More attacks, new fraud techniques, and other observations from the front lines
While the recent migration online due to shelter-at-home orders and public closures has heavily affected multiple industries (travel, hospitality, and restaurants, just to name a few), its impact on the financial sector has so far been limited to discussions about the economy. However, financial platforms are — as they have always been — a fierce battleground between risk teams and the most sophisticated fraudsters.
Traffic volume on financial platforms has been relatively consistent over time, although certain types of services such as loan applications have experienced increased volume…
High levels of vigilance must be maintained to ensure security and safety for businesses, their data, and their customers.
As we continue to process data during the ongoing pandemic crisis, it is already clear that as the virus continues to evolve, fraudsters are continuing to adapt. We are observing complexities that demand heightened vigilance and advanced contextual detection strategies.
Our data indicates that while people’s migration online has been relatively uniform across verticals as well as geographic regions, fraud rates across the platforms they’re increasingly relying on show a great deal of variability. …
While the rest of the world takes a break in the wake of the COVID-19 outbreak — avoiding travel, skipping shopping, passing on events, staying home from jobs, and more — bad actors are still at work. It’s almost as if nothing has changed. And yet, it has.
The figure below shows the median fraud rate across global online services over the last three months. It appears reasonably stable, hovering a bit above 0.02. At first glance, it seems like business as usual for the fraudsters.
User-generated content (UGC) plays an increasingly important role in our digital economy. However, the advancing democratization of online access — a positive in so many ways — also brings with it unique challenges. There are now vastly more “entry points” that enable fraudsters to introduce malicious content into online ecosystems—from messages, posts, and comments uploaded to websites, to names, nicknames, URLs, and social handles placed on public account profiles.
Online content abuse is, of course, nothing new. Starting from the 1990s, spam content infiltrated messaging services, search engines, and more. Across the previous decade and continuing today, vast armies of…
Fraud losses have reached staggering levels, and while there continue to be minor fluctuations year-over-year, the overall situation is dire: in 2018 alone, fraud losses hit $14.7 billion. Many different attack types contribute to these numbers, but Account Takeover (ATO) is uniquely devastating, accounting for $4 billion of those 2018 losses. In the e-commerce sector, nearly 40% of all fraud losses in 2018 were due to identity theft and synthetic identities, and this represents almost a 100% increase over the preceding year.
Account compromise comes in many forms, with one of the most common being credential stuffing. Given how often…
Account takeover (ATO) is not only one of the most dangerous forms of online fraud; it is increasingly one of the most common. The prevalence of readily accessible user data — the result of ongoing massive data breaches — makes this uniquely hard-to-spot attack type particularly appealing to fraudsters, and increasingly powerful automation capabilities are giving rise to an especially damaging breed of ATO. It’s called credential stuffing, and seemingly no organization is immune — in recent months, companies ranging from Dunkin’ Donuts and DailyMotion to OkCupid and Reddit have suffered massive credential stuffing ATO attacks.
In its simplest form…
On September 7, 2017, Equifax announced that hackers had gained unauthorized access to certain files on its system. The hackers gained access through a U.S. website application vulnerability, specifically Apache Struts CVE-2017-5638. Apache Struts is an open source MVC framework for building Java web applications. Many companies, including Equifax, had been alerted about the Apache Struts vulnerability in March 2017. The unpatched vulnerability is what allowed hackers to gain unauthorized access to the Equifax website app from mid-May through July 2017. Had the company patched the vulnerability immediately after receiving the alert, the breach would not have occurred.
A total…
Mobile marketers are in a race against fraud. Traditional cost-per-impression (CPM) and cost-per-click (CPC) advertising is unreliable since it can be easily overrun by spoofed traffic from automated software. In an effort to better define metrics that identify real and valuable users, the mobile advertising landscape has shifted to cost-per-install (CPI) and cost-per-engagement (CPE) user acquisition models. While it’s more difficult to simulate an active user, it’s not impossible, and fraudsters are always up for the challenge. …
Device fingerprinting, i.e., collecting information from a device for the purposes of identification, is one of the main techniques used by online services for mobile fraud detection. The goal is to recognize “bad” devices used by fraudsters, such that they can be identified even when other attributes (such as user names or IP addresses) change.
In the browser era, device fingerprints typically took the form of browser and OS configuration information and/or persistent HTTP cookies. However, as more and more online services shift to a “mobile-first” or “mobile-only” strategy, device fingerprinting technology has also taken on an entirely new form. The…
The mobile app landscape is extremely competitive. With more than three million apps available today in the major app stores, a new app has slim chances of standing out and making it to the top of the charts. Install ad campaigns are increasingly popular (if not necessary) for app marketers.
But install fraud is an increasing problem. In 2015, mobile app-install ad spending reached $3 billion, making up 10 percent of all mobile ad spending and increasing at 80 percent per year. In the U.S., …
Ting-Fang Yen is Director of Research at DataVisor, a startup providing big data security analytics for online services and financial institutions.