Cybercriminals are driving up fraud levels to a record high by creating substantial armies of automated cyber robots, according to research.
ThreatMetrix’s cybercrime report for the first quarter of 2016 found that 311 million bot attacks were detected and stopped over a 90-day period.
Although around for some time, botnet attacks have become more complex, sophisticated and harder to predict than ever before.
In many cases, they are mirroring the activity of normal consumers transacting online – be that banking or online shopping.
Alongside the loud and fast hacks reported in the news, the study also highlighted ‘low and slow attacks’ that are designed to evade any protection measures in place, and appear more like normal user traffic.
This is making it increasingly difficult for businesses to distinguish between real customers and cybercriminals, and leading to millions, if not billions, of pounds of lost business in the UK.
The UK, alongside Germany and the US, remains one of the most attacked nations in the world. The UK saw approximately 35 million bot attacks in the same time period – three times as many as the same quarter in 2015.
How are these bot armies created?
When fraudsters get a new list of user credentials from the dark web, they launch a series of massive credential testing sessions that cause huge transaction spikes over a couple of days.
Once a successful hit is made, those curated lists of known password and login combinations are taken to other sites to launch slower velocity attacks, which are harder to detect.
A staggering 264 million attacks were detected specifically across e-commerce merchants in this last quarter alone, putting online shoppers and retailers hugely at risk of a serious breach.
Vanita Pandey, VP of strategy and product marketing at ThreatMetrix, said these attacks are particularly hard to detect because they aren’t always picked up by traditional rate control measures.
“Our normal lines of defence just aren’t working,” Pandey said. “Fraudsters can create pitch-perfect attacks because they know so much about us.
“Businesses must become smarter at detecting the full spectrum of possible attacks, from huge automated identity testing sessions, to advanced social engineering attacks that hijack individual accounts.”
New forms of identity
In addition to botnets testing the validity of stolen identities, there are a growing number of ways to test credentials obtained through the dark web. Online businesses are inadvertently providing a perfect way for fraudsters to anonymously test stolen payment credentials, such as credit cards, before making a big ticket purchase.
Industries with low digital sophistication are easy targets. ThreatMetrix detected a series of £5 payments made with stolen credit cards targeting the charity sector.
Identity spoofing was also a strong attack vector in the FinTech space with fraudsters using cloaking technologies such as proxies or spoofed locations to mask their true identities and locations. This has given rise to an increase in fraudulent new loan applications.