anomalous logins from unrecognized networks in a short window, you are likely seeing the result of a phishing campaign. The activity page makes this visible as it happens.

Download at tirreno.com/download.