The digital world is marred by various kinds of fraud, including account takeovers, malware-initiated transactions, and exploitation of loopholes in legitimate transactions. Identity is the first line of defense against fraud, and it faces the full brunt of the assault with attempts like new account fraud, synthetic identity fraud, and account takeover fraud. F5 Labs has tracked various identity-related attacks and malware campaigns and found that the effectiveness of hacker tricks changes over time. This article takes a step back from analyzing hacker techniques and looks for answers to two key questions:
- What is fueling the growth in fraudulent transactions?
- Why, even with sophisticated security tools, do these attacks succeed?
Fraud’s Low Entry Barrier and High Payback
In the digital era, the thought of not being “connected” is unfathomable. To maintain continued online access, everyone uses credentials. Fraudsters are on the lookout for these credentials to help them circumvent security controls and commit fraud. They succeed by capitalizing on:
- The plethora of available breached credentials. The 2021 Credential Stuffing Report by F5 Labs and Shape Security exposed a profound lack of awareness about the threat of credential spills. Tracking the use of 900 million credentials spilled in Collection X across two banks, a retailer, and a food and beverage provider revealed that legitimate users continued to use 610 million of the compromised credentials. Fraudsters can easily acquire these credential sets and take over genuine accounts.
- Breached personally identifiable information (PII). Fraudsters frequently need to create look-alike accounts or synthetic identities, or to reset credentials for a genuine account. To do so, they need access to genuine user data. Figure 1 shows how PII for more than 300,000 customers of a hardware wallet shop was available for purchase through a dark web auction with a starting price of 2 Bitcoins. [1]
- Malware-infected machines. With advances in protection mechanisms like antivirus software, sandboxes, and browser security, the use of infected machines to commit fraud seems to have slowed. A 2021 Kaspersky report shows that only 4 percent of fraudulent transactions in the financial sector were from malware-infected devices. [1] However, this vector cannot be completely discounted, as malware researchers routinely find new and innovative ways of coding to avoid detection and mitigation, as shown in Figure 2.