In a recent six-month snapshot ending March 31, ThreatMetrix determined that attacks on new account registrations using spoofed and synthetic identities saw the highest rate of attacks followed by account logins and payment fraud.
Nearly one in ten registrations for online services originates from a cybercriminal. New account registrations include applying for new lines of credit, creating a profile on a social networking site or marketplace and enrolling in an authentication scheme.
The most common form of stolen identities is by human or bot-generated fraud attacks directed through proxies and VPNs intended to disguise the true origin of the attacker. These bypass IP address-based geo filter blacklists that also have the downside of unknowingly blocking legitimate visitors.
The economic impact of these attacks varies by industry. However, the common thread is that without automated visibility into the true device, persona, relationship and global behavior, the only alternative is additional verification roadblocks put in front of legitimate customers and extended review and hold-out periods.
Payments fraud attempts, which include online credit card transactions and money transfers, increased from 3.1 percent to 6.4 percent over the six months ending in March 2013. According to Faulkner, several underlying trends help explain this dramatic increase:
- Sophisticated credit card cyber gangs adopting banking malware, normally used to hijack bank accounts, to steal full credit card information from customers as a fake verification step when attempting to log into a bank account
- Increase in percentage of digital goods sold by ThreatMetrix customers that historically have a higher incidence of attack
- Expansion of the ThreatMetrix customers in new geographies and the increase in global commerce as a whole
- The increased availability and adoption of free and commercial VPN services and the growing use of Platform-as-a-Service (PaaS) providers by cybercriminals to set up ad hoc tunneling protocols. VPNs are favored by cybercriminals because they are impervious to proxy piercing technologies and undetected by traditional IP proxy detection services.
ThreatMetrix has observed a rise in the sophistication of account takeover attempts using blended attacks to exploit companies that do not have an integrated solution for malware, device identification and bot protection. These include:
Multi-stage malware exploits: Malware, typically using Man-in-the-Browser (MitB) Trojans, is used to extract login and setup verification credentials from a customer that is then used by a separate device or third party to avoid server-side MitB detection capabilities.
Multi-stage scripted attack exploits: Automated bot attacks test previously breached credentials from third-party sites, exploiting that many people reuse user names and passwords. After checking account balances or verifying whether an account has a stored credit card, a second attack is launched, typically done manually, to avoid any server-side bot detection.