Factors Fueling the Growth of eCommerce Fraud
During COVID-19 induced lockdowns, eCommerce transformed the way people shop and provided a shot in the arm to innovative digital payment methods. eCommerce became even stronger as people became accustomed to the convenience of anytime, anywhere shopping, multiple payment options, same-day delivery, and a seamless user experience.
eCommerce ATOs Mean Easy Money for Attackers
The meteoric growth and round-the-clock activity in the eCommerce ecosystem provide bad actors with many opportunities to make easy money.
One of the most popular tactics bad actors use to target eCommerce platforms is the account takeover (ATO) attack. Fraudsters use password spraying and credential stuffing to build databases of valid username-password combinations, which they either use for account takeover attacks themselves or sell to third parties.
How Much Money is Made by Attacking eCommerce Sites?
The Economics of Account Takeover Attacks explains the factors that affect the monetization of compromised eCommerce accounts. The potential returns from an account takeover attack on eCommerce accounts depend on the following factors:
The hit rate
This metric defines how many valid sets of credentials will be harvested from a credential stuffing attack. The ratio varies with the industry and the quality of the combo list used. A combo list is a collection of known username and password combinations. For eCommerce websites, the estimated hit rate is about 15%, because using an email address as the user ID is common and combo lists of email addresses and passwords are much easier to find. Assuming an average-quality combo list of 1 million credentials and a hit rate of 15%, a credential stuffing attack on an eCommerce website would harvest an estimated 150,000 valid credentials.
The attacker's reputation
Attackers use the dark web to sell the credentials they harvested through credential stuffing. A seller's reputation directly affects how much of their inventory will be bought. Sellers new to the business with no or low reputation may sell up to 20% of their inventory, whereas more experienced resellers with a medium reputation may sell up to 40%. Long-term proven resellers with a very good reputation may sell at least 60% of their inventory.
Account market price
The market price of a user's credentials varies by industry. For the commerce sector, the average revenue per credential is about $7,200 for an attacker with a good reputation, $4,800 for an attacker with a medium reputation, and $2,400 for an attacker with a low reputation.
A website’s level of protection
The infrastructure needed for a successful attack varies with the protection a company has in place. The Economics of Account Takeover Attacks shows that certain sophisticated security solutions increase the attackers' costs and significantly erode their revenue potential. That said, expert fraudsters with excellent reputations on the dark web will still be able to earn a decent revenue.
When attacking a well-protected site, the number of replays, the lack of fast progress, the complexity of the attack strategy, the rising cost, and the uncertainty of how long the attack will take to complete may unnerve less experienced attackers and convince them to give up early, significantly affecting their inventory and ultimately their net income.
How Much Does It Cost to Attack an eCommerce Account?
The tables below list the revenue potential for attackers of varying reputations against sites protected with a WAF, a bot management solution, and an advanced bot management solution such as Arkose Protect™, respectively.
It is clear that Arkose Labs erodes financial gains from an account takeover attack, rendering it not worthwhile for attackers to persist.
Website protected with WAF

| Number of sites attacked | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| Total cost (yearly) | $624 | $624 | $624 | $624 | $624 |
| Potential income: low reputation | $1,776 | $4,176 | $6,576 | $8,976 | $11,376 |
| Potential income: medium reputation | $4,176 | $8,976 | $13,776 | $18,576 | $23,376 |
| Potential income: high reputation | $6,576 | $13,776 | $20,976 | $28,176 | $35,376 |
Website protected with a bot management solution

| Number of sites attacked | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| Total cost (yearly) | $9,000 | $9,600 | $10,200 | $10,800 | $11,400 |
| Potential income: low reputation | -$6,600 | -$4,800 | -$3,000 | -$1,200 | $600 |
| Potential income: medium reputation | -$4,200 | $0 | $4,200 | $8,400 | $12,600 |
| Potential income: high reputation | -$1,800 | $4,800 | $11,400 | $18,000 | $24,600 |
Websites protected with Arkose Protect™

| Number of sites attacked | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| Total cost (yearly) | $18,080 | $27,760 | $37,440 | $47,120 | $56,800 |
| Potential income: low reputation | -$15,680 | -$22,960 | -$30,240 | -$37,520 | -$44,800 |
| Potential income: medium reputation | -$13,280 | -$18,160 | -$23,040 | -$27,920 | -$32,800 |
| Potential income: high reputation | -$10,880 | -$13,360 | -$15,840 | -$18,320 | -$20,800 |
Increasing Costs and Decreasing ROI Force Attackers to Give Up
eCommerce platforms using Arkose Protect™ can deter account takeover attempts by making them costlier and increasing the time they take to complete. Attackers need to build an elaborate infrastructure, possibly consisting of a laptop orchestrating a set of virtual machines (VMs) deployed in a cloud infrastructure that generate the attack traffic, load balanced through a large set of residential and mobile proxies. The software running on the VMs may be an advanced script written in Python or a similar language, or a full-blown headless browser able to execute JavaScript and mimic more advanced behavior such as mouse movements or key presses.
In addition, attackers must invest in a costly proxy service leveraging mobile and residential ISP IP addresses, as a basic proxy service would no longer suffice. Their hosting costs will double (about $100 per month) per site they attack to manage the more complex workflow of solving the Arkose Protect™ challenges. Further, they must integrate the botnet with a CAPTCHA-solving service, which costs about $2.12 per 1,000 requests.
Attackers will spend significantly more time completing a credential stuffing attack, which makes the attack more noticeable and more prone to mitigation, which in turn increases the number of retries required. Given that the CAPTCHA-solving service needs four tries for every successful validation, a million credentials would need four million requests to validate, costing about $8,480. Therefore, the total annual cost of attacking a single website protected with Arkose Protect™ is more than $18,000.
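The cost model described in the factors section and the cost breakdown above can be reproduced from the page's own figures. The following is an added example, not code from the original post or from Arkose Labs; it assumes the per-site revenue equals the $2,400/$4,800/$2,400 reputation figures, and the $8,400 fixed yearly cost is derived from the tables (total cost minus the per-site components), not stated on the page.

```python
# Added example: attacker ROI model built from the figures quoted on this page.
# Revenue per attacked site, by seller reputation (from the page).
REVENUE_PER_SITE = {"low": 2_400, "medium": 4_800, "high": 7_200}

# Combo list size and eCommerce hit rate (from the page).
COMBO_LIST_SIZE = 1_000_000
HIT_RATE = 0.15


def harvested_credentials(list_size=COMBO_LIST_SIZE, hit_rate=HIT_RATE) -> int:
    """Valid credentials expected from one credential stuffing run."""
    return int(list_size * hit_rate)


def captcha_solving_cost(credentials, tries_per_success=4, price_per_1000=2.12) -> int:
    """Solver fees: each credential costs `tries_per_success` requests (page figures)."""
    requests = credentials * tries_per_success
    return round(requests / 1000 * price_per_1000)


# Yearly cost per protection level as (fixed, per_site).
# WAF: $624 flat. Bot management: $9,000 for one site, +$600 per extra site.
# Arkose Protect: hosting doubles to $100/month per site ($1,200/yr) plus the
# solver fees for a million-credential list ($8,480). The $8,400 fixed share is
# an assumption derived from the tables (total minus per-site costs).
ARKOSE_PER_SITE = 100 * 12 + captcha_solving_cost(COMBO_LIST_SIZE)
COSTS = {
    "waf": (624, 0),
    "bot_management": (8_400, 600),
    "arkose_protect": (8_400, ARKOSE_PER_SITE),
}


def yearly_cost(protection: str, sites: int) -> int:
    fixed, per_site = COSTS[protection]
    return fixed + per_site * sites


def net_income(protection: str, reputation: str, sites: int) -> int:
    """Attacker's yearly profit (negative means the campaign loses money)."""
    return REVENUE_PER_SITE[reputation] * sites - yearly_cost(protection, sites)


def breakeven_sites(protection: str, reputation: str, max_sites: int = 100):
    """Smallest number of sites at which the attack turns a profit, or None."""
    for n in range(1, max_sites + 1):
        if net_income(protection, reputation, n) > 0:
            return n
    return None
```

Against Arkose Protect the per-site cost ($9,680) exceeds even the high-reputation revenue per site ($7,200), so `breakeven_sites` returns `None` for every reputation level: attacking more sites only deepens the loss, which is the behaviour the third table shows.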
Arkose Labs also requires attackers to devise a more sophisticated attack strategy to avoid detection and ensure that:
The traffic is spread across a large number of nodes; botnets of over 10,000 nodes spanning several continents are common;
The traffic looks like it is coming from residential and mobile ISPs, since traffic coming from data centers is generally considered more suspicious;
The attack traffic mimics the legitimate traffic as much as possible. For example, if users are expected to follow a specific path before reaching a resource, such as first visiting the site’s home page, then accessing the login page, and eventually logging in, the attack traffic must follow a similar workflow;
The expected data is sent with some variety in the fingerprint, while still guaranteeing that the fingerprint is valid, to avoid detection. Bot and fraud detection products typically collect a client-side fingerprint consisting of device and browser characteristics and user preferences, which is then evaluated to differentiate bots from humans or to uniquely identify devices;
Failed attempts are resubmitted, since the large majority of the attack traffic will be detected and blocked or challenged. This increases the time needed to complete the attack.
Conclusion
Arkose Labs provides digital businesses with superlative bot management capabilities by significantly increasing the cost of and eroding the returns from an account takeover attack. In the absence of any financial returns, bad actors have no choice but to give up on the attack or move on to an unprotected target, ensuring long-term protection for the business.