Account Takeover / New Account Origination

Arkose Labs’ Latest Research Report Highlights the Top Attack Patterns & Industry Trends of Q1 2022

May 18, 20225 min Read

Q2 State of Fraud & Account Security

Arkose Labs’ latest research report “Q2 2022 State of Fraud and Account Security” reveals a growing threat to consumers’ digital accounts. Modern digital businesses must keep pace with the top attack trends as identified in the report. They must also use smarter fraud prevention solutions that can help them protect consumers’ account security, long-term.

In the digital-first world, our online activities – work, social media, gaming, dating, for example – have begun defining our digital personas and how others perceive us. Increasing consumer reliance on digital channels has expanded the attack surface and opened up new attack vectors.

Attackers are capitalizing on these opportunities to exploit consumers and cause losses to businesses. They attempt account takeover attacks to hack into genuine consumer accounts and create fake new accounts for high monetization potential, downstream. These attacks damage consumer trust and leave businesses to remediate the losses, once the damage is done.

Attackers maneuver resources according to the target industry

Some industries, such as social media platforms are prime targets for human-driven attacks. On the other hand, for travel companies, there was at least one bot session for every good user session. 

Let us take a closer look at how various industries were attacked in Q1 2022.

  • Social media and dating: Social media platforms are a hotbed for human-led attacks. In Q1 2022, human attacks increased five-fold over Q4 2021. For every three sessions on social media and dating platforms, one was an attack.
  • Travel: Compared to Q4 2021, volumetric attacks drove 2.5 times more attacks in Q1 2022. Attackers were after inventory information; as a result, automated web scraping was the top most attack vector in the travel industry.
  • Gaming: Another industry under attack from human attackers in Q1 2022 was gaming – with nearly 300% more fraud in Q1 2022, driven largely by bot attacks. New fake account registration spiked 86% from Q4 2021. Gaming platforms are no stranger to attacks that shift between bots and human fraud farms, with one in every five attacks being human-driven. 
  • Fintech: Given the monetization potential associated with financial accounts, 75% of the attacks in this industry segment were account takeover attempts. As many as 97% of these attacks were automated.
  • Retail: Another industry where account takeover attacks were rampant was retail. Of all the attacks during Q1 2022 on online retail companies, 80% were ATO attempts. The industry also saw 65% increase in new fake account registrations over Q4 2021, primarily for coupon abuse. Overall, there were 30% more attacks in the first quarter of 2022 than the two years prior.
  • Technology platforms: Attackers targeted tech platforms with new account fraud. The motive of creating fake accounts in hordes was to monetize promos and free trials. Bot attacks increased with a 25% rise over the last quarter.

As for the metaverse companies, attackers are going all guns blazing after them. Using click-farms to appear legitimate, attackers are abusing the communication channels of metaverse companies. The attacks on metaverse pioneers rose 40% over Q4 2021. Our research indicates that microtransaction abuse and unfair play are major threats metaverse companies must watch out for.

Attackers use bots, click-farms, and both to maximize exploits

Bot attacks – one of biggest threats digital businesses face today – rose consistently during Q1 2022. During this quarter, bot-driven attacks were 40% higher than the Q1 average over the last three years. These bot-driven attacks were primarily used for large-scale scraping and low-and-slow ATO attempts.

Intelligent bots – that have advanced human-like capabilities and are better trained for nuanced interactions with fraud defense mechanisms – are making bot detection increasingly harder. These intelligent bots leave complex signatures that need three times the data to collect, analyze, and correlate for a single signature. This extra effort puts additional burden on fraud and security teams.

Attackers extensively use automation to launch volumetric and complex attacks – 93% of all attacks in Q1 2022 were bot-driven. However, they are quick to adapt and use a mix of bots, human click farms, or both, to maximize the exploits with hybrid cyborg attacks. Attackers mobilize their resources, which was abundantly visible in the attacks across industries. While bots enable attackers to overwhelm workflows, they use human click farms for low-and-slow attacks. For instance, attackers used human click farms in 90% attacks on communication channels in gaming, dating, and tech. Click farms are also the attackers’ first choice for in-game abuse, spam and scams, and account takeovers. Persistent attackers usually deploy a mix of both – starting with bots and switching over to click farms when bots get deterred.

It is important to note that attackers have easy access to commoditized resources needed to launch sophisticated attacks. The cybercrime ecosystem – that fuels and profits from these criminal activities – has reduced the barriers to entry even for the rookie attackers. It makes criminal toolkits, 24x7 support, and ‘fraud-as-a-service’ available to the attackers to help them launch sophisticated attacks at scale, and in no time.

Our research shows that in the first quarter of 2022, automated account takeover attacks were 30% higher than the average in the last three years. Further, 4% of all logins were attempted credential stuffing attacks. One in every four new accounts was fake and automated scraping attacks spiked 250% quarter-on-quarter. These statistics indicate the growing threat to consumers’ digital accounts. They also underscore the critical need to enhance consumers’ account security right at the account level.

It is therefore, in the interest of modern digital businesses to keep pace with the current technologies and use smarter fraud prevention solutions that can adapt to the evolving attack tactics for long-term protection.

To learn more about the top attack trends of Q1 2022 and effective ways to counter them, please view the ‘Q2 2022 State of Fraud and Account Security Report’.