By Benji Taylor, Senior Director of Service Delivery, Arkose Labs
Cybercrime continues to evolve at an alarming rate. To gain a better understanding of current attack mechanics and perpetrators, my company recently analyzed more than 1.3 billion transactions spanning account registrations, logins and payments across the financial services, e-commerce, travel, social media, gaming and entertainment industries. The most notable trend we discovered was a major spike in human-driven attacks, which rose 90% in Q4 of 2019 compared to six months previously. At the same time, we found that automated attacks — which grew by 25% — are becoming increasingly complex as fraudsters become more effective at mimicking trusted customer behavior.
What’s most interesting about these findings is that cybercrime is no longer solely about making a profit as quickly as possible. Today’s fraudsters are committed to playing the long game, investing ample time, energy and capital to organize sophisticated, multi-step attacks that don’t initially reveal their fraudulent intent and as such, are significantly harder to detect. In fact, the sharp rise in human-driven attacks can be attributed to fraudsters’ latest tactic: leveraging ‘sweatshops,’ i.e. large groups of low-paid workers who carry out launch attacks or make malicious transactions on fraudsters’ behalf.
3 Fraud Trends to Monitor
The trending attacks types that surfaced in our recent analysis demonstrate the unpredictable face of fraud. Fraudsters are showing some surprising routes to monetization and targeting new industries and use cases. Organizations of all sizes, locations and industries must constantly ask themselves, “How can my product or service be used nefariously?” By proactively identifying ways their sites and apps can be abused in the future, they can ensure they are far more resilient to attacks in 2020 and beyond.
- Social media applications have become lucrative targets. Social platforms would not traditionally be associated with high monetization potential for fraudsters, especially when compared to other industries such as ecommerce and finance. However, due to the volume of rich personal data and high user activity levels, social media platforms have become lucrative targets for fraudsters looking to scrape content, write fake reviews, steal information or disseminate spam and malicious content. In Q4 of 2019 there was a dramatic increase in attack volumes for both social media account registrations and logins. In fact, every two in five login attempts and every one in five new account registrations were fraudulent, making this one of the highest industry attack rates. The human versus automated attack mix also rose, with more than 50% of social media login attacks being human-driven.
- Fraudsters are attacking the fun factor in online gaming. As millions increasingly engage in online games, the industry has emerged as a prime monetization avenue for fraudsters across the globe. Our data shows that attacks on gaming platforms are persistent and highly sophisticated, with fraudsters leveraging these applications to use stolen payment methods, steal in-game assets, abuse the auction houses and disseminate malicious content. Simultaneously, fraudsters are using bots to build online gaming account profiles and sell accounts with higher levels, while also targeting online currencies used within select games. Overall, we found that online gaming attack rates grew 25% last quarter, with most of the growth coming from human-driven attacks on new account registration and logins.
- Sweatshops are driving up attack levels and creating new global cybercrime hubs. To combat financial and operational scalability challenges, fraudsters are increasingly relying on sweatshop-like workers to carry out their preparation activities for larger cybercrime attacks. According to our findings, human-driven attack levels increased during high online traffic periods, with peak attack levels 50% higher than seen in Q2 of 2019. The extended fraud ecosystem leverages socio-economic disparities across the globe to tap into low-cost resources with high incentive levels to become involved in cybercrime. Last quarter saw a rise in sweatshop attacks from Venezuela, Ukraine, Vietnam, India and Thailand, while sweatshop attacks originating from the Philippines, Russia and Ukraine nearly tripled compared to Q2 of 2019.
Combating Cybercrime Requires a Zero Tolerance Approach that Stamps out Fraud and Abuse in All Its Forms
Fraudsters are more willing than ever to be resourceful and innovative, often laying the groundwork months in advance via lower cost, yet highly nimble, automated attacks. As long as there is money to be made in fraud and businesses continue to tolerate attacks, fraudsters are going to continue to identify the most effective attack methods to achieve optimal ROI. Collectively organizations must stop accepting current fraud levels as ‘the cost of doing business,’ as this is only exacerbating the problem.
Equally critical in the fight against perpetual cybercrime is taking a careful look at what makes an organization’s product or service successful, and determining how fraudsters may exploit that feature. Take the concept of customer experience, for example. In recent years, organizations have become obsessed with delivering frictionless customer experiences, as digital-savvy consumers have demand instant access to services and fulfillment of purchases.
However, as the fraud landscape hots up, businesses need to find a better way to align their customer experience goals with the highest security standards. Next-generation authentication controls can be used as a positive component in the user journey as long as the methods never alienate true customers and the result is better protection from fraud and abuse – which is the ultimate customer experience killer. Rather than prioritizing a frictionless experience at all costs, targeting intelligent friction at risky traffic will dramatically slow down fraudsters and sweatshops to the point that large-scale attacks are impractical and costly.
Ultimately, the only sustainable option for combating cybercrime is adopting a zero tolerance approach that undermines the economic incentives behind fraud. This requires actively monitoring customer touchpoints for all forms of abuse, and ensuring that malicious users encounter sufficient resistance to disincentivize them. This will put an end to the vicious cybercrime cycle of success, whereby fraudsters learn from successful attacks and reinvest the proceeds of fraud into more data and more advanced tools – stopping the continuous upwards trend of fraud attacks that businesses are currently experiencing.
About the Author
Benji Taylor is the Senior Director of Solution Delivery for Arkose Labs. He has been working in the Online Fraud and Abuse space for the past six years. He loves exploring the constantly changing fraud attack landscape and seeing new verbose ways companies are finding to quickly and effectively mitigate and reduce the attack service for their customers.