Bot attacks on the rise, but so are defenses

The mounting cyberattack numbers plaguing e-commerce in the past year would discourage even the most seasoned technologists, let alone everyday merchants and consumers who suffer when any of those attacks is successful.

More than 700 million global cyberattacks and 1.7 billion bot attacks took place in 2017, according to a cybercrime report from the fraud prevention provider ThreatMetrix. Those numbers represent a 44% increase in the attack rate since 2016, and ThreatMetrix says bot attacks accounted for as much as 90% of daily traffic for some retailers.

"While there are some big numbers in this report, what I see is very consistent with the conversations I’m having with financial institutions and merchants," said Julie Conroy, research director and fraud expert with Boston-based Aite Group.

"Bots are the new black," Conroy added.

ThreatMetrix also says it detected and stopped 251 million attacks in real time during the fourth quarter of 2017 alone, a 113% increase over the previous year. It is, however, a case of stopping more threats because there are more overall.

"We were able to catch much of this, but it is just relentless," said Vanita Pandey, vice president of product marketing at San Jose, Calif.-based ThreatMetrix.

The network saw 840 million bot attacks in the fourth quarter alone, a number that matches the entire attack volume for all of 2016, while also finding that more than 1 in 10 new account creations are fraudulent. Through all of 2017, 130 million attacks occurred against the financial services industry through the use of fake credentials.

All of it is further evidence that the recent data breaches affecting personal information and payment card credentials are reaping a major harvest for criminals.

"The intensive automation of cybercrime in conjunction with the widespread compromise of personal identifiable information and credentials are leading to rising account takeover and new account fraud for FIs and merchants alike," Conroy said.

Aite found that the tipping point has been reached where the industry will move away from reliance on static personal information and passwords to digital identity elements and complex authenticators such as biometrics, Conroy said.

As if the rising numbers aren't enough, those bot attacks continue to evolve, with the charity sector being hit hard with high volumes of $1 to $5 donations as fraudsters test the validity of stolen credit cards before going on to make higher-value purchases elsewhere, the ThreatMetrix report said.

It's all in a year's work for cybercriminals, Pandey said.

"Throughout the year, we are seeing a lot of account testing taking place," she said. "It's almost like Santa's Workshop, where they spend the whole year building toys. These criminals wait the whole year to launch an attack, otherwise spending that time testing accounts."

The security network reported that some South American and Asian countries were turning up for the first time as the origination points for attacks. Vietnam, in particular, was a source for more than 60% of all attacks against U.S. retailers on certain days in the last quarter of the year.

"It's not like Vietnam is going to be the grand center of cybercrime," Pandey said. "It's more about who has the data at a certain time and who has the tools to orchestrate the attacks."

Criminals are not wasting as much time trying to sell stolen payment credentials in bulk, but rather spending the time to test the credentials and assure the buyer that they "work" in terms of making fraudulent purchases.

"They are saying don't buy these credentials in bulk for pennies on the dollar because you have to go through them all," Pandey said. "Now they are saying, we have tested these, so just buy these for more."

It has created a different level of the criminal network.

"A lot of these gangs don't attack," Pandey said. "They are the drug dealers of the stolen-data world and they just test the credentials and then sell them."
