Cybercriminals are testing exposed credentials for future account takeover attacks
Fraud increased 30% overall in Q3 2019 and bot-driven account registration fraud is up 70% as cybercriminals test stolen credentials in advance of the holiday retail season, according to Arkose Labs.
After analyzing over 1.3 billion transactions spanning account registrations, logins and payments, the report found that one in five account openings were fraudulent. Researchers examined transactions in the financial services, e-commerce, travel, social media, gaming and entertainment industries from July 1, 2019 to Sept. 30, 2019.
“Our report shows the evolving nature of the global cybercrime ecosystem. The monetization channels of fraud have become increasingly complex, which means the incentive and victim is not always immediately obvious,” said Kevin Gosschalk, CEO of Arkose Labs.
“One thing is clear: the way fraudsters are weaponizing compromised data from recent high-profile breaches highlights the deep connectivity of the global cybercrime ecosystem that goes way beyond selling stolen data or knowledge sharing. One attack is a precursor to another attack, and they can be in two different industries, across two different geographies.”
Most attacked customer touchpoint
Digital account registration has become the identity testing mechanism for fraudsters, evidenced in the sharp increase in account creation attacks. Even when an account creation attack fails, it can provide valuable insight into the existence of an account with the business. This information is then used for more sophisticated account takeover attacks.
The report found that identity testing on social, tech and gaming companies continues to be high. Within the technology industry, fake account creations were nine times more likely to be attacked compared to login attempts, increasing five-fold from the previous quarter.
This is because fraudsters are discovering increasingly inventive ways to monetize account creation attacks. An interesting example revealed in the report was abuse detected on a technology platform that offered access to free cloud computing accounts, which was subsequently used to mine for Bitcoin.
“Identity is the new global currency, which explains why fraudsters are prioritizing valuable resources to test and validate identities across disparate industries,” said Vanita Pandey, VP of Strategy at Arkose Labs.
“As we enter the next stage of the post-breach era, when identities have been compromised en masse and fraudsters have access to behavioral information on consumers through hacked accounts, it has never been more difficult to validate digital identity.
“Intelligent step-up challenges can be the missing link to clarify whether an online identity has been corrupted by fraudster or is being exploited by organized sweatshop activity.”
Elevated attack rate on retail payments transactions
There has been a 30% increase in account takeover attacks in the retail industry compared to the previous quarter. Account takeover attacks are a precursor to payment fraud, as most ecommerce companies encourage consumers to create accounts and store payment details to remove friction in the path-to-purchase.
81% of all retail attacks were fraudulent payments transactions, with fraudsters targeting this sector to monetize the identity and payment credentials that have been breached en masse.
“Our report exposes the monetization roadmap criminals take to commit an attack,” said Pandey.
“First, fraudsters test credentials – which we are witnessing in profusion across all industries. Next, they take over accounts. Payment fraud is usually the last step in the attack cycle and the overwhelming volume of fraudulent retail payment transactions in Q3 forecasts a very ominous holiday shopping season.
“Data shows criminals are weaponizing credentials to target businesses when transaction volumes are elevated and all digital commerce companies must be on high-alert.”
“As we head into the holiday season, customer acquisition is top of mind for retailers. Fraudsters know this and will exploit the pressure companies are under to open new accounts and maximize conversion rates,” said Gosschalk.
Human-driven fraud on the rise
Attacks from malicious humans – both lone perpetrators and organized fraud sweatshops—increased 33% over the previous quarter and nearly one in every five attacks are human-driven rather than automated.
Every third attack on financial services is human-driven, with the most sophisticated attacks coming from lone fraudsters with access to stolen identity information and the latest tools.
Over half of the attacks from Russia and China are human-driven, and China continues to have the highest mix of human-driven attacks because of the enormous labor pool available.
“The increase in human-driven fraud highlights why businesses need to rethink the role of friction within their authentication strategy.
“We have spent so much time focusing on acceptance rates, but a little friction is not bad if it allows organizations to properly protect their attack surfaces while giving consumers a simple way to prove they are legitimate,” said Pandey.
Overall, the US experienced the highest number of attacks in Q3 2019.
Financial motivations by country to commit fraud
Using regional economic indicators combined with proprietary data on known attacks, Arkose Labs created an Attack Incentive Index for countries across the globe. The higher the incentive, the more resources they are likely to put behind attacks while still preserving ROI.
Areas with high incentive levels have more ﬁnancial motivation to become involved in cybercrime and will persevere longer than average when they meet resistance or friction before abandoning attacks as they cease to be proﬁtable.
Disparities in wages and cost of labor, differing costs of living and the comparative purchasing power of different currencies shift incentive levels amongst would-be fraudsters.
For example, based on IMF statistics on purchasing power parity, the Russian ruble is a quarter of the value of the US dollar. Therefore, cybercriminals in Russia stand to gain four times the value from defrauding United States businesses as opposed to acquiring rubles.
Russia, the Philippines and Indonesia all have the highest Attack Incentive Index rating and feature in the top five countries from which attacks originate. Philippines is the top attack originator; fraudsters are driven by the low purchasing power of the region, meaning that there are big gains to be won in defrauding western countries.
“Businesses are coming up against global cybercrime networks which are leveraging regions with high Attack Incentive Index ratings, using the economic realities of different locations to their advantage,” said Gosschalk.
“The sooner businesses understand the varying global economic factors which incentivize cyber fraud and inform attack patterns, the sooner they can better protect their attack surfaces. The best defense in today’s fraud landscape is a strategy rooted in prevention, which removes the economic incentive for fraudsters to attack.”