Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

8/26/2019
04:25 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

More Than Half of Social Media Login Attempts Are Fraud

Overall, account registrations for tech companies are four times more likely to be malicious than legitimate, a new report states.

Login attempts make up three of every four digital transactions a business has with its customers. Unfortunately for today's increasingly digital organizations, not all user logins are authentic – in fact, across many industries, it's more likely a login attempt is fake.

For its Q3 Fraud and Abuse Report, released today, Arkose Labs analyzed 1.2 billion user transactions conducted between April 1 and Jun. 30, 2019 to gain a sense of the fraud and risk landscape. These sessions span account registrations, logins, and payments from companies in the financial services, ecommerce, travel, social media, gaming, and entertainment industries.

The company discovered a mix of automated and human-driven fraud targeting business transactions across industries. Eleven percent of sessions are attacks, Arkose Labs reports, but the type of fraud and how it's conducted vary based on time of day, industry, and geography.

Consider the tech space, where according to the report, fake login attempts make up 78.7% of fraud instances and account registrations make up the rest (21.2%). Most tech companies offer a "freemium" model with quick onboarding for users, which appeal to attackers looking to test stolen credentials or create fake accounts. Nearly 43% of all attacks on tech companies are human-driven.

Social media is another hotspot for fraud. Fake login attempts make up 89.5% of social media fraud instances, and fake account registrations make up 10.5%, explaining why automated attacks are so common. The popularity of account takeover stems from attackers' motivation to steal personal data, the report states, and 53.3% of all social media login attempts are fraud.

Payments are more likely to be targeted in retail and travel. Automated bots aim to block inventory, a tactic that may lead to denial of inventory attacks or higher prices on tickets. Fraudsters are also after data: by taking over actual user accounts they can access individuals' targeted recommendations, discounts, and personal information.

On a geographical level, the top originators for fraud attacks are the United States, Russia, Philippines, UK, and Indonesia. The Philippines is the single largest attack originator for both automated and human-driven fraud. China mostly relies on human-driven fraud attacks.

Man vs. Machine: Use of Human-Driven Fraud

Attack patterns evolve as businesses deploy new mitigations. When companies find a new tool to detect large-scale automated attacks, unsuccessful fraudsters shift to new, trained bot attacks. As mitigations are released for those, they are turning to human-driven attacks. A growing number of "click farms" or sweatshops employ low-paid people to attempt fraudulent transactions, write fake reviews, or create new accounts using stolen or fake credentials.

Automated attacks comprise the bulk of fraud traffic: it's easiest to automate login attempts, which are fairly straightforward and make up 78.9% of fraud instances. In comparison, account registrations make up 14.8% of fraud attempts, and payments make up 6.3%.

"Those attacks can be carried out by these automated systems," Arkose Labs' vice president of strategy Vanita Pandey says of account takeover. "But then there are areas where human intervention is required." Writing reviews, opening bank accounts, or signing up for a dating app are examples.

Human-driven attacks, while more expensive, may also lead to greater gain. Unlike bot traffic, human behavior is unpredictable and highly nuanced; for this reason, payment fraud and fake account creation are more likely to be done by people. Arkose Labs found nearly one-third of account registration attacks are from malicious humans; both individuals and organized fraud.

Most human-driven attacks are seen in retail, finance, and technology, where person-to-person interaction is typically required; for example, 53% of account registration attacks against tech companies are done by people. This type of activity also varies by time of day: while the digital economy means fraudsters can strike at any time, most human-driven attacks aim to align with the targeted time zone's business hours so as to appear legitimate. This is why human-driven attacks are more popular in the retail industry than any other, researchers report.

Fraudsters target both mobile and desktop traffic, which make up 30.9% and 69.1% of fraudulent traffic, respectively. This also varies by industry. Mobile is hot in social media and retail; in the gaming space, much of fraud traffic comes from consoles. Finance and tech traffic primarily comes from desktop machines, likely due to their larger screen size.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'Culture Eats Policy for Breakfast': Rethinking Security Awareness Training."

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9016
PUBLISHED: 2020-02-16
Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.
CVE-2020-9013
PUBLISHED: 2020-02-16
Arvato Skillpipe 3.0 allows attackers to bypass intended print restrictions by deleting <div id="watermark"> from the HTML source code.
CVE-2020-9007
PUBLISHED: 2020-02-16
Codoforum 4.8.8 allows self-XSS via the title of a new topic.
CVE-2020-9012
PUBLISHED: 2020-02-16
A cross-site scripting (XSS) vulnerability in the Import People functionality in Gluu Identity Configuration 4.0 allows remote attackers to inject arbitrary web script or HTML via the filename parameter.
CVE-2019-20456
PUBLISHED: 2020-02-16
Goverlan Reach Console before 9.50, Goverlan Reach Server before 3.50, and Goverlan Client Agent before 9.20.50 have an Untrusted Search Path that leads to Command Injection and Local Privilege Escalation via DLL hijacking.