Fraudsters increasingly using automation for sophisticated attacks

Kevin Gosschalk brings a unique perspective to his work at Arkose Labs, and it is helping the company develop a strong reputation in the fraud and abuse prevention industry.

Gosschalk, Arkose Labs CEO, previously worked in video game design, computer science, and social media before building tools that provide early detection for diabetes and assist people with intellectual disabilities through concepts such as gamification.

He said those experiences gave him unique perspectives on functionality and the user experience.


The idea is to protect consumer accounts from fraud, and Arkose Labs does it well enough that PayPal both backs the company and uses it for its own protection.

Arkose Labs recently released its newest security report, which, among other things, predicted a 60% increase in attacks over the holiday shopping season.

The travel sector is seeing more fraud as people leave their homes, and financial industries saw a 32% surge in fraudulent activity in the first half of 2021.

One clear trend is the increased use of automation tools in the commission of more extensive and more sophisticated fraud campaigns, Gosschalk said.

That is reflected in supply chain fraud growth and micro-deposits fraud at financial institutions and fintechs.

Attacks at scale

“They’re doing these kinds of things at scale, and that is something we continue to see on the rise across our network,” Gosschalk said. “It’s a huge amount of attacks like that. There are, of course, human attacks but nowhere near at the sheer volume and scale.”

Black Friday has almost become Black November, where companies can generate up to 40% of their annual revenue. E-commerce companies then attempt to spread the activity over a more extended period and take some of the strain off their systems.

That is why shoppers see deals earlier than before.

That activity brings challenges as many vendors, for fear of losing business to competitors, may lower security processes to maintain a seamless checkout experience, Gosschalk said. Criminals know this too, as it is easier to hide amongst more traffic.

“If you’re going to get in, you’ve got a higher chance on that day than on any other,” Gosschalk said.

How much effort scammers make can depend on the vertical they are attacking, Gosschalk added.

Given the amount of money at play, financial institutions invite sophisticated attacks such as one-time password interception techniques to get users’ PINs and avoid multi-factor authentication processes. SIM swaps target phone numbers.

“They’ll go to that level of sophistication because it’s worth it to them,” Gosschalk said. “The return on investment is worth it.”

‘Spray and pray’

Contrast that with techniques targeting much less lucrative video game accounts, Gosschalk said. Those attacks often use credential stuffing, which is automated and easily scalable and is described as “spray and pray.”

COVID-19 saw a massive migration into digital payments, and most of the new entrants were prime targets for criminals, Gosschalk said.

These were people with good incomes but who had not traditionally spent money online, such as seniors needing to buy groceries digitally for the first time.

The higher unemployment rate drove some to conduct easy scams, such as getting government handouts. Techniques were readily available online.

“YouTube will teach you everything you need to know about referral fraud, chargeback scams, credential stuffing — it’s all there,” Gosschalk said.

He added that sharing successful techniques online provides criminals with cachet that they hope will attract partners who can help them conduct more significant schemes in the future.

While not explicitly working against ransomware, Arkose Labs also saw several campaigns target COVID-19 testing labs, Gosschalk said.

Close to 90% of fraud is conducted from desktop computers, Gosschalk said. It’s a consistent trend because it’s the easiest path for a fraudster wishing to look like a unique user on every new attempt.

Mobile harder to crack

Using mobile phones is impractical for several reasons.

Following desktop, Android-based systems are the next most popular method (though much harder than desktops), while iOS systems are much harder to employ.

Apple has long focused on user privacy as a core feature of its systems, much to the frustration of security firms and law enforcement agencies.

Apple is now making it more challenging with iCloud Private Relay, which prevents firms and agencies from gleaning valuable information that helps protect legitimate users. With iCloud Private Relay, those entities lose that signal.

“It makes it harder for us to identify bad actors and also good users and treat them in a better way,” Gosschalk said.

The declining use of cookies is another good news/bad news situation, Gosschalk explained. Cookies are often used for nefarious tracking purposes, but they also help identify legitimate regular users.

Gosschalk said he could see a future where those device fingerprinting techniques are lost because manufacturers restrict security providers’ access.

The report confirms China as the most popular country for attacks to originate from, Gosschalk said.

What initially looks surprising is that the United States is the second most popular country, but there’s a catch.

USA IPs masked

He explained that the USA is the site of many devices where attacks come from, but not where they originate. Tools such as free VPNs and apps generate revenue from selling user information to third parties who use the home devices as hosts from which they launch attacks.

“We see a lot of that,” Gosschalk said. “There’s a lot of people unwillingly participating in these attacks.”

Actors in popular countries for fraud, such as Russia, are motivated to mask their efforts so that security personnel do not focus on specific regions as much, Gosschalk explained.

That takes work, and each step security teams can take to make it harder for scammers serves a purpose.

“It’s all part of the game,” Gosschalk noted. “You have to increase their costs to the point where it’s not worth it anymore. That’s what we’re aiming for here.”

How do companies like Arkose Labs stay ahead of the next big fraud trend? They conduct research and participate in and monitor discussion forums to debate such activities.

They also hold bug bounties and work with converted hackers, including a pioneer from an early dark web community.

Monitoring financial systems to identify abnormal spending patterns from suspected criminals is another tool.

“From a technology standpoint, the more advanced attackers that are making the most money are really good at masking who they are,” Gosschalk said. “If you’re really good in this space, you shouldn’t get caught.”

Tony Zerucha is a long-time contributor in the fintech and alt-fi spaces. A two-time LendIt Journalist of the Year nominee and winner in 2018, Tony has written more than 2,000 original articles on the blockchain, peer-to-peer lending, crowdfunding, and emerging technologies over the past seven years. He has hosted panels at LendIt, the CfPA Summit, and DECENT's Unchained, a blockchain exposition in Hong Kong.