Concerns raised over holiday cybercrime attacks.
Two cybersecurity reports paint a dreadful end-of-the year picture: one forecasts major data breaches fueling a holiday retail cybercrime spree; the other suggests financial institutions on the hook for any incidents.
Fraud increased 30% overall in the third quarter 2019 and bot-driven account registration fraud is up 70% as cybercriminals test stolen credentials in advance of the holiday retail season, according to “The Q4 Fraud and Abuse” by San Francisco based Arkose Labs, which provides a platform combining telemetry with an adaptive step-up challenge to identify bad actors. The study provided insights into the cybercrime ecosystem and how criminals are preparing for large-scale digital commerce attacks in this year’s last quarter.
The report analyzed over 1.3 billion transactions spanning account registrations, logins and payments, in the financial services, e-commerce, travel, social media, gaming and entertainment industries, from July 1, 2019 to Sept. 30, 2019.
Arkose Labs found one in five account openings were fraudulent and an elevated attack rate on retail payment transactions forecasts a record-high holiday fraud season. Account takeover attacks are a precursor to payment fraud. Eighty-one percent of all retail attacks were fraudulent payments transactions.
Kevin Gosschalk, CEO of Arkose Labs, said, “One thing is clear: the way fraudsters are weaponizing compromised data from recent high-profile breaches highlights the deep connectivity of the global cybercrime ecosystem that goes way beyond selling stolen data or knowledge sharing. One attack is a precursor to another attack, and they can be in two different industries, across two different geographies.”
Among the other findings:
- Digital account registration on social, tech and gaming companies has become the identity testing mechanism for fraudsters. Even when an account creation attack fails, it can provide valuable insight into an account’s existence. Within the tech industry, fake account creations, nine times more likely attacked compared to login attempts, increased five-fold from the second quarter.
- Attacks from malicious humans – both lone perpetrators and organized fraud sweatshops — increased 33% over the previous quarter; and nearly one in every five attacks (every third attack on ﬁnancial services) is human-driven.
“Our report exposes the monetization roadmap criminals take to commit an attack,” Vanita Pandey, vice president of Strategy at Arkose Labs, said. “First, fraudsters test credentials – which we are witnessing in profusion across all industries. Next, they take over accounts. Payment fraud is usually the last step in the attack cycle and the overwhelming volume of fraudulent retail payment transactions in quarter 3 forecasts a very ominous holiday shopping season.”
By Roy Urrico