Online fraud isn’t just the work of some teens in their parents’ basements. Most hackers are well-trained professionals employed by a specialized industry. Learning how these workers think is the most effective way to get ahead of their plots.
As in any industry, specialization is queen. Cyberattacks owe much of their success rates to this specialization where every step to defraud individuals is highly developed. Like any business, the ultimate goal is to make money and leverage existing work to keep costs down.
The three stages of fraud
From the moment someone’s data is stolen until it’s used to gain money or assets, there is a process that can be summarized in three steps.
Gathering: Some people specialize in gathering user data, such as login credentials, payment card information, or other personal data, including SSN numbers.
Testing: Once the data is stolen, bad actors need to find out which is useful, and which is not. For example, card numbers may no longer be active, passwords may have changed, or accounts closed. Finding out what data is useful is called testing.
Monetizing: Once cybercriminals have the data and know it is active or accurate, they are ready to use it to make money. For example, they make purchases, siphon reward points, or apply for credit – all using the credentials or information of the unsuspecting victim.
Let’s look at what’s inside each of those three activities.
Gathering data for a fraud attack
Gathering sensitive information is normally done in one of two ways: through breaches or phishing.
Breaches: A bad actor finds a vulnerability in a server or system to access otherwise protected data. Most of the time, the person accessing this data doesn’t use it to attack the victim. Instead, they sell it on the dark web or make it available to other parties for a substantial amount of money, pushing the fresh data down to the next link of the chain.
Accessing the data is easy for the fraudster who does their data shopping on the dark web. The file with data is sometimes as simple as a .txt file or an Excel sheet. In 2019, there were over 15 billion credentials exposed across over 7,000 data breaches, according to RiskBased Security, giving fraudsters lots to choose from.
Phishing: Another way to get user credentials is through phishing. Fraudsters create a fake webpage, often using the logo and branding of a real company, and create an email that links to that page with a fake email domain matching that of a company you may be familiar with. Targeted users are often fooled, especially if it’s a brand they’ve interacted with in the past.
The email often asks victims to change passwords, update credit card information, or purchase a ridiculously discounted item. When the victim clicks on the link and types the information on the fake page, the data is delivered directly to the bad actor. This is a slower way to rack up a list of user credentials, but the quality of the data is better. It’s as recent as it gets, delivered directly by the victim.
Testing stolen data
The next step is testing the data to find what username and password combinations are successful. A password from a breach from two months ago may no longer be active; the same applies to credit card information. Testing is a crucial step to know what information can be used for future monetization and what data can be discarded. Doing this process manually is tedious, but in this specialized industry, there are people who have already solved this problem. Software like SentryMBA can do mass testing in seconds.
There are many other types of credential testing software available commercially, along with tutorials on how to use them. They help fraudsters script their credential testing attacks but also make adjustments to login attempts so, it’s not blatantly obvious that someone is using a script. Some of the functions are:
Controlling velocity: Credential testing software tests the velocity of the attempts and adjusts the number of tries per second and time spent on each attempt. Bad actors know that many eCommerce platforms have at least legacy security in place that detects login attempts that are too fast to be real. By forcing a script to slow down the automated login attempts, bad actors may bypass these security measures.
Manipulating proxies: Lists of random IPs and geolocations mask bad actors’ real locations and IPs. While many security tools can detect when there are several login attempts within the same IP, connection or location, bad actors can cycle through a long list of parameters to appear as a new user every time. By masking this information, attacks can bypass security tools that rely on proxy and device connection information to verify a user.
Solving CAPTCHAs: There are many credential stuffing software solutions that can solve CAPTCHAS. The software interprets and adjusts the CAPTCHA image to solve it, and can manipulate the CAPTCHA image to make it easier for the computer to read. Similar to using photoshop, the software can pre-program how a CAPTCHA image has to be edited to make it easier to read. For example, the bad actor can program the software to increase the contrast of the image, sharpen the image, and indicate how many letters are in the puzzle. It takes a bit of trial and error, but once the software is able to read a good portion of the CAPTCHAS a bad actor is ready to click on “run,” begin the attack, and wait for successful logins (hits).
Note: When there is a failed login, it’s important that merchants set error messages that don’t help bad actors, such as giving hints or failure feedback. It’s better to keep it vague and use messages like “Your username and password combination are incorrect.”
To test other credentials, for example, credit card credentials, fraudsters make test purchases to see if they go through. These are normally low-value purchases, such as pre-ordering a drink from a pizza chain or donating $5 to a charity.
Monetizing stolen data
Once fraudsters have the credentials to access the account, they can monetize in main ways, for example making a purchase or stealing the rewards from the account for a purchase.
If they make the purchase with the stored card on an account, they can reroute the shipping by calling after the purchase and asking the customer service representative to manually change the address. Customer service representatives are often the lowest-paid employees in a company, making them more susceptible to cut corners or share private information if a customer is being difficult.
Bad actors also slip undetected through the checkout with triangulation fraud schemes. Fraudsters use the victim’s credit card to purchase a big-ticket item, have it delivered to a third party who has purchased it, not knowing it is fraudulently purchased.
Another common scheme is stealing customer reward points which fraudsters move to gift cards for their own use. Customer rewards are worth multiple billions of dollars in the U.S. alone, and most are unused. It’s a market ripe for picking.
The common thread between fraud and prevention
There are two things that fraud and prevention have in common: automation and user behavior.
As we’ve seen, bad actors are very skillful at using automation to scale for mass-scale attacks, such as testing hundreds of credentials in a few minutes. This is a trend to look for in protection. If you see sudden spikes in attempted logins using the same browser, you are likely subjected to a mass-scale attack. Because automation handles such high volumes, it is crucial to investigate any spikes or odd changes in your online traffic as soon as possible.
We also see bad actors deviating from the behavior you expect from good users. For example, it’s normal for a good user to make a purchase. But three purchases in a row from a customer who hasn’t made a purchase in months and who recently had ten failed login attempts, is not usual.
A user who creates an account and shortly afterward receives reward points from 20 different accounts could be legitimate, but this deviates from normal behavior. It could be a bad actor who has taken over the other 20 accounts to send points to their new account and is worth investigating.
It’s worth noting that we are seeing a rise in sophisticated attacks where a specialist who understands the expectations of user behavior can intervene at appropriate times. More labor-intensive, these tend to be high-value fraud schemes. In the financial industry alone, 96% of attacks in 2020 showed some of these sophisticated traits.
Think like a fraudster to beat a fraudster
Now that you understand the strategy behind fraud, look at the overall picture to expose unusual activity, and strategize to stop fraud at various points. Use security tools that detect and identify fraud at each customer checkpoint and share information across those placements: access (login), customer interaction, checkout, and purchase.
Stopping threats at login prevents most fraud, and it’s crucial to have a tool that detects automation and unusual behavior at this critical point. But for those who made it through and are able to enter your platform, you need intelligence that detects their common patterns and mitigates the threat. Machine learning with passive biometrics and behavioral analytics detect automation and unusual behaviors, learning new schemes as they are developed and tried.
NuData’s solution continuously verifies a user’s online identity by authenticating the user based on their natural interactions online – behavior that can’t be mimicked or replicated by a third party. Learn more about protecting your organization with passive biometrics and behavioral analytics.
Related to this post: Triangulation fraud, coming to an eCommerce site near you.