In 2021, account security was one of the biggest challenges for businesses as attackers launched credential stuffing attacks, account takeovers, new account fraud, automated scraping, phishing, and a host of other attacks. In 2022, fraud attacks will only become more sophisticated and frequent. Technology that is helping people interact in the new metaverse is also an enabler for attackers to launch strategic attacks at scale. As a result, the current threat landscape leaves digital businesses to deal with newer, more complex, and sophisticated attack types.
Money, the Primary Motivation of a Fraud Attack
I recently sat down with Rinki Sethi, a now-former VP and CISO at Twitter, for a fireside chat to discuss the security outlook for 2022. We had an interesting conversation around the monetization attack techniques from the past several years, the key ways that fraud defense strategies have evolved, and the top industry trends affecting digital businesses.
Although early cyberattacks, dating a couple of decades back, were not that sophisticated, the primary motivation was the same as today – to make money. Back then there was no cloud so the attackers had to build their own infrastructure. Attackers would use social engineering to execute fraud – especially tax fraud to redirect people’s money to themselves. A foiled attack was a sunk cost and the attacker would have to start all over again. Over the years, however, they have become more sophisticated in leveraging technology to monetize compromised consumer accounts in several ways.
Depending on the monetization potential, attackers choose industries and specific ways to attack them. For instance, they create hundreds of fake accounts on platforms that offer free compute to new customers and use them for crypto mining. A growing trend to watch out for is crypto attack schemes, which promise high returns on investment. Bad actors are engaging in crypto-jacking, crypto mining, and compromising celebrity accounts to ask for cryptocurrencies on their behalf – and doing it at a massive scale.
Attacks on critical infrastructure that can bring down multiple companies simultaneously have now become easier. Over the last few years, critical infrastructure has become a lucrative target for attackers with diverse motivations – activism, organized crime, nation-states, and so forth. However, profit-motivated attackers follow the money. In persistent attacks – which often involve a lot more people – attackers lie low for some time and gain a foothold. They remain quiet for months on end, only to act up again later. These persistent attackers do not mind spending time and resources to execute such low-and-slow attacks. This is because aged accounts can fetch greater monetary benefits, as they are perceived as more credible for having cleared fraud checks.
Cloud Provides Attackers with Unlimited Opportunities to Attack
The cloud infrastructure is a big advantage for attackers today, as it has expanded the attack surface manifold. It has opened up a vast horizon of diverse attacks – from automated to human click-farm driven – enabling attackers to launch numerous attacks. Today they have easy access to commoditized tools, which makes it easier than ever before to spin up anything and everything in a fraction of the time it took them earlier.
Attackers often target businesses that have poor defenses. They also spend time understanding the defense mechanisms businesses deploy to create ways to circumvent them. Unlike businesses, they are continuously sharing ‘expertise’ and information, which makes businesses vulnerable to multiple attackers. Fraud is now a business and attackers are entrepreneurs, working 24/7 with support services available at scale. Attackers generally time their attacks for weekends or public holidays when support from fraud teams is lean.
Today attackers leverage the latest technologies and have acquired more capabilities. The whack-a-mole strategy is no longer applicable, as IPs that were once expensive are now easily and cheaply available. Attackers can choose from multiple plans from proxy providers and leverage bots and botnets to overwhelm businesses with millions of requests. This makes it easier for them to scale up the attacks and increase the ROI.
Security in 2022 is Now a Boardroom Agenda
Businesses understand the threats they are vulnerable to and are increasingly investing in creating robust defenses. Security is now a boardroom agenda. Businesses are also putting in efforts to protect against reverse engineering and are creating platforms that are built with security in mind. For example, multi-factor authentication (MFA) is a good solution that forces attackers to pivot to using OTP through SMS. However, it is a costly proposition and increases security costs significantly. To counter diverse regional attacks, businesses can create strategies based on the evaluation of critical risks and center them around their consumers.
Most often security is not the core functional area of a business and gets traded off in favor of business decisions. Furthermore, security, identity, and fraud teams are largely working in silos, which doesn’t help the business. For a robust cybersecurity posture, these teams must work together and share information.
Work with a Security Vendor with High Integrity
It can be hard to keep up with so many innovations in security technology – password-less security, biometric authentication, and so on. Businesses can choose to work with external vendors to meet their security requirements. However, it is important to work with security vendors that have high integrity – who back their claims with data and do what they say. They should be able to understand customers’ pain areas, and if they do not have the required capabilities, they should share the truth upfront. Rinki specifically advises that instead of relying solely on the available marketing material, businesses must also look for customer recommendations and evaluate the product on specified metrics for measurable results.
Today, great security solutions exist that have been built with the mindset of a criminal and can help businesses evolve and adapt to the fast-changing fraud landscape. These security solutions leverage the latest in technology to fight attackers while ensuring minimal disruption to good user throughput. Fraudsters are increasingly impersonating good users. Therefore, classifying incoming traffic into good users and bad actors is key, where device intelligence and behavioral biometrics can prove helpful. Also, businesses must focus on increasing the cost of an attack to such an extent that the attackers give up.
You can watch the webinar '2022 Security Outlook with Twitter CISO Rinki Sethi' on-demand here.
Arkose Labs is a globally trusted security provider and we back our solution up with an SLA guarantee and an industry-first credential stuffing warranty. You can book a demo to learn more about this ground-breaking technology.