Intelligent automated bots are among the newest weapons in the arsenal of cyber criminals, including those seeking to attack financial institutions, as fraud and intrusions increase exponentially on this attack vector.
The tactic is increasingly used across sectors, reflecting the volume and value of digital information.
“A common phrase heard in the past few years is 'data is the new oil,’” says Kevin Gosschalk, founder and CEO of Arkose Labs in the introduction to his company’s research report, 2022 State of Fraud & Account Security Report. “The digital world now encompasses so much of our everyday lives, and data is the valuable commodity that fuels it. It’s not just commerce that operates largely in the digital realm, but also work, socializing, education and much more.”
Indeed, the cybersecurity firm points out that the online “metaverse” could be worth as much as $800 billion by 2024 by Bloomberg Intelligence. “This will lead to an exponentially larger attack surface for fraudsters to target. Rather than just PCs and mobile devices, attackers can compromise smart appliances, connected automobiles and virtual reality devices.”
The Arkose report points out that fraud attacks on financial institutions are not only increasing in volume “but also sophistication.”
“Bots become more nuanced and advanced by the day; able to mimic good users with increasing accuracy and bypass defenses,” according to the Arkose Labs report. “Automation is the key for attackers to be successful in their endeavors. It allows them to attack at such scale and so inexpensively that only a small percentage of their efforts need to be successful to turn a profit.”
At the same time, banks’ business customers are also pouring “time and money into cybersecurity and anti-fraud defenses only to fight a losing battle,” according to Arkose Labs.
Indeed, the financial industry faced twice as many cyberattacks in 2021 as the previous year, but the technology space has five times as many and the travel industry saw 12.5 as many attempted onslaughts.
The Arkose Labs report also noted a rise in login or registration point attacks, which increased by 85% year over year. "Once attackers have compromised an existing account, they can monetize it in a number of ways, such as stealing financial information, reselling the credentials, redeeming accrued loyalty points and more,” according to Gosschalk. “Fake new accounts are used for attacks such as inventory hoarding, content scraping, and sending spam and phishing messages.”
Indeed, the Arkose Labs report points out that the average person now has more than 100 passwords. “These digital accounts, if they are compromised, give attackers access to then commit a wide range of fraud and abuse beyond just stealing personal information,” according to the report. Login and registration intrusions shot up by 85% last year as compared to 2020, largely by the theft of financial information and credentials.
Here again, the Arkose Labs report found that automated services aid in making targeting more enterprises: bots using “scraping” attacks helped compromise at least 45% of traffic on travel sites. Meanwhile, fraudulent accounts tripled last year as compared to 2020, using phishing, scams and the promise of free trial abuse. Attacks on financial firms and financial technology companies were 70% higher last year than in 2020, according to the Arkose Labs’ research.
“Throughout the highs and lows of 2021,” the Arkose Labs report said, “businesses experienced spikes in new and reemerging attack types based on the rapidly changing environment.”
