Insight into the growing problem of highly sophisticated fraud

Sophisticated fraud campaigns are beginning to outwit machine learning solutions especially the ones that only detect known fraud patterns based on historic loss experience, according to DataVisor.

The median lifetime of IP fraud signals is only 3.5 days

As bad actors begin using modern technologies (even machine learning) in their attacks, enterprises must bolster detection efforts with a complete solution that can also detect new and emerging fraud patterns and detect them early, or risk being overtaken by fraudsters’ increasingly superior tech prowess.

The Q3 2018 DataVisor Fraud Index Report is a quarterly assessment of trending types and methods of online fraud in commerce and across the Internet. The current report uses information gathered by DataVisor between July and September of 2018, in the course of analyzing sample data of over 40 plus billion events and analyzing over 750 million active user accounts, globally. The analysis also included 4.2 million user-agent strings, 120,000 device types and 500,000 phone number prefixes, among other indicators.

“This quarter’s Fraud Index Report shows that fraudsters are becoming increasingly aware of behaviors that can trigger machine learning fraud detection systems,” said Fang Yu, CTO of DataVisor. “This underscores our contention that conventional machine learning systems are useful only for keeping up with known types of fraud. Unfortunately, when it comes to fraud detection, if you’re just keeping up, you’re already behind.”

The Fraud Index Report finds that fraudsters have become adept at evading static signals, and employ a flexible backend infrastructure so they can change their modus operandi quickly. Out of the fraud signals detected, 36% were active for less than one day, and 64% for less than one week. IP addresses were the most volatile with the median lifetime of IP fraud signals being just 3.5 days.

The report differentiates between high sophistication and low sophistication attacks. Highly sophisticated attackers (typically in the financial sector) can conduct normal online business operations for as much as 18 months before initiating small scale “test” attacks, to determine what responses may be forthcoming from targeted companies. Some 45% of attacks from highly sophisticated fraudsters occurred in these types of staggered stages.

Fraud attacks with higher sophistication also tend to have a more significant “delay” between attack phases. According to the report, in 40% of high sophistication attacks attackers wait for at least one day before mounting their peak attack, while 20% wait more than one month. By contrast, 80% of low sophistication attacks are performed within one day of fake account creation.

Private domains have become popular means of fraudulent user account registration. Registering private domains allows fraudsters to create email accounts en masse, enabling them to bypass phone verification, CAPTCHA, and other authentication methods often required with public email services.

The distribution of the type of IP address fraud signals

The majority of these email domain fraud signals were identified with fraud from third-party sellers, including scams and/or the sale of fake and/or counterfeit items. Fake accounts are also registered solely for the purpose of promotion abuse, or to artificially boost a seller’s reputation by conducting fake purchases or leaving fake comments.

These new fraud methods suggest that existing machine-learning solutions may be insufficient for staying ahead of increasingly sophisticated attack strategies.

“Early detection is essential to preventing fraud, and it’s not enough to have point solutions or model-based methods,” said DataVisor’s Yu. “True prevention requires multiple lenses — a suite of solutions that combines business rules with adaptive AI that can detect both known and unknown fraud patterns. A combined approach enables users to accurately identify known attacks, and to get ahead of newer attack types that typically escape detection.”