Head to the Cloud for a Head’s Up on Fraud

When it Comes to Finding Fraudsters, You Must Keep Your Head Above the Clouds. 

Modern online fraud attacks are enormous in scale. They are orchestrated by organized crime rings who control large “armies” of fake user accounts to do their bidding. These coordinated malicious user accounts, either created new or obtained via user hijacking, actively target the various features of modern online services for some type of real-world financial gain. This type of attack can include everything from fake reviews to boost business reputation, promotional credits abused to gain an unfair advantage within games, and stolen credit cards used in fraudulent online transactions. Such attacks can cause millions of dollars of loss to the service, in addition to severely degrading brand name reputation and platform integrity.

With the commoditization of cloud computing in recent years, fraudsters and cybercriminals alike have started to take advantage of public cloud services and dedicated/virtual hosting to conduct attacks. Just as the cloud lets businesses expand their operations without the maintenance overhead, its elasticity and compute capacity let attackers scale up their operations significantly. In a recent analysis of more than 500 billion events collected from multiple global online services, 18% of user accounts that originated from cloud service IP ranges were fraudulent.

The cloud can do more for the fraudsters than increase the number of attack campaigns they can conduct. It also helps them evade detection by traditional anti-fraud solutions. Traditional solutions rely on patterns or rules of known bad activities, such as blacklisted IP address ranges or device fingerprints. However, they offer little against new attack patterns, and fraudsters exploit this greatly to their advantage.

To defeat device fingerprinting techniques, fraudsters leverage the computing power of cloud servers to create hundreds of thousands of unique “devices” using emulation software (after all, the cloud is built on virtualization). Each fake account now originates from a new, different “device,” making it ineffective to apply device fingerprint checks since those never-before-seen devices lack reputation history. 

To defeat IP blacklists and other rule-based systems based on geolocation, fraudsters use cloud servers as traffic proxies to obfuscate their actual location. By renting virtual machines in the cloud, the fraudsters’ operations appear to originate from the cloud servers instead of their own machines. They can use servers in multiple different geographic locations, such that the fake accounts they control appear distributed, or servers in specific regions to spoof presence at that location. The latter is useful for conducting fraudulent transactions, where a transaction may be less suspicious if it occurred close to the card holder’s home address, or for conducting ad fraud, where the origin of clicks or installs needs to match the advertiser’s targeted demographic.

Using public cloud services as traffic proxies is similar in functionality to using virtual private networks (VPN). VPN services allow users to route their network traffic through an encrypted tunnel to prevent eavesdropping or other man-in-the-middle attacks, and hide their actual network location. However, traffic routed through VPNs can have higher network latency compared to direct traffic. They are also not completely anonymous – many VPN services keep logs of the network connections and can monitor service usage. By contrast, public cloud providers have limited visibility into the processes running inside virtual machines due to data privacy regulations. 

With malicious activities being hosted on cloud services, a stopgap measure is to block all traffic from cloud service and/or VPN IP address ranges. However, while they can be abused for fraud and cyberattacks, not all traffic from the cloud is bad. There are many legitimate and productive uses of cloud computing, including business applications, content distribution, mobile communications and corporate VPNs. If online services were to implement such blocking policies, it would certainly be disruptive to the large majority of benign cloud users, not to mention driving away legitimate users and potential revenue. 

The rise of cloud-hosted attacks means that online services need to be prepared to handle attack campaigns that are bigger and more automated than ever before. Social network platforms are more likely to be targeted by these massive attacks, even more so than financial services. This is because social attacks have a low profit margin, and hence require a large number of fake accounts to be financially attractive for the fraudsters. Today, there are already massive waves of account registration attacks targeting social network platforms, where one attack campaign can consist of several million fake accounts. 
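To make the preceding paragraphs concrete, here is an added example (not from this column or its author) that scores cloud origin as one signal alongside device novelty and per-subnet sign-up velocity, instead of blanket-blocking cloud ranges: a lone corporate-VPN user on a cloud address stays below the review threshold, while a registration wave of never-before-seen devices from one rented subnet crosses it. The prefixes, weights, threshold and events are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder cloud ranges (assumption): a real deployment loads
# the ranges each provider publishes. Cloud origin is a signal, not a verdict.
CLOUD_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

def is_cloud_ip(ip):
    """True if the address falls inside a known cloud/hosting prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_PREFIXES)

def score_registrations(events, window=60, burst=5):
    """events: iterable of (timestamp_seconds, ip, device_fingerprint).
    Returns [(ip, score)] in time order. Weights are assumed, not from the
    column: cloud origin 0.2, never-before-seen device 0.1, and 0.6 once
    `burst` or more sign-ups hit one /24 inside `window` seconds."""
    seen_devices = set()
    recent_by_prefix = defaultdict(list)
    results = []
    for ts, ip, fp in sorted(events):
        prefix = ipaddress.ip_network(f"{ip}/24", strict=False)
        score = 0.2 if is_cloud_ip(ip) else 0.0
        if fp not in seen_devices:
            seen_devices.add(fp)
            score += 0.1  # new device: no reputation history yet
        recent = [t for t in recent_by_prefix[prefix] if ts - t <= window]
        recent.append(ts)
        recent_by_prefix[prefix] = recent
        if len(recent) >= burst:
            score += 0.6  # coordinated sign-up wave from one subnet
        results.append((ip, round(score, 2)))
    return results

def flagged(results, threshold=0.5):
    """IPs whose score reached the manual-review threshold."""
    return [ip for ip, s in results if s >= threshold]

# Constructed sample: one corporate-VPN user (seen twice), one home user, and
# a six-account wave from a rented /24 with a fresh emulated device each time.
SAMPLE_EVENTS = [
    (100, "203.0.113.10", "corp-laptop"),
    (300, "192.0.2.5", "home-phone"),
    (400, "203.0.113.10", "corp-laptop"),
] + [(200 + i, f"198.51.100.{i + 1}", f"emu-{i}") for i in range(6)]

if __name__ == "__main__":
    for ip, score in score_registrations(SAMPLE_EVENTS):
        print(ip, score)
    print("flag for review:", flagged(score_registrations(SAMPLE_EVENTS)))
```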

It’s not just the online services that are victims of these cloud-hosted attacks, though. Cloud services also suffer, partly from the brand damage of hosting these attacks, and partly from themselves being the target of fraud and abuse. Fraudsters take advantage of promotional credits, e.g., a certain number of free credits for new users, and register fake accounts so they can use cloud resources for free. They may use stolen credit cards to pay for cloud usage, and walk away while leaving the cloud service with fraudulent transactions and chargebacks. These are the same types of fraud attacks that modern online services face every day.

In and out of the cloud, fraudsters are getting increasingly better at blending in with the other millions of legitimate online users. It’s no longer good enough to check off the boxes of what makes a user “good” and call it a day, because these cloud services are helping fraudsters become really good at looking “good.” As the security landscape continues to evolve with new technology, online services also need to be aware of how their adversaries are using it (often just as quickly and effectively as they are) and be prepared to deal with them. It’s important to constantly reevaluate user data and your models, because when it comes to finding fraudsters, you must keep your head above the clouds. 
