A new report by DataVisor Threat Labs has provided unprecedented insight into the behaviors and attack techniques of some of the world’s largest online crime rings, and revealed their favorite tools and attack techniques for creating accounts and evading detection.
Fraudsters prefer desktop machines
The report, compiled by analyzing telemetry signals gathered by the DataVisor User Analytics Service over the last six months of 2016, showed that 82% of fake accounts originated from desktop machines, compared to only 18% from mobile platforms.
“It is not hard to see why fraudsters prefer desktop — there is no reliable device fingerprint that can be used to uniquely track web users,” the researchers noted. “Creating the appearance of a different user can be as simple as clearing the browser cookie and/or spoofing the user-agent string. By contrast, mobile apps sit directly on the devices and collect more accurate device identifiers, or monitor user behavior within the app, making it harder for fake accounts to avoid detection.”
Another reason is that, on desktop, it’s easy to use emulation software to create hundreds or thousands of virtual devices, which appear as uniquely legitimate users.
When it comes to mobile, criminals prefer Android
On mobile devices, fraudsters prefer Android to iOS (74% vs 25%), as the former are more easily customizable, and there are more Android apps for spoofing GPS location services on the device, forging network requests, automating human-like activities, etc.
Fraudsters favour using the same browsers most regular users prefer: Chrome, Firefox, and IE.
But, interestingly enough, the browser with the highest fraction of fraudulent accounts (94% of its users) is Comodo Dragon, a Chromium-based browser that includes extensive security and privacy features, such as disabling web tracking, using Comodo’s DNS servers instead of the ones hosted by the internet service provider, etc. It seems obvious that fraudsters like it for its privacy features.
Cloud services are a boon for fraudsters, and 18% of accounts originating from cloud service IP ranges are fraudulent.
“Fifty-four percent of the fraudulent accounts on social platforms originated from cloud hosting networks, while two-thirds of fraudulent accounts on financial services are from residential networks. This difference can be attributed to the nature of the attacks — social platforms are frequented by massive waves of fake account registrations made scalable by cloud infrastructure, whereas financial fraudsters are more stealthy, conducting attacks with a combination of scripts and manual work,” the researchers explained.
For mobile gaming, where one of the most costly fraud attacks is user acquisition fraud, fake app installs are commonly performed from cloud hosting networks located in the targeted region, with subsequent engagement activities (e.g., logins, in-app events) generated by mechanical Turks from offshore sites.”
Like most regular users, fraudsters prefer Gmail, Outlook and Yahoo for setting up new fraudulent accounts. “We believe fraudsters use these common email domains, such as Gmail, to appear more like a legitimate user, since domains from suspicious sources like Fake Mail Generator are more likely to be blacklisted by rules-based fraud detection solutions,” the researchers noted.
Finally, most fraudulent accounts are short-lived. 54% of them are created, used, and abandoned within a day. But there is also a considerable percentage (37%) of accounts that are left “sleeping” for months, and will be used mostly in social attacks, as they require trust from the victim to be successful – and older accounts are inherently seen as more likely to be legitimate.