More attacks, new fraud techniques, and other observations from the front lines

While the recent migration online due to shelter-at-home orders and public closures has heavily affected multiple industries (travel, hospitality, and restaurants, just to name a few), its impact on the financial sector has so far been limited to discussions about the economy. However, financial platforms are — as they have always been — a fierce battleground between risk teams and the most sophisticated fraudsters.

Traffic volume on financial platforms has been relatively consistent over time, although certain types of services such as loan applications have experienced increased volume…

High levels of vigilance must be maintained to ensure security and safety for businesses, their data, and their customers.

As we continue to process data during the ongoing pandemic crisis, it is already clear that as the virus continues to evolve, fraudsters are continuing to adapt. We are observing complexities that demand heightened vigilance and advanced contextual detection strategies.

Our data indicates that while people’s migration online has been relatively uniform across verticals as well as geographic regions, fraud rates across the platforms they’re increasingly relying on show a great deal of variability. …

People are staying home, and the economy is slowing, but that isn’t stopping the fraudsters. They’re just adapting.

COVID-19 is changing fraudster behavior.

While the rest of the world takes a break in the wake of the COVID-19 outbreak — avoiding travel, skipping shopping, passing on events, staying home from jobs, and more — bad actors are still at work. It’s almost as if nothing has changed. And yet, it has.

The figure below shows the median fraud rate across global online services over the last three months. It appears reasonably stable, hovering a bit above 0.02. At first glance, it seems like business as usual for the fraudsters.

As fraudsters modernize their tactics for spreading toxic content, we must also leverage advanced technology — not just to keep up with sophisticated attacks, but also to be a step ahead.

User-generated content (UGC) plays an increasingly important role in our digital economy. However, the advancing democratization of online access — a positive in so many ways — also brings with it unique challenges. There are now vastly more “entry points” that enable fraudsters to introduce malicious content into online ecosystems—from messages, posts, and comments uploaded to websites, to names, nicknames, URLs, and social handles placed on public account profiles.

The Modernization of Content Abuse

Online content abuse is, of course, nothing new. Starting from the 1990s, spam content infiltrated messaging services, search engines, and more. Across the previous decade and continuing today, vast armies of…

To prevent downstream damage, account takeover must be dealt with proactively, at the account level.

Fraud losses have reached staggering levels, and while there continue to be minor fluctuations year-over-year, the overall situation is dire: in 2018 alone, fraud losses hit $14.7 billion. Many different attack types contribute to these numbers, but Account Takeover (ATO) is uniquely devastating, accounting for $4 billion of those 2018 losses. In the e-commerce sector, nearly 40% of all fraud losses in 2018 were due to identity theft and synthetic identities, and this represents almost a 100% increase over the preceding year.

Credential Stuffing

Account compromise comes in many forms, with one of the most common being credential stuffing. Given how often…

How to prevent coordinated, automated, big data-scale ATO

Account takeover (ATO) is not only one of the most dangerous forms of online fraud; it is increasingly one of the most common. The prevalence of readily accessible user data — the result of ongoing massive data breaches — makes this uniquely hard-to-spot attack type particularly appealing to fraudsters, and increasingly powerful automation capabilities are giving rise to an especially damaging breed of ATO. It’s called credential stuffing, and seemingly no organization is immune — in recent months, companies ranging from Dunkin’ Donuts and DailyMotion to OkCupid and Reddit have suffered massive credential stuffing ATO attacks.

Big data-scale ATO

In its simplest form…

On September 7, 2017, Equifax announced that hackers had gained unauthorized access to certain files on its system. The hackers gained access through a U.S. website application vulnerability, specifically Apache Struts CVE-2017-5638. Apache Struts is an open-source MVC framework for building Java web applications. Many companies, including Equifax, had been alerted about the Apache Struts vulnerability in March 2017. The unpatched vulnerability is what allowed hackers to gain unauthorized access to the Equifax website app from mid-May through July 2017. Had the company patched the vulnerability immediately after receiving the alert, the breach would not have occurred.

A total…

Most ad campaigns include a significant percentage of fraudulent inventory — up to 90 percent fraud on any given campaign.

Mobile marketers are in a race against fraud. Traditional cost-per-impression (CPM) and cost-per-click (CPC) advertising is unreliable since it can be easily overrun by spoofed traffic from automated software. In an effort to better define metrics that identify real and valuable users, the mobile advertising landscape has shifted to cost-per-install (CPI) and cost-per-engagement (CPE) user acquisition models. While it’s more difficult to simulate an active user, it’s not impossible, and fraudsters are always up for the challenge. …

Device fingerprinting, i.e., collecting information from a device for the purposes of identification, is one of the main techniques used by online services for mobile fraud detection. The goal is to recognize “bad” devices used by fraudsters, such that they can be identified even when other attributes (such as user names or IP addresses) change.

In the browser era, device fingerprints typically took the form of browser and OS configuration information and/or persistent HTTP cookies. However, as more and more online services shift to a “mobile-first” or “mobile-only” strategy, device fingerprinting technology also took on an entirely new form. The…

With so much money to be made (and stolen) in the ad industry, fraudsters are going to continue to find ways to get paid.

The mobile app landscape is extremely competitive. With more than three million apps available today in the major app stores, a new app has slim chances of standing out and making it to the top of the charts. Install ad campaigns are increasingly popular (if not necessary) for app marketers.

But install fraud is an increasing problem. In 2015, mobile app-install ad spending reached $3 billion, making up 10 percent of all mobile ad spending and increasing at 80 percent per year. In the U.S., …

Ting-Fang Yen

Ting-Fang Yen is Director of Research at DataVisor, a startup providing big data security analytics for online services and financial institutions.
