Criminals figured out in 2018 how to really frustrate retailers. They automated their bots to create high-volume attacks against online merchants, finds the ThreatMetrix Cybercrime Report: H2 2018.
Released Tuesday by ThreatMetrix, an anti-fraud company purchased by LexisNexis Risk Solutions last year, the report finds there were 5.5 billion bot attacks against e-commerce retailers in 2018, compared with 1.8 billion in 2017.
“We’ve seen a slight drop in human-initiated attacks, but really strong growth in bot attacks,” Rebekah Moody, director of fraud and identity at LexisNexis Risk Solutions, tells Digital Transactions News.
Bot attacks were fairly uniform from the first half to the second half of 2018, she says. “Criminals are buying credentials en masse and using that to launch high-velocity, fast-paced, automated attacks to breach good customer accounts for making fraudulent orders or stealing further credentials,” Moody says.
This is happening for several reasons, one of which is the ability to exploit the vast amount of breached personal information. “It’s also partly because of the phenomenon of crime-as-a-service, which makes an attack easier because the tools are being sold almost as a package,” Moody says.
Another factor is technology itself, says Michael Yeardley, senior director of fraud and identity at the company. “Technology broke down some of the barriers that previously existed,” Yeardley says. “Technology is providing the scale. The scalability over time is reaching a critical point.”
Criminals did not spare other business categories. Among financial-service providers, 5.4% of the attacks were on payments, followed by 2.9% for new-account creations, and 0.8% for account logins. The big trend, however, is the use of mobile as an attack vector, especially for account takeovers.
“This is driven by banks moving to full-service banking apps, which customers are adopting in droves,” Moody says. The account-takeover attack rate for mobile increased 211% from 2017 to 2018. One reason for this growth is that fraudsters are able to hide in the high-volume traffic, she says. “And there are more mobile credentials in general.”
Another issue is mobile tethering. ThreatMetrix says tethering a device to the Internet via a mobile hot spot often indicates fraud. “Desktop transactions that are carried out with a mobile tether are 2.4 times more likely to be fraud than a transaction with a device connected via WiFi [or] fixed-line broadband,” the report says. This enables criminals to station themselves inside a location, such as a bank, where they can cash out their misdeeds immediately, Moody says.
Other highlights from the second half of 2018 include 17 billion total processed transactions through the ThreatMetrix network. Sixty-one percent of them came from mobile devices.