Surge in Credential Stuffing Attacks and Europe as a Fraud Epicenter

4 min Read
Q4 2020 Fraud Report

1.3 Billion Attacks Were Detected in Q3 of 2020, with 770 Million Representing Credential Stuffing and 49% Originating from Europe

SAN FRANCISCO, Nov. 12, 2020 (GLOBE NEWSWIRE) — Arkose Labs, provider of online fraud and abuse prevention technology, today released new data-driven analysis of 2020 fraud trends that shows a rise in consumer digital traffic has corresponded with a rise in fraud attacks. As the year progresses and more people than ever are online, historically ‘normal’ online behavioral patterns are no longer applicable and holiday levels of digital traffic continue to occur on a near-daily basis. Fraudsters are exploiting old fraud modeling frameworks that fail to take today’s realities into account, attempting to blend in with trusted traffic and carry out attacks undetected.

“As the world becomes increasingly digital as a result of COVID-19, fraudsters are deploying an alarming volume of attacks, and continually devising new and more sophisticated ways of carrying out their attacks,” said Vanita Pandey, VP of Marketing and Strategy at Arkose Labs. “The high fraud levels that accompany high traffic volumes are likely here to stay, even after the pandemic ends. It’s crucial that businesses are aware of the top attack trends so that they can be more vigilant than ever to successfully identify and stop fraud over the long-term.”

Bot Attacks and Credential Stuffing Skyrocket
In Q3 of 2020, the Arkose Labs network saw its highest ever levels of bot attacks. 1.3 billion attacks were detected in total, with 64% occurring on logins and 85% emanating from desktop computers. Due to the widespread availability of usernames, email addresses, and passwords from years of data breaches, as well as easy access to automated tools to carry out attacks at scale, credential stuffing emerged as the main driver of attack traffic. 770 million automated credential stuffing attacks were detected and stopped by Arkose Labs in Q3.

For Ecommerce, Every Day is Black Friday
The rise in digital traffic for most of 2020 means businesses have been dealing with holiday season levels of traffic since March. With every day now resembling Black Friday, some retailers are better equipped to handle the onslaught of holiday season traffic and fraud. However, it remains to be seen if a holiday sales bump will occur this year, given already record-high traffic levels for many ecommerce businesses.

While much of 2019 saw a marked shift from automated attacks to human sweatshop-driven attacks, automated attacks dominated much of 2020, with Q3 seeing a particularly high spike. This trend is likely to revert back to more targeted attacks in Q4, as during the holiday shopping season fraudsters typically employ low-cost attackers to commit attacks that require human nuance and intelligence.

Europe Emerges as the Top Attacking Region
Nearly half of all attacks in Q3 of 2020 originated from Europe, with over 10 million sweatshop attacks coming from Russia and 7 million coming from the United Kingdom. Many European countries, such as the United Kingdom, France, Italy and Germany, are among those whose GDP shrunk the most since the global pandemic began. A surge in attacks from nations suffering the biggest dips in economic output highlights the economic drivers that spur fraud.

Pandey said, “COVID-19 has sent the world into turmoil, upending digital traffic patterns and introducing long-lasting consequences. Habits formed during 2020 — namely conducting commerce, school, work and even socializing entirely online — will be difficult to let go of, so fraud teams must be capable of quickly cutting through digital traffic noise and spotting even the most subtle signs of attacks. In particular, using targeted friction to deter malicious activity will be key in the months and years ahead.”

The Q4 Arkose Labs Fraud and Abuse Report is based on actual user sessions and attack patterns that were analyzed by the Arkose Labs Fraud and Abuse Prevention Platform from July to September 2020. These sessions, spanning account registrations, logins, and payments from financial services, ecommerce, travel, social media, gaming, and entertainment were analyzed in real-time to provide insights into the evolving fraud and risk landscape. Unsophisticated bot attacks don’t result in a user session and thus have not been included in this report. The report focuses on attacks from fraud outlets that combine state-of-the-art technology with stolen identity credentials and human efforts.

To access the full Q4 2020 Fraud and Abuse Report, please click here.

Read the original press release here.

Media Contacts:
Paul Wilke
[email protected]
+1-415-881-7995

Share Now