Sweatshops are Powering the Rise of Human-Driven Fraud

August 19, 2020 | 4 min Read

Human-driven fraud is on the rise as attackers 'hire' sweatshop-like groups of human workers to carry out malicious activity on their behalf and help them launch attacks at scale. Cybercriminals employ human sweatshops for attacks that need more nuanced human behavior, which also makes these attacks difficult to detect and stop.

Digital attackers are in the business of cybercrime for financial gain. They orchestrate strategic attacks with carefully calculated measures to maximize the exploits in the least possible time. This includes maneuvering resources to scale attacks. Automation is a cost-effective method that enables bad actors to achieve scale quickly. However, when bots are stopped in their tracks, attackers shift to human-driven fraud, where human sweatshops enable attacks at scale.

Cybercriminals hire sweatshops to launch attacks at scale

Although some advanced bots can mimic humans closely and appear legitimate, they fail when a higher level of human interaction is required. In situations that demand more nuanced human interaction, attackers 'employ' human sweatshops. Human sweatshops are large groups of low-wage workers who launch attacks at scale. Monetary income and consistent activity are the incentives that pull human sweatshops to engage in human-driven fraud.

Attackers often find cheap, sweatshop-like human labor in countries including the Philippines, Venezuela, Vietnam, and Thailand. Hourly wages in these regions are low, so it makes economic sense for cyberthieves to have humans from these regions drive attacks manually.

Human-driven fraud continues to soar

Human sweatshops are usually hired to steal credentials and click on links, as well as for account takeover, new account registration, and disseminating spam. Attackers give these human laborers a target: they must complete an assigned number of attacks in a given duration. This is how malicious actors ensure that an attack achieves scale.

Human-driven fraud is on a steady rise, although automated attacks still constitute the bulk of all attacks. Our Q3 2020 Fraud and Abuse Report reveals that attacks in Q2 2020 were more human-driven and registered the largest proportion of human fraud over the last four quarters at 41%. Human-driven fraud particularly stung technology platforms (57%), retail (20%), and online gaming (41%) in Q2 2020. This only means bad actors are augmenting their attacks by outsourcing nefarious activity to human sweatshops.

Look beyond mitigation and pure data-driven solutions

Detecting human-driven fraud is tricky. Numerous and frequent data breaches have provided attackers with verified consumer details, which have been used to corrupt digital identities at scale. Cybercriminals share these details with human sweatshops to impersonate genuine customers. Combine this with the fluctuating digital behavior of genuine customers, and the result is a medley of signals that give no clear indication of 'trust' or 'mistrust'. In fact, human sweatshop laborers may give out 'trust' signals to fool purely data-driven detection solutions into allowing them access to the business network.

What, then, is the best way to stop human sweatshops from causing havoc on businesses? It is clear that pure data-driven solutions and point solutions cannot effectively stop human-driven fraud. These motivated laborers do not give up until they can circumvent these attack-prevention mechanisms. There are established sweatshops that can be tied back to certain organizations. However, this is not always the case, as there are unknown sweatshops at work too. In such a situation, a fresh approach to tackling human-driven fraud is needed: one that increases the effort an attack requires and dilutes its returns.

Stop human-driven fraud AND maintain user experience

At Arkose Labs, we use context-based 3D puzzles to block human sweatshops. The Arkose Bot Manager platform assesses and assigns a risk score to every user. It uses device and browser intelligence, canvas fingerprint, completion time, solve rate, and a host of other parameters to distinguish between a true user and a malicious human sweatshop.

This intelligence informs Arkose MatchKey, the challenge-response mechanism, to step up the complexity of the 3D puzzles for malicious humans. Whether it is by defining the number of rotations allowed or the number of attempts to solve a challenge, the challenges are progressively made harder to solve. This increases the time and resources needed to clear these Arkose MatchKey challenges at scale. When the investment mounts relative to the returns from the attack, the financial viability of the attack is ruined and the business of fraud bankrupted. This forces attackers to give up and move on.
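The economics of stepping up friction by risk can be modelled in a few lines. This is an added example, not Arkose Labs' code or scoring: the `Session` fields, signal weights, thresholds, round counts, wage and payoff figures are all constructed assumptions chosen to illustrate the argument.

```python
import math
from dataclasses import dataclass

@dataclass
class Session:
    device_id: str        # device/browser fingerprint (hypothetical field)
    solve_seconds: float  # completion time of the last challenge
    solved: int           # challenges solved so far
    attempts: int         # challenges attempted so far

def risk_score(s: Session, sessions_per_device: dict) -> float:
    """Toy score in [0, 1]; weights and cut-offs are assumptions."""
    # One fingerprint behind many sessions: a worker cycling through accounts.
    score = 0.5 * min(sessions_per_device.get(s.device_id, 0) / 20, 1.0)
    # Assumed: practised solvers finish far faster than first-time users.
    if s.solve_seconds < 4:
        score += 0.3
    # Assumed: a near-perfect solve rate over many attempts is atypical.
    if s.attempts >= 10 and s.solved / s.attempts > 0.95:
        score += 0.2
    return score

def challenge_rounds(score: float) -> int:
    """Step up the number of puzzle rounds as risk grows (constructed tiers)."""
    if score < 0.3:
        return 1
    return 3 if score < 0.6 else 8

def attacker_margin(rounds, secs_per_round, hourly_wage, payoff):
    """Payoff per completed attack minus the labour cost of solving."""
    return payoff - rounds * secs_per_round / 3600 * hourly_wage

def break_even_rounds(secs_per_round, hourly_wage, payoff):
    """Smallest number of rounds at which the attack stops paying."""
    return math.ceil(payoff / (secs_per_round / 3600 * hourly_wage))

if __name__ == "__main__":
    seen = {"dev-A": 40, "dev-B": 1}            # constructed sample data
    for s in (Session("dev-A", 3.0, 49, 50), Session("dev-B", 9.0, 1, 1)):
        r = challenge_rounds(risk_score(s, seen))
        m = attacker_margin(r, 15, 2.0, 0.01)   # constructed wage and payoff
        print(s.device_id, "rounds:", r, "margin per attack: %.4f" % m)
```

With these constructed figures the low-risk session sees a single round, while the high-risk session is pushed past the break-even point and each attack costs more in labour than it returns.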

Arkose MatchKey Challenges

Arkose Labs' integrated, long-term approach is helping global businesses use targeted friction to effectively fight the menace of human-driven fraud while keeping user experience at the forefront.