Fraud has changed. As tools to detect and mitigate bot-generated attacks have evolved and improved, criminals are employing cheap human labor to steal account credentials and money. And the economies of several developing nations is making that possible.
"It's cost economics," says Kevin Gosschalk, CEO of Arkose Labs. "Creating fake accounts for referral fraud used to be more cost-effective. But now we have so many more data breaches happening," which means that the cyber black market is flooded with legitimate account credentials available to criminals at affordable prices. "Five years ago that was not a thing."
This means criminals are now employing an almost "sweat shop" style of labor, says Gosschalk, hiring workers in locations like Venezuela, where the hourly wage is so low that it now makes economic sense to pay people to manually carry out fraud with stolen account data, instead of using bots, he says.
"[Attackers are] giving people a script and saying 'here's [the] quota you have to hit,'" says Gosschalk. "Criminals are always trying to figure out what is [the] lowest-hanging fruit. As merchants and companies evolve with defenses, these attackers evolve. Humans just happen to have become the flavor of month."
Now "human-driven" attacks are increasing quickly. Arkose's most recent fraud report, covering Q3 2019, found that attacks carried out directly by humans—both lone perpetrators and organized groups—increased 33 percent over the previous quarter. Nearly one in every five fraud attacks were were manual rather than automated.
"The goal is to look as legitimate as possible," says Vanita Pandey, VP of Strategy at Arkose Labs. "Having humans involved does increase your chance of success. It looks more natural."
Pandey also notes the increase in this hands-on style of fraud highlights why businesses need to rethink the role of friction within their authentication strategy.
The quarterly report looks at over 1.3 billion transactions spanning account registrations, logins and payments in the financial services, e-commerce, travel, social media, gaming and entertainment industries. Overall, fraud increased 30 percent in Q3 2019 and bot-driven account registration fraud is up 70 percent as cybercriminals test stolen credentials in advance of the holiday retail season.
But every third attack on ﬁnancial services is manual, with attacks coming from fraudsters with access to stolen identity information and the latest tools. Over half of attacks that originate from Russia and China are now "human-driven," says Arkose. And China continues to have the highest number because of the enormous labor pool available, according to the report.
The data also highlights attack incentive for countries across the globe, based on their economy. The higher the incentive, the more resources they are likely to put behind attacks while still preserving ROI. For example, if the value of one nation's currency is only a fraction of the US dollar, than the incentive of a criminal in that country to defraud an American business is quite high.
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio