Login attempts make up three of every four digital transactions a business has with its customers. Unfortunately for today's increasingly digital organizations, not all user logins are authentic – in fact, across many industries, it's more likely a login attempt is fake.
For its Q3 Fraud and Abuse Report, released today, Arkose Labs analyzed 1.2 billion user transactions conducted between April 1 and Jun. 30, 2019 to gain a sense of the fraud and risk landscape. These sessions span account registrations, logins, and payments from companies in the financial services, ecommerce, travel, social media, gaming, and entertainment industries.
The company discovered a mix of automated and human-driven fraud targeting business transactions across industries. Eleven percent of sessions are attacks, Arkose Labs reports, but the type of fraud and how it's conducted vary based on time of day, industry, and geography.
Consider the tech space, where according to the report, fake login attempts make up 78.7% of fraud instances and account registrations make up the rest (21.2%). Most tech companies offer a "freemium" model with quick onboarding for users, which appeal to attackers looking to test stolen credentials or create fake accounts. Nearly 43% of all attacks on tech companies are human-driven.
Social media is another hotspot for fraud. Fake login attempts make up 89.5% of social media fraud instances, and fake account registrations make up 10.5%, explaining why automated attacks are so common. The popularity of account takeover stems from attackers' motivation to steal personal data, the report states, and 53.3% of all social media login attempts are fraud.
Payments are more likely to be targeted in retail and travel. Automated bots aim to block inventory, a tactic that may lead to denial of inventory attacks or higher prices on tickets. Fraudsters are also after data: by taking over actual user accounts they can access individuals' targeted recommendations, discounts, and personal information.
On a geographical level, the top originators for fraud attacks are the United States, Russia, Philippines, UK, and Indonesia. The Philippines is the single largest attack originator for both automated and human-driven fraud. China mostly relies on human-driven fraud attacks.
Man vs. Machine: Use of Human-Driven Fraud
Attack patterns evolve as businesses deploy new mitigations. When companies find a new tool to detect large-scale automated attacks, unsuccessful fraudsters shift to new, trained bot attacks. As mitigations are released for those, they are turning to human-driven attacks. A growing number of "click farms" or sweatshops employ low-paid people to attempt fraudulent transactions, write fake reviews, or create new accounts using stolen or fake credentials.
Automated attacks comprise the bulk of fraud traffic: it's easiest to automate login attempts, which are fairly straightforward and make up 78.9% of fraud instances. In comparison, account registrations make up 14.8% of fraud attempts, and payments make up 6.3%.
"Those attacks can be carried out by these automated systems," Arkose Labs' vice president of strategy Vanita Pandey says of account takeover. "But then there are areas where human intervention is required." Writing reviews, opening bank accounts, or signing up for a dating app are examples.
Human-driven attacks, while more expensive, may also lead to greater gain. Unlike bot traffic, human behavior is unpredictable and highly nuanced; for this reason, payment fraud and fake account creation are more likely to be done by people. Arkose Labs found nearly one-third of account registration attacks are from malicious humans; both individuals and organized fraud.
Most human-driven attacks are seen in retail, finance, and technology, where person-to-person interaction is typically required; for example, 53% of account registration attacks against tech companies are done by people. This type of activity also varies by time of day: while the digital economy means fraudsters can strike at any time, most human-driven attacks aim to align with the targeted time zone's business hours so as to appear legitimate. This is why human-driven attacks are more popular in the retail industry than any other, researchers report.
Fraudsters target both mobile and desktop traffic, which make up 30.9% and 69.1% of fraudulent traffic, respectively. This also varies by industry. Mobile is hot in social media and retail; in the gaming space, much of fraud traffic comes from consoles. Finance and tech traffic primarily comes from desktop machines, likely due to their larger screen size.
- 7 Biggest Cloud Security Blind Spots
- Capital One Breach: What Security Teams Can Do Now
- New Malware Variant Targets Old Adobe, Office Vulnerabilities
- Haas Formula 1 CIO Builds Security at 230 Miles per Hour
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'Culture Eats Policy for Breakfast': Rethinking Security Awareness Training."