As mobile payment applications increasingly integrate with social media platforms, fraudsters are using a mix of bots and human labor to increase their chances of a successful account takeover.
More than half of logins, at 53%, on social media sites are fraudulent and 25% of all new account applications on social media are fake, according to fraud research from Arkose Labs. Those logins are often fraudsters testing stolen credentials or taking over an account.
Even though automated bots, at more than 75%, trigger most of the attacks on social media platforms, many continue to be driven by humans if a bot is detected or stumbles in the process of finding security gaps or scraping data.
Payments are targeted for a high percentage of attacks because fraudsters test stolen card credentials by signing up for free accounts of various types and using those to assure they aren't quickly detected when initiating fraudulent transactions, said Vanita Pandey, vice president of marketing at San Francisco-based Arkose Labs.
In addition, "denial of inventory" attacks go beyond payments in that the fraudster will go to a website selling concert tickets and attach a bot to it.
"It takes three minutes for a bot to sell out a concert by buying tickets, and then the fraudsters will resell those tickets on the marketplace to scalp for a profit," Pandey said.
Arkose Labs' fraud prevention platform analyzed more than 1.2 billion transactions between April and June of 2019, spanning account registrations, logins, and payments from financial services, e-commerce, travel, social media, gaming and entertainment industries. The analysis took place in real time, and researchers found that one in 10 transactions were attacks, ranging from automated bots to malicious humans.
The login abuse aspect "underscores the fact that the vast majority of consumers use the same username and password across most of their online accounts, and so one database breach then results in these automated credential stuffing attacks," said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"Credential stuffing comes up in almost every conversation I have with fraud execs at banks and merchants these days," Conroy said. "It's a big problem, especially when you have automated bots mixed with human farms, so detection is particularly difficult."
The Philippines emerged as the top attack originator for both automated and human-driven attacks, with the U.S. a distant second. Just more than 88% of attacks from the Philippines are automated, with 11.7% being human driven. Nearly 60% of attacks from China are human driven, which is more than four times higher than the U.S., Russia, the Philippines and Indonesia.
Technology companies are heavily targeted by human-driven fraud, as they account for 43% of all of those attacks. Account registrations for tech companies are four times more likely to be attacks than legitimate logins, the research found.
Payment transactions in the travel industry remain at high risk for fraud, coinciding with the rise of online travel arrangements. Payments for travel are 10 times more likely to be attacked, especially from bots looking to block inventory. Ten percent of all login attempts on travel sites are fraud and 46% of all payment transactions are fraud.
The retail industry experiences the highest volume of human-driven attacks, at more than half of all attacks. Inauthentic human traffic is harder to detect because human behavior is unpredictable and "highly nuanced," the report stated.
"There are two sides of the detection equation, as you have to look at identity and intent," Pandey said. "You can only let a transaction through if it passes through all of the security tools, and if you are not sure, you ask for more identity."
The fraud ecosystem between automated bots and organized human sweatshops is well connected now, Pandey added.
"We will see more organized attacks, more bots trained to do more things and humans being brought in when needed," she said. "It's a mix that happens all of the time now and fraudsters are trying to create a pattern there."
