Security Experts:

Head to the Cloud for a Head's Up on Fraud

When it Comes to Finding Fraudsters, You Must Keep Your Head Above the Clouds. 

Modern online fraud attacks are enormous in scale. They are orchestrated by organized crime rings who control large “armies” of fake user accounts to do their bidding. These coordinated malicious user accounts, either created new or obtained via user hijacking, actively target the various features of modern online services for some type of real-world financial gain. This type of attack can include everything from fake reviews to boost business reputation, promotional credits abused to gain an unfair advantage within games, and stolen credit cards used in fraudulent online transactions. Such attacks can cause millions of dollars of loss to the service, in addition to severely degrading brand name reputation and platform integrity.

Cloud ComputingWith the commoditization of cloud computing in recent years, fraudsters and cybercriminals alike have started to take advantage of public cloud services and dedicated/virtual hosting to conduct attacks. Just like how the cloud helps businesses expand their operation without the maintenance overhead, they also allow attackers to significantly scale up their operation, due to the elasticity and compute capacity of these services. In a recent analysis of more than 500 billion events collected from multiple global online services, 18% of user accounts that originated from cloud service IP ranges were fraudulent.

The cloud can do more for the fraudsters than increase the number of attack campaigns they can conduct. It also helps them evade detection by traditional anti-fraud solutions. Traditional solutions rely on patterns or rules of known bad activities such as blacklisted IP address ranges or device fingerprints. However, there is little they can provide on new attack patterns, and fraudsters exploit this greatly to their advantage. 

To defeat device fingerprinting techniques, fraudsters leverage the computing power of cloud servers to create hundreds of thousands of unique “devices” using emulation software (after all, the cloud is built on virtualization). Each fake account now originates from a new, different “device,” making it ineffective to apply device fingerprint checks since those never-before-seen devices lack reputation history. 

To defeat IP blacklists and other rule-based systems based on geolocation, fraudsters use cloud servers as traffic proxies to obfuscate their actual location. By renting out virtual machines on the cloud servers, the fraudsters’ operations would appear to originate from the cloud servers instead of their own machines. They can use servers in multiple different geographic locations, such that the fake accounts they control appear distributed, or servers in specific regions to spoof presence at that location. The latter is useful for conducting fraudulent transactions, where a transaction may be less suspicious if it occurred close to the card holder’s home address, or for conducting ad fraud, where the origin of clicks or installs need to match the advertiser’s targeted demographic. 

Using public cloud services as traffic proxies is similar in functionality to using virtual private networks (VPN). VPN services allow users to route their network traffic through an encrypted tunnel to prevent eavesdropping or other man-in-the-middle attacks, and hide their actual network location. However, traffic routed through VPNs can have higher network latency compared to direct traffic. They are also not completely anonymous - many VPN services keep logs of the network connections and can monitor service usage. By contrast, public cloud providers have limited visibility into the processes running inside virtual machines due to data privacy regulations. 

With malicious activities being hosted on cloud services, a stopgap measure is to block all traffic from cloud service and/or VPN IP address ranges. However, while they can be abused for fraud and cyberattacks, not all traffic from the cloud is bad. There are many legitimate and productive uses of cloud computing, including business applications, content distribution, mobile communications and corporate VPNs. If online services were to implement such blocking policies, it would certainly be disruptive to the large majority of benign cloud users, not to mention driving away legitimate users and potential revenue. 

The rise of cloud-hosted attacks means that online services need to be prepared to handle attack campaigns that are bigger and more automated than ever before. Social network platforms are more likely to be targeted by these massive attacks, even more so than financial services. This is because social attacks have a low profit margin, and hence require a large number of fake accounts to be financially attractive for the fraudsters. Today, there are already massive waves of account registration attacks targeting social network platforms, where one attack campaign can consist of several million fake accounts. 

It’s not just the online services that are victims of these cloud-hosted attacks though. Cloud services also suffer, partly from the brand damage of hosting these attacks, and partly from themselves being the target of fraud and abuse. Fraudsters will take advantage of promotional credits, e.g., certain number of free credits for new users, and register fake accounts so they can use cloud resources for free. They may use stolen credit cards to pay for cloud usage, and walk away while leaving the cloud service with fraudulent transactions and chargebacks. These are the same types of fraud attacks that modern online services face every day. 

In and out of the cloud, fraudsters are getting increasingly better at blending in with the other millions of legitimate online users. It’s no longer good enough to check off the boxes of what makes a user “good” and call it a day, because these cloud services are helping fraudsters become really good at looking “good.” As the security landscape continues to evolve with new technology, online services also need to be aware of how their adversaries are using it (often just as quickly and effectively as they are) and be prepared to deal with them. It’s important to constantly reevaluate user data and your models, because when it comes to finding fraudsters, you must keep your head above the clouds. 

view counter
Ting-Fang Yen is a research scientist at DataVisor, a fraud and financial crime detection service utilizing unsupervised machine learning to identify attack campaigns before they conduct any damage. She received her PhD in Electrical and Computer Engineering from Carnegie Mellon, focusing on the detection of malware communications by applying statistical models and machine learning. She was previously a threat scientist at E8 Security, and principal research scientist at RSA and led projects analyzing enterprise log data to identify malicious insiders and intrusions.