September 20, 2018
The Ecommerce Fraud Battleground: Understanding the Dirty Tactics of Identity Theft, Device Spoofing, Malware Attacks and Social Engineering
Posted August 10, 2016
We may feel like it’s a battle but actually ecommerce fraud is an all-out war as cyber criminals wage their relentless attacks on retailers and consumers alike. It’s fertile ground for a cyber crime attack: for most retailers and service providers, the big growth opportunity is coming from digital/online channels as more and more consumers use connected devices to make purchases, stream content or browse for good and services.
Attacks continue their relentless growth
As the size and scale of online transactions grow, so attacks targeting online retailers follow suit. We’re now detecting around 5 million attacks per day globally. Retailers are losing billions. Yet when analyzing fraud, you can’t just look at the short-term battle fallout, but more at the long-term impact of the war and how fraud affects customer behavior. Fraud attacks can end up severely reducing customer interactions with a brand, impacting lifetime value, revenue and growth, not to mention the impact on business reputation and referral rates.
The challenge for online businesses is that ecommerce fraud is an exponentially growing issue, particularly as fraudsters try to exploit new and emerging online payment platforms, and capitalize on the flood of stolen usernames and passwords available for sale of the dark web (following omnipresent high-profile data breaches).
Our network analyzes nearly 2 billion transactions a month from thousands of global online businesses and in the second quarter of 2016, we detected and stopped 69 million attacks on e-commerce transactions – a 90% increase on the previous year.
New account fraud is the front line
Interestingly, new account creations, and account logins are targeted far more than direct payments in the ecommerce space because fraudsters see the creation or takeover of a legitimate account a better long-term prospect than a single payment transaction. Gaining access to a legitimate account gives the fraudster access to sensitive credentials as well as a saved credit card in many instances. If they are clever, they can use this multiple times before being detected.
In addition, we detected a huge 400 million automated bot attacks on global ecommerce merchants in Q2 2016. This is where a fraudster controls an army of zombie computers to perpetrate large-scale, automated attacks, which often take the form of mass identity testing sessions. Fraudsters buy up a list of stolen credentials, and then run an automated attack to see which are valid.
The complex evolution of attacks in a globally connected world
Cyber crime is now a global and organized operation with strong knowledge sharing that supports new and developing attack vectors. This means that fraud attacks are evolving from being isolated instances of fraud on a single consumer to complex, highly organized, global attacks on huge numbers of user accounts, often in a mass automated attack.
We’ve seen an expansion of fraud attacks from traditional card-not-present (CNP) chargebacks to newer account takeover attacks that have exploded because users often use the same email address and shared password across multiple accounts. Stored credit card information simplifies user interactions, especially on connected devices, but represents an easy target for criminals to turn stolen credentials into cash. It is much more lucrative to use a trusted credit card from a valid customer account than it to attempt to re-use a stolen card that has a limited shelf life.
However, fraudsters also have access to stolen payment credentials and we are witnessing a massive increase in credential testing wherein fraudsters test these credentials through a low value transaction at unsuspecting sites like charity organizations or virtual gaming platforms.
The rise in bot attacks is particularly worrying. Where these used to be straightforward high volume attacks that might traditionally have been caught by a web application firewall (WAF), fraudsters are now evolving their attacks to follow a low-and-slow attack pattern, designed to mimic legitimate customer traffic. This makes them much harder to detect unless you can delve deeper into the context of each individual transaction attempt to detect unusual anomalies relating to devices, locations or trusted user behavior.
Social engineering attacks are also extremely popular as fraudsters try to find chinks in the armor of fraud defenses, and these chinks usually come in the form of human behavior. Despite knowing many of the tricks a fraudster can use to dupe us into divulging personal details, attacks have become ‘smarter’. So clever in fact that they are almost pitch perfect, and to the average consumer, are near impossible to detect.
And while loan wolves are inevitably part of this fraud battleground, it is the global, highly organized and well-funded cyber crime networks that are having a greater impact on the evolution of ecommerce fraud. For this reason, it is imperative that businesses adopt a holistic, layered approach to tackling fraud, and also have some way of tracking global threat intelligence so that criminal gangs are tracked and detected.