Fraud attacks and their avenue of entry are generally regarded as mysteries to most of the companies that suffer from them.
The victims generally don’t know who is on the other side trying to get in and what they are going after, whether its money, privileged access to a network or information such as account numbers. It’s also an issue of determining whether the attacker is man or machine since that can influence the primary defensive strategy employed in response to an attack.
Unfortunately, the trend for data breaches is only getting worse. According to Risk Based Security which recently published its MidYear QuickView Data Breach Report, there were 3,813 data breaches in the first six months of 2019 exposing more than 4.1 billion records. Compared to the midyear of 2018, the number of reported breaches was up 54% and the number of exposed records was up 52%.
Using people for attacks is expensive, which is why automated attacks are favored to as a way to break into a company’s network. According to Arkose Labs’ Q4 2019 Fraud & Abuse Report countries such as China and the Philippines tend to have higher levels of human-driven fraud attacks due to their cheaper labor costs. Arkose noted human-driven fraud attacks can originate from lone fraudsters or organized groups known as sweatshops. In many cases, the actual fraudster who may be in one country, such as Ukraine, will outsource much of the leg work of the attack to a fraud sweatshop in another country, such as Venezuela.
“Fraud attack sweatshops used to be concentrated in the Philippines and now they become much more distributed across different countries. Lower cost locations such as Venezuela and India are on the rise to hosting these sweatshops,” said Vanita Pandey, vice president marketing and strategy at Arkose Labs.
While automated attacks still represent the bulk of all attacks, the rate of human-driven attacks is growing due to success rates in automated attacks declining, Arkose reports. Additionally, China continues to have the highest mix of human-driven attacks whereas the U.S. and Great Britain see the highest levels of overall automated (or bot) mix in their attacks.
It should come as no surprise that human-driven attacks happen in the early hours of the morning peaking between 2am and 10am Pacific time – because that translates to the hours of 6pm to 2am in both Beijing, China and Manila, Philippines as well as between 3:30pm and 11:30pm in New Delhi, India – places where large numbers of fraudsters conducting human attacks live. Arkose Labs noted the variability of human-driven attacks is driven primarily to the “office hours” fraudsters keep and the traffic patterns of the businesses they are trying to attack.
According to Arkose Labs, account registrations are favored human-driven attacks over logins or payments most likely because registering a new account can vary from institution to institution whereas a login is often just a username and password.
Registering a new account is a critical step in committing fraud as it lays the groundwork for future thefts. Fraudsters will do this well in advance as they know companies often have curation rules that require an account to season over time before major purchases and transfers will be allowed.
It’s also a trend that Arkose labs has recently noticed in the traffic it monitors. “Fraudsters are beginning to make attacks in preparation for the holiday,” noted Pandey.
The size and scope of data breaches continues to expand to a wide array of companies with no signs of slowing down. According to a press release from Purdue University’s Global IT group six of the top nine breaches have occurred in the last three years. The scope of these breaches often goes beyond just simple usernames and passwords. In the case of the Starwood breach, which was uncovered when it merged with Marriott, it included credit cards, rewards accounts, names, addresses, and even passports.
The Equifax breach released a staggering amount of information on consumers in the U.S., Canada and the UK. It’s impact on Equifax was equally staggering. The Federal Trade Commission reached a settlement with Equifax that includes $425 million to help affected consumers. It provides affected consumers with 10 years of free credit monitoring and up to $20,000 in cash payments to cover losses and expenses. Starting in 2020 all U.S. consumers are eligible to receive six free credit reports from Equifax per year for the next seven years.
While human fraud attacks are more costly and often require the use of digital fraud sweatshops as far away as Venezuela, India, and the Philippines they are sometimes necessary in order to make a big score. Based on data from Arkose, technology and even finance industries tend to have a greater level of human-driven fraud attacks than gaming and other industries.
Arkose labs reported the higher the potential profit in a fraud attack, the more likely fraudsters will put in manual effort. In other words, the fraudsters will “spend money to take money” if they think the theft will be bigger. Many times fraudsters will use automated attacks as a precursor to a human-driven attack as bots can test the fortress walls companies put up to keep cyber thieves out.
“The gaming industry is experiencing a significant amount of automated attacks, particularly for account registrations. These companies are the gas stations of the internet. Testing free accounts and doing $1 authorizations to see if a stolen card bought on the dark web is still live,” said Pandey.
Bots generate a significant amount of website traffic, yet not all are created equally. Some bots are actually good, helping businesses better serve their customers. For example, in the airline industry there is an ecosystem of online travel agents, aggregators, and competitors that use bots to scrape content, including flight information, pricing, and seat availability, so consumers seeking to book travel can do so with the latest information available.
Based on data from a press release for Distil Network’s 2019 Bad Bot Report, Bad bots, on the other hand, are widely used by companies and criminals for various activities ranging from borderline unethical to illegal. Some of the leading types of bad bot activities include price scraping, content scraping, denial of service, denial of inventory, account creation, account takeover and credit card fraud.
An example of how bad bot can affect an industry is the denial of inventory bot which is targeted at airlines and the live events business. In this case a bad bot will choose an airline flight and select a seat, holding it in a shopping cart as long as possible to deny the seat to real customers. The same thing happens when bad bots deployed by scalpers will attempt to hold concert tickets in virtual shopping carts to reduce available inventory and drive up prices. While the airlines and live event industries deploy timers to limit how long an individual can sit on a shopping cart without buying, an automated bot or bots can do this act repeatedly and indefinitely.
Read the full article by Michael Moeser, PaymentSource here.