How online fraud will evolve in 2016

As 2015 draws to a close, the security fraud community is preparing for more battles ahead in 2016. Next year, consumer-facing web and mobile apps are up against a much more sophisticated and prolific enemy as bad actors continue to evade traditional security defenses, leverage the latest mobile hacker tools to impersonate legitimate users, and take control of consumer accounts en masse.

To prepare users for the year ahead, researchers at DataVisor released their top 5 online fraud predictions for 2016.

Prediction #1: Social sites become bigger targets as lines between social and e-commerce blur

In 2015, many traditional social networking sites such as Pinterest, Facebook and Twitter announced plans to add “Buy” buttons to their platforms in an effort to increase stickiness with their users and help monetize their user base. Adding e-commerce functionality is a continuing social media trend. However, this will attract more fraudsters looking to conduct fraudulent transactions on these platforms.

In 2016, we expect to see a spike in the overall amount of commerce online for social sites, making it easier for malicious campaigns to hide amongst the billions of legitimate social users. If you have a social property with e-commerce features, you should consider adding security that has the ability to detect both social fraud (fake likes & reviews, spam) and financial fraud (fraudulent transactions, identity theft and promotion abuse).

Prediction #2: EMV cards & digital wallets to shift more fraudulent credit card attacks online

2016 stands to be a record year for Card-Not-Present fraud. According to Javelin Research, CNP fraud is expected to grow from $10B in 2014 to over $19B in 2018. The increasing adoption of the new EMV cards and new digital wallet solutions, such as Apple Pay and Google Wallet, will have the unfortunate consequence of moving fraudsters online to monetize fake and stolen credit cards. While these new technologies are expected to reduce the amount of point-of-sale system fraud and counterfeit credit cards, they will have little to no effect in helping prevent fraudulent transactions online in card-not-present attacks.

In 2016, we expect to see a perfect storm that is bound to result in a high level of fraudulent transactions, powered by the following three trends: a significant increase in e-commerce websites and mobile apps, growing comfort amongst consumers to transact online given 45% of the world’s three billion online users now buy things online, and the adoption of EMV cards and digital wallets. You can tip the scales back in your favor with new advanced online security analytics technologies to keep up with the increased credit card attacks.

Prediction #3: Global O2O wars will increase the rate of user acquisition promotion fraud

In 2015, we saw the war between online-to-offline (O2O) companies heat up as these services made huge investments to expand their footprint across the US, China, India and other countries. For example, in an effort to gain market share, Uber has invested more than $2B to expand in China and India. Not to be outdone, rival car share service Didi invested over $2B in China and is also funding Lyft in the US and Ola in India.

Much of this money is intended for promotions to attract new drivers and users. Unfortunately, we have seen reports of a huge volume of user acquisition fraud, where drivers make hundreds to thousands of dollars per month in subsidies by registering multiple driver accounts and conducting fake rides. The combination of strong financial incentive and the wide availability of mobile hacking tools such as mobile emulators and GPS location fakers creates an ideal environment for fraud to continue to grow in 2016. As O2O companies consider their global expansion strategies, they need to incorporate online fraud detection into their plans, so they can grow fast without being fleeced in the process.

Prediction #4: Account takeovers will rise as a result of continued large data breaches

We are now operating in the era of “peak data breach”. Whether it is your healthcare provider, your university, your favorite retail store or the government, your personal data has probably been stolen by now as a result of one or more of these high-profile breaches. According to a recent study, the 600+ reported data breaches this year, including major attacks against Anthem, T-Mobile, and the Office of Personnel Management, have resulted in the theft of more than 175 million records.

What does this mean for 2016? The bad actors will look to monetize the stolen user credentials and credit cards over the next year via fraudulent credit card attacks. More seriously, they could launch account takeover (ATO) campaigns leading to identity theft that could drain bank accounts and buy fake goods on your dime. As a result, online merchants and consumers alike need to be on high alert for anomalous purchases and ATO activity in 2016, and take measures to detect these attacks before they do any major damage. Given the wealth of personal data that has already been stolen, the industry needs to pay more attention to preventing bad actors from using these stolen credentials, as opposed to just trying to stop the breach from occurring in the first place.

Prediction #5: Cyber attackers will move to the cloud

Businesses and consumers are not the only ones moving to the cloud. In 2016, we expect to see the continued migration of cyber attack infrastructure to the cloud, as cloud services become more pervasive and cost-effective. Cloud services such as AWS, Azure and Google Cloud are already victims, as fraudsters register a massive number of free trial accounts and use their computation infrastructure to conduct attacks. Other popular cloud services, including dedicated/virtual hosting (e.g. OVH, Quadranet, Ubiquity Hosting, etc.) and anonymous proxies (e.g. PureVPN, ZenMate), will also become increasingly common among online criminals. Thanks to the elasticity and compute capacity of these services, the cloud allows cyber attackers to significantly increase the number of attack campaigns they can conduct, and allows them to easily hide behind legitimate network sources and thus remain anonymous.

To protect yourself from attacks launched from the cloud, you need to go beyond simple IP reputation databases and rules/models-based systems to detect these well-organized attack campaigns, since one cannot naively block traffic from cloud infrastructure. In fact, in our observation, traffic from cloud infrastructure is a heavy mix of both good and bad user activity. The industry needs to move to more advanced solutions that can precisely distinguish malicious traffic originating from cloud infrastructure.