Attackers use large-scale bots to launch attacks on social media platforms
Social media sites have become lucrative targets for criminals looking for quick monetization. More than half of logins (53%) on social media sites are fraudulent and 25% of all new account applications on social media are fraud, according to the Q3 Fraud and Abuse Report today released by Arkose Labs.
While the digital economy has led to a globally connected ecosystem, one unintended consequence of this digital growth has been the rapid increase in fraud and online abuse.
It has never been easier to connect with people worldwide on social media, gaming platforms or on digital marketplaces – and it has never been easier to launch large-scale automated, organized attacks on businesses from across the globe.
Arkose Labs analyzed over 1.2 billion transactions spanning account registrations, logins and payments from financial services, e-commerce, travel, social media, gaming and entertainment industries, in real time, to provide insights on the evolving threat landscape. The report found that one in 10 transactions are attacks, ranging from automated bots to malicious humans.
“We are in an era where online identity, intent, business, metrics and content can all be faked. This can have serious security and financial repercussions for any business with an online presence, especially as they try to balance risk management with the delivery of exceptional customer experience,” said Kevin Gosschalk, CEO of Arkose Labs. “Meanwhile, the risk landscape is quickly becoming increasingly complex because fraudsters have easy access to sophisticated tools and resources. This means that they can tweak their attack patterns as long they remain profitable.”
Top attack originator
According to the report, the U.S., Russia, the Philippines, UK and Indonesia have emerged as the top originators of attacks, with the Philippines as the single biggest attack originator for both automated and human driven attacks and the U.S. a distant second.
Of the 1.2 billion transactions analyzed, automated attacks represent the bulk of the traffic, ranging from large-scale account validation attacks, to bots blocking seats on an airline to scripted attacks that scrape user data and inventory. Further analysis found that most attacks from China (59.3%) are human driven, which is more than four times higher than the U.S., Russia, the Philippines, and Indonesia.
“Fraudsters are motivated by financial gain and they will continue to deploy malicious techniques as long as there is money to be made. Sometimes fraudsters have to rely on humans to carry out attacks. These attacks cost more, but the value they can extract from the attack makes the investment worthwhile,” said Vanita Pandey, VP Strategy at Arkose Labs. “Developing economies are quickly becoming fraud hubs because they have easy access to sophisticated tools, cheap manual labor and good economic incentives associated with online fraud.”
Social media fraud is skyrocketing
Social media platforms are becoming increasingly influential in the digital economy, allowing consumers to connect with others, share personal information and opinions, make buying decisions, write reviews and consume information.
From account takeover attacks, to fraudulent account creation attacks, to spam and abuse, social media platforms see a variety of attacks from bots as well as organized malicious humans. However, more than 75% of attacks on social media are automated bot attacks.
Unlike other industries, account takeover attacks are more common for social media, with logins twice as likely to be attacked than account registrations. This is driven by the fraudsters looking to harvest rich personal data from the accounts of legitimate users.
“The extremely high attack rate on social media logins is indicative of the value placed on the data fraudsters extract from compromised social accounts,” said Gosschalk. “Because more than 50% of social media logins are fraud, we know that fraudsters are using large-scale bots to launch attacks on social media platforms with the goal of disseminating spam, stealing information, spreading social propaganda and executing social engineering campaigns targeting trusting consumers.”
Technology companies heavily targeted by human driven fraud
The technology segment is heavily targeted by human click-farms and sweatshops, which employ a large group of low-paid workers hired specifically to make fraudulent transactions or create fake accounts. According to the report, 43% of all attacks on tech companies are human driven and account registrations for tech companies are four times more likely to be attacks than logins.
“Technology companies who offer a ‘freemium’ model with quick, frictionless onboarding for new customers are attractive targets for fraudsters looking to test stolen credentials or create fake accounts to access the services,” said Pandey. “2019 is tracking to be a record year for data breaches and all of the recent tech breaches are providing fraudsters with refreshed access to new information. As we head into the holiday season, it is clear that businesses will experience the impact in terms of new fraud attacks.”
Financial services fraud varies by season, time of day
Arkose Labs has observed that 9% of the total login attempts are fraudulent with a third coming from human driven attacks. These attacks focus on taking over a legitimate user’s account to transfer funds or sign up for fraudulent purchases.
The attack mix varies by the time of the day with fraudsters mimicking the daily user traffic patterns and operating during traditional business hours. At the same time, the financial services segment also witnesses seasonality in the attack patterns, with attack volumes and human driven attacks increasing during high-traffic periods, like the tax season in the U.S.
Payment transactions in the travel industry at high risk for fraud
The rise of online travel has created a wealth of convenience and opportunity, but the travel industry is also seeing an increase in fraud.
Payment transactions in the travel industry are 10 times more likely to be attacked, especially from automated bots looking to block inventory, leading to denial of inventory attacks or a significant increase in ticket price. Arkose Labs also found that almost 10% of all login attempts on travel sites are fraud and 46% of all payment transactions for travel are fraud. Travel companies are under attack from fraudsters trying to make fraudulent purchases, conduct denial of inventory attacks or steal hard-earned customer loyalty points, which are essentially liquid cash.
Retail industry attracts sophisticated human attacks
The retail industry experiences the highest volume of human driven attacks, with more than half of attacks being human driven. Unlike bot traffic, inauthentic human traffic is harder to detect as human behavior is unpredictable and highly nuanced.
“Our report sheds profound light on the connected nature of the fraud ecosystem, illustrating how fraudsters deploy different calculated strategies, based on industry and business models, to maximize each attack’s ROI,” continued Pandey. “As we head into the holiday season, this is critical for the retail industry, which sees high volumes of seasonal and human driven fraud. Right now, fraudsters are actively preparing to launch large-scale attacks on retail vendors during the holidays by validating and testing stolen gift cards and identities compromised in recent breaches. The long-term solution to this problem is not rooted in applying new defenses — because fraud will continue to evolve — but rather to break the economics of the attack and eliminate a fraudster’s financial incentive.”