Cybercriminals have really taken work from home to a new level. Before the pandemic, fraudsters focused their sophisticated attacks (those more complex threats that attempt to mimic humans) on financial institutions (FIs), but with nearly every vertical being forced to move online, these bad actors are truly expanding their horizons.
Retail, streaming, travel, and digital goods are all sectors that have had to up their fraud prevention game to protect against the more sophisticated methods of attacks that have expanded over this last year.
To learn more about basic and sophisticated fraud attacks across all online verticals, PaymentsJournal sat down with Michelle Hafner, SVP of Product Strategy & Execution at NuData Security, and Tim Sloane, VP of Payments Innovation and the Director of the Emerging Technologies Advisory Service at Mercator Advisory Group.
COVID-19 made the world more digital, and with that digitization came many positive results—customer satisfaction, on-demand services, and contactless payments, to name a few. But with more sophisticated technology came more sophisticated cyberattacks. Fraudsters started to act as “business entities,” using specific modes of attack and pooling resources together to carry out more advanced criminal activity.
These attacks are happening across all industries. Sophisticated attacks are able to mimic human behavior to fool traditional bot detection tools by running scripts that show common browser and application behavior. “While the sophisticated attacks are usually lower in volume than basic attacks, they’re much harder for common security tools to detect,” said Hafner.
The bots use techniques such as spoofing locations, pretending to type, and slowing the attack down to more closely resemble human interaction speed. The chart below shows that in the first half of 2020, sophisticated attacks were primarily targeting FIs, with 96% of FI attacks being sophisticated.
Then, the criminals changed their focus and began targeting other industries with these types of attacks, anticipating similar success across verticals. “Not only did consumer behavior shift, but that consumer behavior opened up new vectors of attack,” added Sloane. Aside from financial, the largest percentage of sophisticated attacks occurred during the second half of 2020 in the retail sector. The percentage of sophisticated attacks doubled, from 38% in H1 to 76% in H2. The highest increase from H1 to H2 happened in streaming, jumping from 4% to a shocking 63%.
“During COVID-19 lockdowns, consumers were buying goods online, and the demand for streaming services increased. The attack traffic aligned with how consumers’ purchasing patterns changed, as attackers were trying to maximize their success rates within the industries experiencing high demand, in the hopes that companies wouldn’t be ready to respond effectively,” concluded Hafner.
Sophisticated attacks are coming to town
Fraudsters certainly made their lists and checked them twice because over the 2020 holiday season, there was an increase in sophisticated attacks. Because of the pandemic and subsequent decrease in in-person shopping, the spike in online gift buying started around October instead of its usual end of November kickoff. It is interesting to review this activity to see how consumer behavior changes are reflective of what some might consider as the new normal.
Most cybersecurity outlets prepare for these spikes, but not all have the capacity to discover sophisticated attacks. Hafner shared a NuData-specific example with the PaymentsJournal Podcast: A sophisticated automated attack at login occurred at a retailer, where a bot was using human work in real time. This attack occurred over a period of several days, with attacks happening hundreds of thousands of times.
“What was happening on these sophisticated attacks was that the fraudsters were going in and testing scripts, so they would present an attack script and attempt to log into a targeted platform like a retailer with a long list of credentials that were bought off the dark web,” explained Hafner. “And if the login attempt failed, the script recorded whether the failure was due to an incorrect credential or a technical problem that may have triggered a detection tool, such as the login attempt taking place before the page is fully loaded.” When the login inevitably failed because of a technical problem, the scripts knew this and repeated the attempt with the same credentials.
“That’s a simple way in which an attacker can optimize the list of credentials to get accurate results.”
Additionally, fraudsters will hire human workers for a small fee to solve CAPTCHAs. They also harvest payment information.
Fortunately, out of all of the attempts made, 99.9% were mitigated by NuData’s solution in real time. And with behavior learned by AI, successful mitigation of these future attacks happens at an even higher rate.
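The retry pattern Hafner describes, a script that repeats a username after a technical block but moves on after a wrong password, can be looked for in login logs. The following Python detector is an added example, not NuData's method or code from the interview; the log format, the client fingerprint field, the outcome labels and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real data): time, client fingerprint,
# username, outcome. "blocked" = rejected by a technical control (for example
# the form was submitted before the page finished loading); "bad_password" =
# the credential itself was wrong. All field names are assumptions.
SAMPLE_LOG = """\
2020-11-02T10:00:01 fp-a1 alice blocked
2020-11-02T10:00:09 fp-a1 alice bad_password
2020-11-02T10:00:15 fp-a1 bob bad_password
2020-11-02T10:00:21 fp-a1 carol blocked
2020-11-02T10:00:30 fp-a1 carol success
2020-11-02T10:00:36 fp-a1 dave bad_password
2020-11-02T10:00:41 fp-a1 erin blocked
2020-11-02T10:00:50 fp-a1 erin bad_password
2020-11-02T10:05:00 fp-b7 frank bad_password
2020-11-02T10:05:20 fp-b7 frank bad_password
2020-11-02T10:05:45 fp-b7 frank success
"""

def parse(log):
    for line in log.splitlines():
        ts, client, user, outcome = line.split()
        yield datetime.fromisoformat(ts), client, user, outcome

def list_cleaning_clients(log, window=timedelta(minutes=2), min_users=3):
    """Flag clients that retry a username after a technical block but move on
    to a new username after a wrong password, across at least min_users names."""
    per_client = defaultdict(list)
    for event in sorted(parse(log)):
        per_client[event[1]].append(event)
    flagged = {}
    for client, events in per_client.items():
        retried = {"blocked": 0, "bad_password": 0}
        users = {e[2] for e in events}
        # Compare each attempt with the next one from the same client.
        for (t1, _, u1, o1), (t2, _, u2, _) in zip(events, events[1:]):
            if o1 in retried and u1 == u2 and t2 - t1 <= window:
                retried[o1] += 1
        if (len(users) >= min_users and retried["blocked"] >= 2
                and retried["bad_password"] == 0):
            flagged[client] = {"usernames": len(users), **retried}
    return flagged
```

A person who mistypes a password usually retries the same account, as the fp-b7 client does in the sample, which is why retries after a wrong password count against flagging.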
Sophisticated or basic: What’s the difference?
We know that there are basic and sophisticated attacks happening, but what’s the difference between the two? “Sophisticated attacks are typically lower in volume than basic attacks, but they’re much harder for common security tools to detect,” said Hafner.
They take a layered approach, and in order to execute them effectively, bad actors must have the ability to scale complex attacks. The bots are mimicking human behavior while also using some form of human interaction. A company called 2captcha.com is making ‘work horses’ easily accessible to fraudsters. This means that someone can go to this site, create an account, and solve one CAPTCHA after another while getting paid to do so. Hafner calls this a game-changer for hackers, and expects it to make hybrid scripted human attacks grow in popularity.
With regard to login attacks, many of the login attempts use incorrect credentials. However, in the first half of last year, 1.4% of login attempts were executed appropriately. In the second half of 2020, that number nearly doubled to 2.6%. “That’s a huge jump in what we were seeing from actual credentials that were legitimate credentials,” added Hafner. “And it’s probably a consequence of COVID scams and the data breaches that we have seen in 2020.”
The ability of fraudsters to generate losses is higher today than ever before. Fortunately, 48% more consumers are concerned about data privacy today compared to a year ago, so it’s clear they’re becoming more aware of how their data is being used and consequently expect a higher security level.
“So, together with an increasingly sophisticated breed of attacks, comes higher end-user sensitivity and an expectation and responsibility for companies to protect consumers. Companies can and should offer this security to them,” concluded Hafner.
A warning for 2021
According to the data from a report by NuData, it is clear that sophisticated attacks are no longer going steady with FIs; they are happening across every vertical. The traffic volume is trending toward marketplaces with high-demand products, where fraudsters can steal those goods and then sell them on an open market.
“The data that we saw is really where you would expect, where retailers are getting a lot of the sophisticated attacks, digital goods were increasing, and streaming was increasing,” said Hafner.
NuData is always mindful of how it can protect its consumers, leveraging its passive biometrics and behavioral analytics technology to protect different industries across the different user touchpoints. Figuring out a company’s biggest security gap is the first step in mitigating fraud, and a layered sophisticated approach is the best way to catch the nuances of these complex attacks before it’s too late for the company and for the end user.