By Pattie Dillon, Olivia Fryt, Julia Kisielius and Heather Smith, SpyCloud
Covid-19 may be giving some criminals an excuse to play dirty, but fraud is a never-ending game. This year, losses for e-commerce companies are expected to top $12 billion. Learn about the latest schemes and why account takeover tops the list of e-commerce attack techniques.
If you are feeling like you’ve just been forcibly inserted into one of those pandemic movies, you’re not alone. Each new scene unfolds with an increase of the world's confirmed coronavirus cases, deaths and recovery counts; a daily reminder that this isn't a movie but our grim reality. The surreal feeling of the unknown drives many of us to continually check online for updates in our own community as well as throughout the world.
These are uncertain times, but the one constant we can count on is criminals taking advantage of situations engineered to appeal to our curiosity and fears with the intent to exploit.
The emerging scams we have an eye on include those that are designed to distribute malware that collects personal data, and fraud schemes with a heavy cost to businesses and individuals. Some examples:
1. Phishing attempts that closely resemble authentic organizations, with messages containing links leading to fraudulent look-a-like websites. The goal of the cybercriminal is to trick the victim into clicking a link that downloads malware, or entering a myriad of unique identifiers, i.e. usernames, passwords and potentially other sensitive Personally Identifiable Information (PII).
A fake Public Health Agency of Canada website directing users to download a banking trojan malware called Ursnif, which steals data.
One security researcher has compiled a feed tracking new Covid-19-related domains popping up so the community can determine which ones are malicious. Users need to remain vigilant about the links they click when seeking coronavirus information online.
Some of the coronavirus-related domains that have been registered recently.
2. Food delivery service schemes. Below is a screenshot explaining how criminals are cracking meal-kit delivery accounts in an attempt to get free food delivered to their doorstep. Not only is this reprehensible now when access to food has become more difficult due to nationwide quarantines and self-isolation, but it also reflects a growing trend. What this criminal is advocating is account takeover, the top e-commerce attack technique according to a report by Signal Sciences.
A criminal forum post with instructions for taking over meal-kit delivery accounts.
In another case, criminals have resorted to a DDoS attack against a food delivery service in Germany, holding them hostage until an ~$11,000 ransom is paid.
…and many more that are compiled in this Covid-19 PSA article from SpyCloud.
How Cybercriminals Put Stolen Credentials to Work
With or without Covid-19 as a backdrop, cybercriminals are constantly inventing new ways to compromise unsuspecting users, collect their data and set themselves up to perpetrate fraud. But once they have stolen credentials in-hand, the methods they employ are getting more complex and harder to thwart.
While credential stuffing gets a lot of coverage, what’s less understood are the attacks that happened way before these automated attacks. Targeted account takeover attacks occur early in the breach timeline, after data is first acquired. Criminals analyze their list of stolen credentials to determine where to put the most effort — focusing on the highest-value targets (wealthy or high-profile individuals). Then they go about sidestepping multi-factor authentication through a variety of tactics that may include phishing, social engineering, or SIM-swapping.
Thwarting strategically targeted attacks with newly compromised credentials is a marathon, not a sprint. Bad actors will gather more personal information from accounts they access to maximize the impact of their criminal actions.
A bad actor logging into a credit card account, for example, will rotate IP addresses and use proxies masking their location. Once logged into the account, the first steps will be to modify the alert settings, and scroll through charges to observe spending habits and frequented vendors. They may also add users, and when possible, lock the victim out of their own account(s). Often, to bury the account modifications and order confirmations, email spam attacks will flood the victim’s inbox to cover up the activity.
The initial attacks will focus on login attempts using the same or similar stolen username and passwords to transact with the victim’s known vendors, placing fraudulent orders, siphoning loyalty points and making fund transfers from financial institutions.
Next steps may include the creation of synthetic identities using fragments of compiled personal identifiable information (PII) to set the stage for first party fraud. PII will be used to establish new credit lines that build the synthetic identity’s credit ratings and enable new online accounts for more fraudulent transactions. If this all sounds incredibly labor-intensive, it is! It takes a long time – often up to two years. Targeted attacks are perpetrated by sophisticated criminals who are willing to put the effort in since the rewards are so great. Of course, the damage to the individual is massive and can take years on their part to undo.
Once attackers have monetized the data via the above methods, the next phase is commoditization. They move on to automated credential stuffing campaigns, where bots deploy thousands of credential pairs against a slew of websites to gain access to other accounts. The cybercriminal’s objective at this point is to squeeze as much profit from old credentials as possible.
Whether the attacks are targeted or automated, what we’re describing is account takeover (ATO) – the most common attack technique on e-commerce sites (accounting for nearly 30 percent of attacks), according to that report by Signal Sciences.
Other attack types to solve for include code injections (think Magecart), cross-site scripting which enables bad actors to take over shopping carts and have the goods shipped elsewhere, and backdoor access where malware is installed that creates a persistent vulnerability and essentially grants the hacker wide-ranging systems access to execute all manner of malicious activities.
Now is the time to ensure you have strong anti-fraud measures in place to protect your users and organization from financial and reputational losses. There is no single tool to effectively perform all aspects of fraud prevention. Your anti-fraud toolset must include solutions to easily pivot, changing direction as new fraud trends emerge. It is paramount to monitor user accounts in real-time and for historical fraud analysis to separate high and low risk trends to be applied for future fraud mitigation.
SpyCloud provides a service enhancing anti-fraud risk intelligence, but also works side-by-side with industries to share knowledge and promote positive change to avoid fraud losses driven by high-level and low-level threat actors. We welcome inquiries from industries in need of knowledge, expertise, and service.