The now-common movie trope of a hoodie-wearing teen brute-forcing bank networks and payment systems from their mother’s basement has long been supplanted by far more advanced, automated and dangerous organized crime rings, making the job all the more difficult for IT security teams.
Botnet attacks have more than doubled, increasing 106% year-over-year, with carding incidents rising 111% and scraping attacks skyrocketing a whopping 240% in the same timeframe, according to a study released by PerimeterX last week. The annual Automated Fraud Benchmark Report: E-commerce Edition analyzed billions of user transactions at large online stores over the course of last year. Given the overall increase in all varieties of financial fraud during the pandemic, it is hardly astonishing that these automated schemes by bad actors are sharply on the rise — but automated attacks are particularly worrisome because they have become so easy to perpetrate, even by novice fraudsters, and act as a force multiplier for bad actors.
“These findings are not surprising to us, unfortunately,” said Liel Strauch, director of cybersecurity research at PerimeterX. “The increase in scraping is not unexpected, but we were surprised by the magnitude of these attacks.”
Indeed, scalping or cyber-scalping attacks — where fraudsters use automated software to buy massive amounts of goods or services that are limited, like event tickets — have increased in the volume and variety of the items being scalped, according to Strauch, creating payment fraud so widespread that it is virtually impossible for financial firms and payment networks to keep up.
“Illustrating the lifecycle of attacks, scraping is leveraged by scalpers so they can be notified once product inventory comes back following a hype sale, for example,” Strauch added.
And cyber thieves are using botnets increasingly to gain a financial advantage in stealing digital assets that they can use or resell, “especially in the online retail space, where e-gift cards and loyalty accounts are heavily used,” Strauch continued.
Savvy cyber thieves are finding new routes to use their bots to scrape, validate and fraudulently use legitimate customer personal data and account information, according to the report’s research, which was collected from millions of online customers and hundreds of millions of bots operating on websites and mobile applications last year.
“Mobile apps and websites continue to be the primary way consumers discover, shop and interact with a brand, especially during popular hype sales events,” Kim DeCarlis, chief marketing officer for PerimeterX, said in a prepared release. “Stored credit cards, gift card balances, loyalty points and personally identifiable information (PII) make e-commerce apps the ideal target of threat actors who are increasingly leveraging automated attacks.”
And fraudsters have not only gotten more creative in how they use automated attacks — especially botnets — they have also widened their net (so to speak) in terms of how they use the financial and personal information that they steal, according to the research. Individual attacks themselves are “not the only threat,” according to the PerimeterX report. “Online accounts now hold a piece of a user’s identity — which becomes more valuable than simply a stored credit card.”
In other words, fraudsters are making more use of these legitimate financial and personal identities, or using various pieces of information collected from multiple accounts to create “synthetic identities,” which vastly increases their ability to commit fraud and “lay(s) the foundation for the 'web attack lifecycle' by digitally skimming PII to steal information, validating it with credential stuffing attacks, and fraudulently using it to commit ATO or create fake accounts,” according to the report’s findings.
“Attackers are increasingly diverse in their sophistication and attack methods,” Strauch commented in a press release. “This includes technically adept youngsters, amateur botters, savvy professional cybercriminals and cybercrime communities, as well as a growing crime-as-a-service (CaaS) ecosystem that allows just about anyone to get in on the action.”
Other key findings from the report include:
- Sales of limited-edition sneakers experienced up to 71% of traffic from scalping bots during hype sales events in 2021, an increase from the 2020 peak of 46%
- Peak malicious login attempts increased from 84% in 2020 to 93% in 2021
- The three retail e-commerce segments that saw the most bad bot traffic were Health and Wellness (36%); Hardware, Software and Electronics (33%); and Sports and Recreation (27%)
- 74% of bot attacks came from desktop devices and the remainder from mobile devices
- The most malicious bot traffic globally came from the U.S. and Canada
Automated fraud protection best practices
PerimeterX offers steps to help organizations reduce their risk and better defend against automated fraud, including:
- Assess your risks by conducting an audit of malicious activity
- Identify key web pages and make them harder to scrape
- Review your security infrastructure by identifying the strengths and weaknesses of your existing tools
- Analyze the impact of tools like CAPTCHAs and MFA on consumers
- Utilize machine learning and behavioral analysis to detect and mitigate malicious bots
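The last two recommendations (auditing malicious activity and using behavioral analysis to spot bots) are easier to picture with concrete logic. The following is an added example, not PerimeterX code and not taken from the report: it parses constructed web-server access-log lines, aggregates behavior per client IP, and flags the three patterns the article describes (credential stuffing, scraping, and abnormal request rate). The log lines, IP addresses, URL paths and thresholds are all assumptions made up for the illustration.

```python
"""Behavioral bot scoring over constructed web-server access logs.

Added example (not PerimeterX code). Groups requests per client IP and
flags sessions whose behavior matches credential stuffing (many failed
logins), scraping (many distinct product pages, no cart activity) or an
abnormal request rate. All thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format line, for example:
# 203.0.113.7 - - [10/Mar/2022:10:00:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.27"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Illustrative thresholds (assumptions; tune against your own baseline traffic).
MIN_LOGIN_ATTEMPTS = 10      # attempts before the failure ratio is considered
LOGIN_FAILURE_RATIO = 0.8    # share of rejected (401/403) login attempts
MIN_PRODUCT_PAGES = 20       # distinct /product/ pages with no cart activity
MAX_REQ_PER_SEC = 1.0        # sustained request rate for a single client


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines):
    """Aggregate per-IP behavior and return {ip: {..., "flags": [...]}}."""
    sessions = defaultdict(lambda: {
        "requests": 0, "first": None, "last": None,
        "login_attempts": 0, "login_failures": 0,
        "product_pages": set(), "cart_activity": False,
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        s = sessions[rec["ip"]]
        s["requests"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        if rec["method"] == "POST" and rec["path"] == "/login":
            s["login_attempts"] += 1
            if rec["status"] in (401, 403):
                s["login_failures"] += 1
        elif rec["path"].startswith("/product/"):
            s["product_pages"].add(rec["path"])
        elif rec["path"].startswith(("/cart", "/checkout")):
            s["cart_activity"] = True

    report = {}
    for ip, s in sessions.items():
        elapsed = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rate = s["requests"] / elapsed
        flags = []
        if (s["login_attempts"] >= MIN_LOGIN_ATTEMPTS
                and s["login_failures"] / s["login_attempts"] >= LOGIN_FAILURE_RATIO):
            flags.append("credential_stuffing")
        if len(s["product_pages"]) >= MIN_PRODUCT_PAGES and not s["cart_activity"]:
            flags.append("scraping")
        if rate > MAX_REQ_PER_SEC:
            flags.append("high_rate")
        report[ip] = {
            "requests": s["requests"], "req_per_sec": round(rate, 2),
            "login_attempts": s["login_attempts"], "login_failures": s["login_failures"],
            "distinct_products": len(s["product_pages"]), "flags": flags,
        }
    return report


def make_sample_log():
    """Constructed sample traffic (not real data): one credential-stuffing
    client, one scraper and one ordinary shopper."""
    base = datetime.strptime("10/Mar/2022:10:00:00 +0000", TS_FMT)

    def line(ip, offset, method, path, status, ua):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

    lines = []
    # 12 login attempts in 33 s, 11 of them rejected: credential-stuffing pattern.
    for i in range(12):
        lines.append(line("203.0.113.7", 3 * i, "POST", "/login",
                          200 if i == 5 else 401, "python-requests/2.27"))
    # 25 distinct product pages in 24 s, never touching the cart: scraping pattern.
    for i in range(25):
        lines.append(line("198.51.100.9", i, "GET", f"/product/{1000 + i}", 200, "Mozilla/5.0"))
    # A shopper: a few pages over two minutes, then the cart.
    for i, path in enumerate(["/", "/product/1001", "/product/1002", "/cart"]):
        lines.append(line("192.0.2.44", 40 * i, "GET", path, 200, "Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for ip, info in analyze(make_sample_log()).items():
        print(ip, info["flags"] or ["clean"], info)
```

On the constructed sample the login-hammering client is flagged as credential stuffing, the product-page walker is flagged as scraping and as exceeding the rate threshold, and the shopper is left clean. Real deployments would replace the fixed thresholds with a baseline learned from legitimate traffic, which is the machine-learning piece the recommendation refers to, and would feed the flags into rate limiting or step-up challenges rather than blocking outright, so that the CAPTCHA/MFA impact on genuine customers can be measured as the fourth recommendation suggests.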