The intelligent bot revolution continues. Eighty-six percent of attacks against accounts are now driven by bots that have become 3 times more complex than those seen in earlier years – making it harder for security teams to detect bot signatures.
Details have been released in the 2022 State of Fraud and Account Security (PDF) published by Arkose Labs. Figures come from an analysis of actual user sessions and attack patterns seen on the Arkose Labs Fraud and Abuse Prevention Platform in 2021. This means that the figures cannot be applied to the entire market, but relate to those companies that have a sufficient fraud problem to seek protection from Arkose.
That said, the report is a stark indication of the growing threat from intelligent bots operated at scale by cybercriminals. Statistics show that 1 in 4 new account registrations are fake; 80% of login attacks are credential stuffing; there’s a 16% increase in mobile attack traffic; and 5 in 6 industries have seen an increase in attacks.
The report also shows how responsive the attackers are to user engagement. As user engagement increases, so do attacks. The gaming industry suffered what Arkose calls ‘unprecedented’ attacks in 2020 – probably due to an increase in gaming during the pandemic-induced lockdowns. As the lockdowns eased in 2021 and the gaming industry implemented new controls, gaming attacks declined 2x faster than user engagement.
The travel industry was also seriously affected by the pandemic restrictions. But as countries began to relax border controls in 2021 and extensive travel returned, so did the attackers. While the retail and financial industries were only two times more likely to be attacked, and tech industries five times more likely, the travel industry was a colossal 12.5 times more likely to be attacked in 2021 than in 2020.
“Loyalty points and buying tickets are once again something people are looking to do, and fraudsters can resell them,” Arkose CEO and founder Kevin Gosschalk told SecurityWeek. “During the earlier stages of the pandemic, people were uninterested in buying airline tickets. Fraudsters couldn’t sell them, so they stopped bothering to defraud airlines.” Now they’re back.
Following this ‘user engagement’ principle, an area to watch in the future is the unfolding metaverse. “The beginnings of a concept known as the ‘metaverse’ means a new attack vector for bad guys,” says the report. “Early insights from our global network show scams, microtransaction abuse, and unfair play to be top threats in a metaverse world.”
The metaverse can be typified by Linden Lab’s Second Life, launched in 2003. It’s a virtual world where users can create their own surroundings – and meet other Second Lifers. It has been joined by a massive gaming industry, with different online games creating their own virtual worlds, and it will be further expanded by VR and AR. Users, especially among the young, are increasingly drawn into these virtual worlds and spend more of their lives in them. As time goes on, however, metaverse worlds will expand well beyond gaming to offer a virtual solution to many existing physical requirements.
Metaverse companies are most likely to be targeted by what Arkose describes as ‘master fraudsters’; that is, more persistent attackers who script together multiple tools, use a combination of bots and fraud farms, and are willing to invest more capital to bypass a single workflow. Already, metaverse companies have seen 80% more bot attacks and 40% more human attackers than other businesses. The potential to steal virtual currency that can be exchanged for fiat currency is enormous.
“Another growth area for the attackers is fraudulent accounts,” said Gosschalk. As more activities have moved online, online companies have been looking for ways to attract customers to their own services. One approach from cloud computing services has been to offer free services to new clients for a short period of time. “What the fraudsters do,” said Gosschalk, “is use the free period to run cryptomining software. They only ‘earn’ a tiny amount of crypto per account before the free period expires or the account gets blocked. But what they do is open millions of these accounts by automation, and then they can start getting real profit.”
The solution to the fraud problem, he said, is a strategy. “First and foremost, you need to understand what the adversary is after – you need to understand how the criminal profits from his actions and the complete path to that profit. So, while payment fraud might appear to be a primary problem, it is really a symptom of other issues. The real problem may be that customer accounts are getting compromised, and those accounts are being used to commit payment fraud. Instead of trying to solve the payment fraud, you should be trying to solve the account compromise problem.”
He suggests that it is important to understand the entire journey of the fraudsters, including both how they get in and how they get their money out. “What you must do is increase their costs all the way through that journey, and you need to do it in a risk adaptive way. You don’t want to apply friction to all your customers because that’s counterproductive. But you want to be acting against everything that may be a little unusual – and perhaps bump it to a manual review.”
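The risk-adaptive approach Gosschalk describes, as an added illustration (not Arkose’s code or data): a small triage routine over constructed login and signup events that scores per-source velocity and device signals, lets ordinary traffic pass untouched, applies a step-up challenge to the mildly unusual, and routes the strongest signals to manual review. The event fields, signal weights and tier thresholds are assumptions chosen for the example.

```python
from collections import Counter, defaultdict

# Constructed sample traffic (illustrative, not data from the Arkose report).
EVENTS = [
    {"type": "login", "ip": "203.0.113.5", "user": "alice", "ok": True, "new_device": True},
    {"type": "login", "ip": "198.51.100.9", "user": "bob", "ok": False, "new_device": True},
    {"type": "login", "ip": "198.51.100.9", "user": "carol", "ok": False, "new_device": True},
    {"type": "login", "ip": "198.51.100.9", "user": "dave", "ok": False, "new_device": True},
    {"type": "login", "ip": "198.51.100.9", "user": "erin", "ok": True, "new_device": True},
    {"type": "signup", "ip": "192.0.2.44", "user": "new01", "free_trial": True},
    {"type": "signup", "ip": "192.0.2.44", "user": "new02", "free_trial": True},
    {"type": "signup", "ip": "192.0.2.44", "user": "new03", "free_trial": True},
    {"type": "signup", "ip": "203.0.113.77", "user": "frank", "free_trial": True},
]

def ip_profiles(events):
    """Per-source velocity: distinct accounts with failed logins, and signups, per IP."""
    failed, signups = defaultdict(set), Counter()
    for e in events:
        if e["type"] == "login" and not e["ok"]:
            failed[e["ip"]].add(e["user"])
        elif e["type"] == "signup":
            signups[e["ip"]] += 1
    return {ip: len(users) for ip, users in failed.items()}, signups

def score_event(e, failed_by_ip, signups_by_ip):
    """Additive risk score (weights are assumptions) plus the reasons a reviewer needs to see."""
    if e["type"] == "login":
        spread = failed_by_ip.get(e["ip"], 0)  # one source, many accounts: stuffing shape
        signals = [(spread >= 3, 50, f"{spread} accounts failed from {e['ip']}"),
                   (e.get("new_device", False), 30, "unrecognised device")]
    else:
        n = signups_by_ip.get(e["ip"], 0)  # bulk registrations from one source
        signals = [(n >= 3, 50, f"{n} signups from {e['ip']}"),
                   (e.get("free_trial", False), 10, "free-trial signup")]
    hits = [(points, why) for fired, points, why in signals if fired]
    return sum(p for p, _ in hits), [why for _, why in hits]

def decide(score):
    """Friction tiers: normal traffic passes, the unusual gets a step-up, the worst goes to a human."""
    return "review" if score >= 60 else "challenge" if score >= 30 else "allow"

def triage(events):
    failed, signups = ip_profiles(events)
    results = []
    for e in events:
        score, reasons = score_event(e, failed, signups)
        results.append((e["user"], decide(score), reasons))
    return results
```

Because the counters are built over the whole batch, a successful login from a source that just failed against several other accounts (erin above) is still escalated, which is the "whole journey" view the article argues for.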
We cannot stop criminals, but we can reduce fraud by inflicting damage on the criminal ROI. The intention must be to make online fraud so difficult and costly that the attacker just gives up and goes elsewhere.
San Francisco, Calif.-based Arkose Labs raised $22 million in a Series B funding round led by M12, Microsoft’s venture fund, in March 2020. Two further rounds in 2021 have brought the total raised by the firm to $106.5 million.