Fraudsters keep innovating as they target retailers
With the holiday season in full swing, researchers urge retailers to double down on their cybersecurity.
As more people shopped online during the Covid pandemic, rates of fraud mushroomed. Indeed, in the UK alone, data suggests that the number of online fraud attacks grew from around 30,000 in the first half of 2019 to over 40,000 in the first half of 2020.
Analysis from the digital trust and safety firm Sift reveals that the latest generation of online fraudsters is using ever more sophisticated credential stuffing attacks to take control of the customer accounts at a number of e-commerce retailers.
The findings were based on an analysis of the company’s aggregate platform data, which was combined with a 1,000-respondent survey of consumers. The research was triggered by a surge in cyberattacks that focused on account takeovers in the past 12 months.
The Digital Trust and Safety Index examines the various ways in which fraudsters attempt account takeover attacks, with the researchers uncovering a sophisticated fraud ring that aims to overwhelm online merchants by deploying new and innovative credential stuffing attacks.
"Cybercriminals know that the methods they’ve used to steal from businesses and consumers in the past will only work for so long — so they change their tactics," the report says. "Meanwhile, Trust and Safety and fraud management teams chase after these evolving threats by adopting new methodologies and technologies, resulting in a cat-and-mouse game in which businesses must constantly protect themselves against the newest fraud vector."
The attacks initiated by the Proxy Phantom fraud ring took advantage of a huge cluster of rotating and connected IP addresses to conduct an automated wave of credential stuffing attacks aimed at giving the criminals control of thousands of customer accounts on a range of e-commerce websites.
In total, the group used over 1.5 million stolen username and password combinations to flood retailers with a barrage of automated, bot-based login attempts.
At the peak of the attack, the report says, the group was making as many as 2,691 login attempts per second.
A constant battle
The report highlights the constant fight between cybercriminals and cybersecurity teams, with the criminals willing and able to adopt an increasing array of novel techniques in a bid to bypass and overwhelm fraud prevention systems. This could involve, for instance, making seemingly suspicious login attempts look legitimate, or even making legitimate attempts look suspicious.
"Trust and Safety professionals and frontline fraud fighters are in a constant battle of wits against fraudsters, with both sides working tirelessly to evolve their tactics and methods," the report says. "Our findings reveal a troubling trend: cybercriminals are exploiting newly emerging technologies and changing behaviors to subvert effective fraud prevention and throw fraud professionals off their scent."
The battle is compounded by the often poor security habits displayed by consumers.
For instance, reusing common, easily guessed passwords makes the criminals' job far easier than a robust password regime would. The researchers argue that retailers need to do more to bolster their defenses and operate a robust digital trust and safety strategy to prevent fraudsters from feasting on their customer base.
Sift reveals a rise in account takeover (ATO) attacks of an incredible 307% between April 2019 and June 2021. Indeed, ATO attacks represented nearly 40% of all fraud attacks blocked via the Sift network during the second quarter of 2021.
A mercurial adversary
Little is known about the Proxy Phantom gang, not least because they make heavy use of VPNs to make their location difficult to identify. The researchers explain that while credential stuffing is by no means a new method of attack, today's attackers use automation to cycle through a huge volume of IP addresses alongside a huge array of compromised logins when attacking a target.
While Proxy Phantom isn’t the first group to deploy this approach, they are perhaps the biggest identified to date.
The researchers believe it's an approach that is gaining traction, not least because of the difficulty in stopping it.
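Why this approach is hard to stop follows directly from how most login defences work: a per-IP rate limit never fires when a pool of thousands of proxies spreads the attempts so thinly that no single address looks busy. The following added example (not code from Sift or from the report; the event format, field names, thresholds and the sample traffic are all constructed assumptions) contrasts a classic per-IP limiter with a fleet-wide detector that looks at failures across all IPs, together with the number of distinct usernames and source addresses behind them, and then lists the logins that succeeded while the attack window was open.

```python
"""Detecting credential stuffing that rotates through many IPs.

Added illustration, not code from Sift or the report. Event tuples, field
names and thresholds are assumptions; the sample traffic is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)  # fixed reference so bucketing does not depend on local time


def make_sample_events():
    """Constructed login log: a little legitimate traffic plus a 30-second
    stuffing burst in which every IP is used at most twice and every
    username is tried once. Fields: (timestamp, ip, username, outcome)."""
    base = datetime(2021, 6, 1, 12, 0, 0)
    events = [
        (base, "203.0.113.5", "alice", "success"),
        (base + timedelta(seconds=3), "203.0.113.5", "alice", "fail"),   # a typo
        (base + timedelta(seconds=10), "198.51.100.9", "bob", "success"),
    ]
    for i in range(300):                       # 10 attempts/second for 30 s
        ip = f"192.0.2.{i % 254 + 1}"          # rotating proxy pool (TEST-NET-1 range)
        user = f"user{i:04d}@example.com"      # one leaked credential pair per account
        outcome = "success" if i % 150 == 149 else "fail"  # a small share of pairs still valid
        events.append((base + timedelta(seconds=i // 10), ip, user, outcome))
    return events


def per_ip_alerts(events, window_seconds=60, max_failures=5):
    """Classic defence: flag any IP that exceeds max_failures within a window.
    Against a rotating pool this stays silent, because no single IP is busy."""
    fails = defaultdict(list)
    for ts, ip, _user, outcome in events:
        if outcome == "fail":
            fails[ip].append(ts)
    flagged = set()
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_failures:
                flagged.add(ip)
                break
    return flagged


def stuffing_alerts(events, window_seconds=60, min_failures=50,
                    min_distinct_users=20, min_distinct_ips=20):
    """Fleet-wide view: per fixed window, count failures together with the
    distinct usernames and source IPs behind them. A stuffing run shows
    roughly one failure per username (each leaked pair is tried once) spread
    over many IPs; a brute force concentrates on one account, and a
    legitimate typo involves one user from one IP."""
    buckets = defaultdict(lambda: {"fails": 0, "users": set(), "ips": set()})
    for ts, ip, user, outcome in events:
        if outcome != "fail":
            continue
        key = int((ts - EPOCH).total_seconds()) // window_seconds
        b = buckets[key]
        b["fails"] += 1
        b["users"].add(user)
        b["ips"].add(ip)
    alerts = []
    for key in sorted(buckets):
        b = buckets[key]
        if (b["fails"] >= min_failures and len(b["users"]) >= min_distinct_users
                and len(b["ips"]) >= min_distinct_ips):
            alerts.append({
                "window_start": EPOCH + timedelta(seconds=key * window_seconds),
                "failures": b["fails"],
                "distinct_users": len(b["users"]),
                "distinct_ips": len(b["ips"]),
                "users_per_failure": round(len(b["users"]) / b["fails"], 2),
            })
    return alerts


def successes_in_flagged_windows(events, alerts, window_seconds=60):
    """Accounts that logged in successfully while a stuffing window was open.
    The attacker's hits are in here, but so are genuine users, which is why the
    response is step-up verification or a forced re-login rather than a lockout."""
    starts = {a["window_start"] for a in alerts}
    hits = set()
    for ts, _ip, user, outcome in events:
        key = int((ts - EPOCH).total_seconds()) // window_seconds
        if outcome == "success" and EPOCH + timedelta(seconds=key * window_seconds) in starts:
            hits.add(user)
    return hits


if __name__ == "__main__":
    evts = make_sample_events()
    print("per-IP flagged:", per_ip_alerts(evts))  # set(): every IP stays under the limit
    found = stuffing_alerts(evts)
    for a in found:
        print("stuffing window:", a)
    print("review these logins:", sorted(successes_in_flagged_windows(evts, found)))
```

In the constructed burst the busiest IP makes two failed attempts, so a per-IP threshold of five never trips, while the fleet-wide detector sees 299 failures from 254 addresses against 299 different usernames in one minute, a ratio of one username per failure that is characteristic of a credential list being walked once. The successful logins inside that window include two genuine users alongside the two accounts the attacker got into, which is the practical reason the response to a flagged window is a step-up challenge for those sessions, not a blanket block.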
While the focus of the report was on the retail sector, the researchers explain that financial services saw a huge surge in ATO attacks too, growing by 850% between the second quarter of 2020 and the same period in 2021. These attacks concentrated on digital wallets and crypto exchanges, where criminals attempt either to make illicit purchases or to liquidate accounts.
The importance of preventing ATO attacks was underlined by the finding that around half of victims suffered from repeat attacks, with attacks often resulting in abandonment of the brand.
Indeed, nearly 75% of consumers said they would shop elsewhere if their account was compromised.
Retailers should assume that a reasonable proportion of their customers have poor password hygiene, and do all they can to improve matters and prevent ATOs from happening, especially since attackers know that once they have compromised one login, they are very likely to be able to compromise other accounts belonging to the same individual.