Fraudsters focusing on attacking account creation apparently like the trend of merchants storing consumer payment data to make repeat purchases easier for shoppers.
This trend has ignited a massive uptick in botnet attacks that target website logins and new account creation, according to a fourth-quarter 2015 cybercrime report from ThreatMetrix.
The number of e-commerce attacks that ThreatMetrix detected and stopped in the fourth quarter increased by 30% over the previous quarter, and increased by 80% from a year earlier.
The ThreatMetrix network detected 58 million login attacks during the quarter, a 25% increase over the previous quarter and 124% over the 2014 fourth quarter. Of those 58 million attacks, 28 million occurred during the retailers’ peak shopping days around Cyber Monday and Christmas. The spike during key shopping days resulted in a 250% increase over the previous year’s big retail days.
"The attack on logins to steal credentials is probably the most surprising trend," said Vanita Pandey, vice president of product marketing for ThreatMetrix Inc. "Years ago, consumers used to have someone else enter data for them to make a payment [at the point of sale], but now with digital wallets and mobile apps we have made everyone a data entry person."
That process means a consumer’s payment and personal data sits on someone else’s servers, which become a key access target for fraudsters, Pandey added.
San Jose-based ThreatMetrix provides payment processors and other businesses that handle sensitive data with a global network that monitors and screens millions of transactions for potential fraud.
The increase in botnet attacks, or those coming from a coordinated network of computers seeking credentials or running fraudulent transactions, is a direct result of the massive amount of stolen credentials available from past breaches, Pandey said.
Overall, ThreatMetrix detected 230 million botnet attacks during the quarter, a number that includes when the fraudster is simply testing stolen credentials to determine if they are still valid before launching fraudulent transactions or attacks against other credentials. They include attacks against retailers, banks, healthcare, online lenders and social media.
"The sheer volume, of more than 200 million attacks detected, shows that big retailers are seeing 3 million to 4 million attacks on a daily basis," Pandey added. "For financial institutions, the botnet attacks were 10 times higher in the fourth quarter than the previous quarter."
Because returning users are the biggest drivers of digital transactions, it is becoming increasingly critical for retailers, financial institutions and businesses to be able to recognize those customers through behavior analytics, while ensuring they are not wrongly rejected in the fight against fraudsters, the report stated.
Even though the attack percentage has risen and botnet attack numbers are "hard to wrap your mind around," there is a silver lining, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"We are seeing a lot of technology out there to fight this, but the report does really highlight the fact that these merchants and banks can never stand still," Conroy said.
Other fraud research has supported what ThreatMetrix observed, Conroy added. "We have seen reports saying that for every two human visits to a website, there is one malicious bot visit, and that's just huge."
Fraud prevention companies know they are in a long, complex fight now to protect payment and individual credentials, Conroy said.
"When seeing some metrics behind these bot attacks, it just means there is a lot of server capacity connected to support all of these malicious attacks," she added. "But the folks who are talking about this stuff are the ones who continue to innovate so they can stay ahead of it."
One merchant informed Aite Group that, in the past, one in every 30 transactions was fraud, but around the middle of last year that number jumped to one in 10, Conroy said.
And fraudsters are keeping their return on investment at a high level, according to the report. The "basket" for an online fraudulent transaction was generally 70% larger in value than an average transaction, the report stated.
Fraud tactics have become increasingly complex, making it challenging for e-commerce merchants to fight back with only one or two tools in their arsenal.
"More merchants are realizing it's not just black and white anymore, there is much gray area in fraud," Pandey said. "They want to make knowing the difference between good and bad customers very consistent, and the biggest asset is shared intelligence."
All of the data signals an end to traditional authentication methods, Pandey added.
In the past, fraud was "transactional," much like a pickpocket stealing a wallet and disappearing into the crowd, she said. Now, fraud rings "work in a parallel universe" opening fake accounts and e-mail addresses to attack e-commerce sites on an ongoing basis.