The ever-increasing digitization of commerce has opened up new attack vectors, providing fraudsters with the opportunity to diversify their attacks across multiple touchpoints and devices. This also means attacks are increasingly getting intertwined as fraudsters look to maximize their ROI
Fraudsters deploy a mix of tactics to target the account entry points across devices – whether it is through account takeover or fake new account registrations. An interesting trend emerging from the analysis of traffic on Arkose Labs network is that attacks against logins and registrations are not always independent. During the initial months of 2021, the Arkose Lab team uncovered attacks on the registration flow that were followed immediately by an attack on the logins. This points to the modus operandi which is simple and obvious – a declined registration is an indication that an account already exists, leading the attacker to switch over to an account compromise attack, instead.
While more than a third of the attacks detected on the Arkose Labs Network during the first six months of the year were fake new account registrations, fraudsters attempted account takeover attacks equally strongly with 37% of attacks targeting the user login point.
Let us look at some of the attack trends that dominated the first half of 2021:
New Account Fraud:
Fraudsters create multiple fraudulent accounts to use them for a wide range of in-platform abuse, such as spam, phishing, and information scraping. New account fraud rose 70% in the first half of 2021 as compared to the end of 2020. At its peak, a single-week spike in new account fraud reached the 43 million mark.
As businesses look to acquire more customers, they are making the onboarding process easier for new customers, as well as offering various schemes such as joining bonuses, free server time, virtual currency, loyalty points, and so on. These incentives are also attracting fraudsters, who abuse the registration process through the use of synthetic or stolen credentials to monetize bonuses and infiltrate platforms. This can lead to a wide spectrum of fraud types such as spam, phishing, and carding that are not only harder to detect but are also more expensive to block and can significantly damage the brand reputation of the business in the process.
Credential stuffing continues to be the prevalent attack tactic that digital businesses must be wary of. Low barriers to entry, easily available commoditized tools, and large swaths of stolen customer data are making it all too easy for attackers to effect credential stuffing attacks. All they need is a database of stolen credentials that can be added to an automated tool; and in no time validated username-password combinations are obtained. This allows fraudsters to continually profit from these high-volume credential stuffing attacks.
In the first half of 2021, about 29% of all attacks and 36% of automated attacks on the Arkose Labs Network were credential stuffing attacks. The Arkose Labs network detected and stopped 285 million credential stuffing attacks, with spikes of upwards of 80 million in a single week.
Logins have traditionally stood out as the most attacked customer touchpoint across the Arkose Labs network. Credential stuffing is the first step in account takeover attacks, as it provides fraudsters with lists of validated username-password combinations that can then be used to take over real user accounts and monetize them in several ways. These include draining compromised accounts of funds, stealing and reselling personal data, selling lists of known verified username and password combinations, and using the compromised accounts to launder money gained from other illegal enterprises.
During 2021, there has been a sharper increase in mobile attack rate when compared with that at the end of 2020. In the first half of 2021, the mobile attack rate was 24% as digital traffic originating from mobile devices was 50% of all digital traffic, up from 35% in the second half of 2020.
As mobile continues to become the preferred channel for consumers to interact with their favorite platforms, fraudsters are fast adapting to this trend in order to blend in with the “normal” consumer behaviors. This is especially true for industries such as gaming, retail, and travel, where people are increasingly using mobiles for digital interactions.
With device spoofing tools within easy reach, mobile attacks no longer need deep technical skills. Attackers are leveraging mobile across a multitude of touchpoints – there was a massive spike witnessed on the Arkose Labs networks across touchpoints including logins, in-platform abuse, and transactions. Mobile attacks rose 75% in logins, 183% in payments, and 600% in abuse.
Human-Driven Attacks vs Bots:
During the first half of the year, there was a 6-fold increase in the human-driven attack rate vs bot attacks when compared with the figures seen at the end of 2020. This is again an indicator of the growing trend of fraudsters leaning towards hybrid and human-assisted attacks at scale. While, earlier, human-driven attacks were low, they are now becoming a rising concern for businesses across industries – especially gaming and technology platforms. The geographical areas worst affected by human-driven attacks are Europe, North America, and Asia.
This is not to suggest that bots have taken a backseat. On the contrary, bots are becoming increasingly advanced and can mimic humans far more accurately in terms of key presses, mouse movements, and clicks. And, since they are easily and cheaply available, they can be deployed at a massive scale and to evade detection. Fraudsters are using bot-driven attacks to scrape information and hoard inventories, especially on travel websites, with 95% of the attacks being automated scraping attacks, which enables them to steal inventory availability or pricing detail that can be sold off to competitors.
Businesses are, therefore, finding it harder than ever to detect these evolved bots, and need robust protection in place to be able to accurately differentiate between human-like bots and real users.
Protecting Multiple Touchpoints from Fraud Attacks
As the interaction between consumers and businesses continues to spread across numerous digital touchpoints, fraudsters have found innumerable opportunities to exploit this expanded attack surface. They have easy access to tools and tricks as well as stolen data in plenty. Furthermore, an increase in smart, internet-connected devices are supplementing the opportunities to attack even more. Digital businesses are therefore under tremendous stress to balance fraud prevention with user experience, as trading one-off for the other can lead to loss of revenue.
Digital accounts are now at the center stage of all consumer activity and therefore, businesses are obliged to maintain the integrity of these accounts, while ensuring a great customer experience. Businesses need solutions that can prepare them to deter fraud instead of cleaning up after the mess has been left behind by fraudsters. Unfortunately, legacy and point fraud defense solutions are no match to today’s evolved attack techniques. Businesses need a fresh, proactive approach to fight a digitally savvy opponent, without disrupting user experience for genuine users.
Arkose Labs’ zero tolerance to fraud approach means use of targeted friction to shutter down the gates for fraudsters. Using real-time risk assessment, all users are afforded a chance to prove their authenticity by way of 3D interactive puzzles. Good users find it fun and clear these challenges without a fuss, but bots and automated scripts fail. Malicious human attackers are presented with adaptive step-up challenges that keep increasing in volume and complexity to ultimately bankrupt the business model of fraud and render the attack financially non-viable.
Arkose Labs is organizing its second Bankrupting Fraud Summit on November 9-10, 2021, where participants can learn how to protect their businesses from diverse attacks across multiple touchpoints. Book your seat now.