Voice of the Industry

Evolution of fraud attacks: How new strategies emerge, stacked on top of tried and tested methods

Thursday 3 February 2022 08:51 CET | Editor: Irina Ionescu | Voice of the industry

Aleksander Kijek, CIO at Nethone, talks about the new threats in fraud attacks and how we can face the current security challenges amid the pandemic


The rise of ecommerce’s share of global retail sales – from 14% in 2018 to 19% in 2020 due to the effects of COVID-19 lockdowns – has likewise led to an increase in global fraud rates. This is in part down to a new group of online shoppers not fully aware of the dangers of the internet. They are perfect targets. Fraudsters use a bag of tricks based around social engineering (an act that influences a person to take an action that may not be in their best interest) to get what they want from them.

Phishing remains a prominent scam method, in which cybercriminals fool victims into divulging sensitive information. Emails designed to provoke fear and urgency entice people to click on a malicious link. They are directed to what appears to be a legitimate service in order to pay an outstanding bill or update their details. If the ruse succeeds, the account falls under the control of the fraudster.

Similar techniques include vishing (eliciting information or action over the phone) and SMiShing (using SMS to do the same). Often, though not always, using tools to spoof caller ID, the fraudster makes a direct call or SMS appear to come from the victim’s own bank or another service and to require urgent action. By persuading the victim to install a remote desktop program (RDP, which gives a remote party control of the device) to supposedly fix a problem, the fraudster gains access to the account. Surprisingly, the main aim is not to steal money: the bigger prize can be scans of ID documents saved on the victim’s device, which are used to assume a real identity to open multiple new accounts, launder cash, and take out loans.

Two-factor authentication (2FA) is not so strong

Having long been the standard for authenticating online transactions and preventing phishing, 2FA appears to provide adequate protection. It is based upon two levels of security: a password (something you know), and an authentication code, often received via SMS on a phone (something you own). Unfortunately, fraudsters have upped their game so much that 2FA provides little more than a false sense of security.

Cybercriminals can defeat 2FA using the Muraena and NecroBrowser toolkit. Developed by researchers Michele Orru and Giuseppe Trotta, it was built to highlight that anti-phishing strategies can be compromised. Previously, deep technical knowledge and many tools were required to defeat 2FA: attackers needed their phishing sites to function as proxies, forwarding requests to the legitimate service and delivering its responses in real time. The aim was to obtain valid browser session cookies, but these had to be used quickly before they expired.

The Muraena and NecroBrowser toolkit automates the entire process, bypassing 2FA with a reverse proxy that captures login credentials and valid session cookies. NecroBrowser then uses the gathered cookies, instructing a set of dockerised Chrome browsers to keep the stolen sessions alive, allowing a fraudster to use the target account until they are discovered.

A simpler method to get around 2FA is SIM swapping. Through phishing and/or social engineering, a fraudster obtains a victim’s details, using them to contact their mobile service provider. Impersonating the victim and feigning the loss of a phone, they attempt to convince the provider to port the number to a new SIM. If successful, all incoming calls/messages (including verification codes) will be sent to the fraudster’s phone.
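The two bypasses above both end with the fraudster holding a session that the service still believes belongs to the victim. One server-side control that limits how long such a session stays useful is to bind each session token to the client context that completed the login and to a short expiry, so that a cookie replayed later from a different browser context, or kept alive beyond its lifetime, is rejected and can be routed to step-up authentication. The following is an added illustration written for this article, not code from Nethone or from the toolkit discussed; the fingerprint inputs (user agent plus an IP prefix), the 15-minute lifetime and the server key are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for the example; a real deployment would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)
# Short lifetime: a stolen cookie is only useful until this expiry forces a fresh login.
SESSION_TTL_SECONDS = 15 * 60


def client_fingerprint(user_agent: str, ip_prefix: str) -> str:
    """Hash of client properties the session is bound to (assumed inputs for the example)."""
    return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()


def issue_session(user_id: str, user_agent: str, ip_prefix: str, now: float) -> str:
    """Mint a session token tied to the client that completed login and to an absolute expiry."""
    fp = client_fingerprint(user_agent, ip_prefix)
    expires = int(now) + SESSION_TTL_SECONDS
    payload = f"{user_id}|{fp}|{expires}"
    # HMAC over the payload so the client cannot alter the binding or extend the expiry.
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def validate_session(token: str, user_agent: str, ip_prefix: str, now: float) -> tuple[bool, str]:
    """Accept the token only if it is authentic, unexpired and presented from the bound client.

    Returns (True, user_id) on success, otherwise (False, reason) so the caller can
    choose between silent rejection, step-up authentication or session revocation.
    """
    try:
        user_id, fp, expires, tag = token.split("|")
    except ValueError:
        return False, "malformed"
    payload = f"{user_id}|{fp}|{expires}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad-signature"
    if now > int(expires):
        return False, "expired"
    if fp != client_fingerprint(user_agent, ip_prefix):
        # The cookie is genuine but arrives from a different client context: treat as possible replay.
        return False, "client-mismatch"
    return True, user_id


if __name__ == "__main__":
    t0 = time.time()
    token = issue_session("customer-42", "Mozilla/5.0 (constructed UA)", "203.0.113", t0)
    print(validate_session(token, "Mozilla/5.0 (constructed UA)", "203.0.113", t0 + 30))
    print(validate_session(token, "HeadlessChrome (constructed UA)", "198.51.100", t0 + 30))
    print(validate_session(token, "Mozilla/5.0 (constructed UA)", "203.0.113", t0 + SESSION_TTL_SECONDS + 1))
```

A `client-mismatch` result is a detection signal rather than proof of fraud (genuine users change networks), so the sensible response is to demand re-authentication instead of failing silently. Binding and short expiry raise the cost of replaying captured cookies and shrink the window in which a kept-alive session can be used; they do not stop the proxy from capturing the credentials in the first place, and they do nothing against SIM swapping, where the SMS code itself is redirected, so they complement rather than replace stronger authentication.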

ATO fraud attempts in ecommerce will only increase

Cybercriminals are always trying to stay one step ahead of the anti-fraud actors aiming to thwart them. Fraudsters are becoming increasingly crafty, combining new techniques with tried-and-tested ones to achieve account takeover (ATO).

To combat fraud, the European Union introduced the PSD2/SCA (revised Payment Services Directive / Strong Customer Authentication) regulations, requiring merchants to apply multi-factor authentication to online transactions. This has improved anti-fraud measures, and rather than going up against stronger authentication at checkout, many fraudsters now focus on ATO instead. The methods are easier than you might think, which is why ecommerce merchants need to take effective countermeasures.

Fraudsters try to beat anti-fraud by behaving like a normal customer

Once an account has been acquired, a fraudster will aim to act similarly to the original account holder to ‘warm up the shop’. This process requires time and patience.

The fraudster’s first steps are to analyse the account’s purchase history, delivery address, payment methods and so on. This is followed by browsing online shops and adding products similar to those previously purchased to the shopping cart. Returning days later, adding more goods, making a purchase, and leaving reviews all seem natural. Some fraudsters, in a very nonchalant manner, will also contact customer services to engage in conversation and build a rapport with the ecommerce merchant. Eventually, the unwanted items are removed from the cart and only the goods the fraudster actually wanted are purchased. This can go on indefinitely until the fraud is discovered.

Advanced anti-fraud solutions based on exhaustive end-user session profiling and machine learning can prevent attacks

Such attacks show why merchants have begun to take their users’ behaviour seriously, and why rule-based anti-fraud systems can be ineffective against evolving attacks. The answer to these problems is to deploy advanced anti-fraud solutions based on behavioural biometrics and digital fingerprinting, backed by AI/machine learning models. This is precisely what Nethone provides. Our integrated solution effectively differentiates genuine customers from fraud actors in real time and in a non-invasive manner. Global fraud threats and techniques are evolving, but so too are the solutions.
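The ‘warm up the shop’ pattern described in the previous section is hard to catch with any single rule, because each step taken alone looks like ordinary shopping; it is the combination of a new device, a new delivery address and a cart whose history-matching items are dropped at checkout in favour of different goods that stands out. The following added example, written for this article and not Nethone’s own model or code, scores one checkout session against a constructed account profile using exactly those signals. The weights, thresholds and the shape of the profile and session records are assumptions made for the illustration.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class AccountProfile:
    """What the merchant already knows about the genuine account holder (constructed fields)."""
    known_devices: set[str]
    known_addresses: set[str]
    history_categories: set[str]
    past_order_values: list[float]


@dataclass
class Session:
    """Events observed in one logged-in session up to checkout (constructed fields)."""
    device: str
    shipping_address: str
    cart_removed: list[tuple[str, str]]          # (item, category) removed just before checkout
    ordered: list[tuple[str, str, float]]       # (item, category, value) actually purchased


# Assumed weights for the example; a production model would learn these from labelled data.
WEIGHTS = {
    "new_device": 0.30,
    "new_address": 0.25,
    "category_drift": 0.20,
    "cart_swap": 0.15,
    "value_spike": 0.10,
}


def session_signals(profile: AccountProfile, s: Session) -> dict[str, bool]:
    """Derive boolean risk signals by comparing the session with the account's own history."""
    signals = {}
    signals["new_device"] = s.device not in profile.known_devices
    signals["new_address"] = s.shipping_address not in profile.known_addresses

    # Share of purchased items in categories the account has never bought from.
    ordered_cats = [cat for _, cat, _ in s.ordered]
    drift = sum(cat not in profile.history_categories for cat in ordered_cats) / max(len(ordered_cats), 1)
    signals["category_drift"] = drift >= 0.5

    # The warm-up tell: items matching the account's history were added, then removed at
    # checkout, while what was actually bought does not match the history.
    removed_all_match = bool(s.cart_removed) and all(cat in profile.history_categories for _, cat in s.cart_removed)
    signals["cart_swap"] = removed_all_match and drift >= 0.5

    # Order value far above what this account typically spends.
    total = sum(value for _, _, value in s.ordered)
    typical = median(profile.past_order_values) if profile.past_order_values else total
    signals["value_spike"] = total > 3 * typical
    return signals


def risk_score(signals: dict[str, bool]) -> float:
    """Weighted sum of the signals that fired, rounded for stable comparisons."""
    return round(sum(WEIGHTS[name] for name, fired in signals.items() if fired), 2)


def decide(score: float) -> str:
    """Map the score to an action; thresholds are assumptions for the example."""
    if score >= 0.6:
        return "step-up-auth"
    if score >= 0.3:
        return "manual-review"
    return "allow"


# Constructed sample data: a long-standing customer who buys books and kitchenware.
PROFILE = AccountProfile(
    known_devices={"dev-A"},
    known_addresses={"addr-home"},
    history_categories={"books", "kitchen"},
    past_order_values=[40.0, 55.0, 60.0],
)

# The warm-up pattern: familiar items parked in the cart, then dropped for electronics shipped elsewhere.
WARMED_UP_SESSION = Session(
    device="dev-Z",
    shipping_address="addr-drop",
    cart_removed=[("novel", "books"), ("frying pan", "kitchen")],
    ordered=[("phone", "electronics", 700.0), ("laptop", "electronics", 1200.0)],
)

# An ordinary purchase by the genuine account holder.
NORMAL_SESSION = Session(
    device="dev-A",
    shipping_address="addr-home",
    cart_removed=[],
    ordered=[("cookbook", "books", 45.0)],
)


def assess(profile: AccountProfile, s: Session) -> tuple[float, str]:
    score = risk_score(session_signals(profile, s))
    return score, decide(score)


if __name__ == "__main__":
    print("warmed-up session:", assess(PROFILE, WARMED_UP_SESSION))
    print("normal session:", assess(PROFILE, NORMAL_SESSION))
```

The point of the layout is that `cart_swap` only fires when two behaviours coincide, which is what separates the fraudster’s choreography from a genuine customer who simply changes their mind; a single-signal rule such as “new device” alone would push the same customer’s legitimate purchase from a new phone straight into review. In practice the signal set would be far richer (the behavioural biometrics and device fingerprinting mentioned above), and the weights would come from a trained model rather than hand-picked constants.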

This editorial is part of The Fraud Prevention in Ecommerce Report 2021/2022, the ultimate source of knowledge that delves into the evolutionary trail of the payments fraud ecosystem, revealing the most effective security methods for businesses to win the battle against bad actors.


About Aleksander Kijek

At Nethone, Aleksander bridges the gap between the tech and business teams, translating complex technological ideas into clear gains and turning client needs into tangible product developments. Additionally, he loves to dive deep into exploring new areas and opportunities for Nethone to deliver better results for our customers. When not fighting fraud, he can be found reading with a self-brewed third-wave coffee next to him, or bouldering.


About Nethone

Nethone is a machine learning-based fraud prevention SaaS company that allows online merchants and financial institutions to holistically understand their end-users, an approach also referred to as ‘Know Your Users’ (KYU) in industry parlance. With its proprietary online user profiling and ML technologies, Nethone can detect and prevent payment fraud and account takeovers with unrivalled effectiveness.



Keywords: fraud management, fraud detection, online fraud, two-factor authentication, multi-factor authentication, account takeover
Categories: Fraud & Financial Crime