PCQuest

Your Money Is Being Stolen!

Fraud-as-a-service offerings continue to evolve rapidly

- PCQ Bureau

Account checkers have been around for a long time, but fraud-as-a-service offerings have continued to evolve rapidly in the last couple of years because of the high volume of password breaches. Credential-stuffing tools such as Sentry MBA and SNIPR have been popular among fraudsters; however, their use is restricted by the limited availability of prebuilt configurations, which exist mostly for large websites.

Fraud Attack Trends: Q1 2019

Phishing and malware-based attacks are the most prolific online fraud tactics developed over the past decade. Phishing attacks not only enable online financial fraud; these sneaky threats also chip away at our sense of security as they get better at mimicking legitimate links, messages, accounts, individuals and sites. Automated fraud comes in the form of the various active banking Trojan horse malware families in the wild today; these malicious programmes do their work quietly and often without detection, until it is too late. By tracking and reporting the volume and regional distribution of these fraud threats, RSA hopes to contribute to the ongoing work of making consumers and organisations more aware of the current state of cybercrime and fuelling the conversation about combating it more effectively.

Consumer Fraud Trends: Q1 2019

The RSA Fraud and Risk Intelligence team analyses consumer fraud data and informs the security and risk management decisions of major organisations, while serving the public interest by identifying, preventing and reducing financial cyber fraud attacks on consumers. Observing consumer fraud trends over time can help decision-makers build or refine their digital risk management strategy across customer-facing deployments. These data points are intended to broadly frame the current consumer fraud atmosphere and identify relevant trends by tracking broad indicators of online fraud across both financial and e-commerce focus areas.

Device Age vs Account Age

“Device Age” refers to how long the RSA Fraud Platform has “known” or “trusted” a given device (laptop, smartphone etc.). “Account Age” refers to how long the RSA Fraud Platform has “known” or “trusted” a given account (login etc.). This data demonstrates the importance of accurate device identification to minimise false positives and customer friction during a login or transaction event.

E-commerce

In Q1, RSA saw a 17 percent increase in card-not-present (CNP) fraud transactions. Sixty percent of fraud transaction value originated from a new device but a trusted account, indicating that account takeover continues to be a preferred and successful attack vector for cybercriminals.

Online Banking: Login

While less than 1 percent of logins were attempted from a combination of a new account and new device, this scenario accounted for 32 percent of total fraud volume observed in Q1. This indicates fraudsters attempting to leverage stolen identities to create mule accounts as part of the “cash-out” process.

Online Banking: Payment

Similar to the fraud patterns at login, less than 1 percent of legitimate payment transactions were attempted from a new account and new device, yet they made up 48 percent of total fraud value, a slight increase from 43 percent in Q4. This indicates an increase in account takeover, where fraudsters attempt to use compromised financial information to initiate payments from victims’ accounts.

Account Checking Overview

RSA recently identified an online studio for developing account checkers capable of attacking nearly any website. In addition to facilitating the development of new checkers, the site has also created a new source of income for fraudsters, as the revenue generated from each checker is split between the site owner and the developer. This has introduced new opportunities for fraudsters to attack organisations not traditionally targeted by account takeover.

Account checkers are automated tools used by fraudsters to test username/password combinations and check their validity. Most checkers are relatively simple: they receive a list of credentials in a pre-determined format as their input, then iterate through them to determine which ones work. The more advanced checkers can also receive a list of SOCKS5 proxies to mask their checking activity.

Most checkers use the cURL library (a popular code library for interacting with remote servers) for their login attempts and then read the site’s response to determine whether the login was successful. On success, certain checkers may also retrieve information pertaining to the account, such as the credit card associated with it, the billing address and the order list.

For years, account checkers were relatively rare, as fraudsters focused on exploiting compromised credit cards. The number of credit card checkers, which, like account checkers, test whether a credit card is valid, outgrew the number of account checkers. The few account checkers that were available focused on very large online services such as eBay and PayPal, which at the time were highly targeted by phishing and other attack methods. However, in recent years RSA has observed a shift in the underground where more fraudsters are focusing on account takeover. This change can be attributed to several factors.

First, the advanced security methods deployed by financial institutions have created huge barriers to committing fraud, driving less sophisticated criminals to other attack vectors. Where in the past a fraudster committed e-commerce fraud by using a compromised credit card and the “guest checkout” option, today many use account takeover of existing customer accounts in order to reduce the risk of being flagged for fraud. Also, many of the accounts are used as infrastructure for further defrauding individuals and organisations. For example, compromised accounts on dating sites are used for romance scams, while compromised accounts at registrars and hosting companies are used to set up phishing websites. Another manifestation of this shift towards account takeover is the growing popularity of account stores. Similar to credit card stores, they are fully automated websites that enable fraudsters to purchase compromised accounts.

Account Checker Studio

Traditional account checking websites offer a list of checkers for hundreds of different websites. While this often includes the largest and most popular websites, their use is restricted by the limited availability of pre-built configurations. RSA has recently discovered an account checker site that also includes an account studio, which enables fraudsters to develop their own checkers for websites that do not already appear in the pool of available checkers. The site splits the income from the checker with its developer, providing an incentive for fraudsters to use the studio and increase the pool’s selection.

The studio provides a user interface for designing a new checker, enabling the user to define the different steps for checking an account. Each step consists of the POST and GET page requests that a browser sends while communicating with the website. The user can also set up specific headers that are sent with each step, in case the website the credentials are being checked against requires them for login. In addition, the studio allows its users to request custom checkers to be developed, and even grants them credits if their requests are fulfilled.

Once the different steps are defined, the checker is ready to be used; it will return TRUE for a valid account and FALSE for an invalid account. The developers have a designated dashboard on the website through which they can track the performance of their checkers. For example, they can see how many users were exposed to their checker, how many checks were actually performed and how much money they’ve earned from those account checks.

While other account checking sites are limited by the amount of work their operators put in, this new studio opens up the creation of account checkers to the broader fraud community. As a result, the number and diversity of websites that have dedicated checkers available on the dark web has grown exponentially. With over 500 checkers currently in its pool of websites to choose from, RSA expects this number to grow even more as the site gains popularity. As such, organisations, regardless of size or industry, should expect growth in automated credential stuffing and account takeover attacks.

It can be difficult to spot automated attacks because legacy tools are not designed or architected to look for them. Account checkers are based on scripts that follow a specific set of page requests, and they generate patterns that can be identified when analysing activity logs. These patterns can help block subsequent login attempts conducted by the same checker. In addition, since many checkers use proxy servers, these patterns should not be based solely on IP addresses, but rather on specific headers or unique characteristics that occur during the login process.

The adoption of technologies that leverage behaviour analytics can assure that authenticated users and anonymous guests are interacting with applications in expected ways. Behaviour analytics can identify unusual patterns of behaviour across both web and mobile applications – for example, the way a user navigates a site, or robotic activity such as thousands of login attempts within only a few minutes. The old username/password combination is simply no longer sufficient as a form of consumer authentication. The use of multifactor, adaptive authentication and transaction risk analysis to watch for signs of fraud based on device, user behaviour and other indicators is another critical layer to prevent the onslaught of account takeover in the event of a successful login attempt.
