May 2018 - Rsa-Fraud-Report-Q1-2018


RSA QUARTERLY FRAUD REPORT
Volume 1, Issue 1
Q1 2018
CONTENTS
Executive Summary
Fraud Attack Trends: Q1 2018
Fraud Attack Type Distribution
Top Phishing Target and Hosting Countries
Consumer Fraud Trends: Q1 2018
Transaction and Fraud Transaction Distribution by Channel
Average Credit Card Transaction and Fraud Transaction Values
Device Age vs. Account Age
Compromised Credit Cards Discovered/Recovered by RSA
Feature Articles
#Fraud: The Dark Web Goes Social
Reddit Bans Fraud Subreddits

RSA QUARTERLY FRAUD REPORT Q1 2018 | 2


EXECUTIVE SUMMARY
The RSA® Quarterly Fraud Report contains fraud attack and consumer fraud data and analysis from the RSA® Fraud and Risk Intelligence team. It represents a snapshot of the cyber fraud environment, providing actionable intelligence to consumer-facing organizations of all sizes and types to enable more effective digital risk management.

RSA-OBSERVED FRAUD ATTACK AND CONSUMER TRENDS
For the period starting January 1, 2018, and ending March 31, 2018, RSA observed several global fraud trends across attack vectors and digital channels. The highlights include:

Phishing accounted for 48 percent of all cyber attacks observed by RSA in Q1. Canada, the United States, India and Brazil were the countries most targeted by phishing.

Financial Trojan horse malware accounted for one out of every four fraud attacks observed by RSA in Q1.

Consumer transactions and fraud continue to grow in the mobile channel. In the first quarter, 55 percent of transactions originated in the mobile channel and 65 percent of fraud transactions used a mobile application or browser.

More than 80 percent of observed fraudulent e-commerce transactions originated from devices that were “new,” meaning unknown to RSA’s Risk Engine at the time of observation.

FEATURE ARTICLES
#Fraud: The Dark Web Goes Social
Over the last decade, social media platforms have grown to become an integral part of not just our daily private lives, but also our public lives. But for credit card fraudsters, or carders, social media provides the scalability, anonymity and reach necessary to promote their virtual storefronts.

Reddit Bans Fraud Subreddits
This quarter’s second feature article discusses how Reddit, the well-known social news and media aggregation site, recently banned numerous fraud subreddits. Reddit is one of the many social media platforms that fraudsters leverage for communication and is mainly used to exchange contacts, advertise their services and exchange fraud information from Dark Web fraud forums.



FRAUD ATTACK TRENDS: Q1 2018
Phishing and malware-based attacks are the most prolific online fraud tactics
developed over the past decade. Phishing attacks not only enable online
financial fraud but these sneaky threats chip away at our sense of security as
they get better at mimicking legitimate links, messages, accounts, individuals
and sites. Automated fraud comes in the form of the various active banking
Trojan horse malware families in the wild today. These malicious programs do
their work quietly and often without detection until it is too late.

By tracking and reporting the volume and regional distribution of these fraud
threats, RSA hopes to contribute to the ongoing work of making consumers
and organizations more aware of the current state of cybercrime and fueling
the conversation about combating it more effectively.



Fraud Attack Trends: Q1 2018
Total Attacks Detected

QUARTER    TOTAL ATTACKS DETECTED
Q1 2017    26,894
Q2 2017    17,492
Q3 2017    26,740
Q4 2017    29,347
Q1 2018    24,581

FRAUD ATTACK GLOSSARY

Phishing
Cyber attacks attempting to steal personal information from unwitting end-users under false pretenses either by email, phone call (vishing) or SMS text (smishing).

Trojan Horse
Stealthy malware installed under false pretenses, attempting to steal personal user information.

Brand Abuse
Online content, such as social media, that misuses an organization’s brand with the purpose of misleading users.

Mobile Application Fraud
Mobile applications using an organization’s brand without permission.

Fraud Attack Type Distribution
The distribution of major fraud tactics and attacks can help organizations understand the current trends being employed. As each type of fraud attack requires differing levels of resourcing and technical competence, this statistic, tracked over time, can provide a glimpse into the change in preferred attack vectors in order to help organizations respond more effectively.

ATTACK TYPE    SHARE OF OBSERVED ATTACKS
Phishing       48%
Trojan         25%
Brand Abuse    21%
Mobile Apps    6%

In the first quarter of 2018, phishing attacks made up nearly half of all observed cyber attacks. Phishing, while among the oldest types of online fraud attacks, is still the most widely used tactic. This may be due to its low technical barriers to entry, combined with the low resource requirement for simple, low-tech attack vectors such as email. Still, Trojan horses accounted for one out of every four observed fraud attacks in Q1, potentially due to the increasing availability of malware-as-a-service kits and services available in the cyber underground.

In Q1 2018, RSA detected over 8,000 rogue mobile applications, representing 6 percent of observed attacks last quarter. The proliferation of fraud in the mobile channel is further demonstrated below (see Transaction and Fraud Transaction Distribution by Channel).



Fraud Attack Trends: Q1 2018
Top Phishing Target and Hosting Countries

RANK    TARGET COUNTRIES    HOSTING COUNTRIES
1       Canada              United States
2       United States       Russia
3       India               India
4       Brazil              Australia
5       Netherlands         Canada
6       Colombia            France
7       Spain               Luxembourg
8       Mexico              Germany
9       Germany             China
10      South Africa        Italy

PHISHING TARGETS
The top targets for internet scams reflect some of the most economically and technologically advanced nations in the world, across varying levels of technology adoption and engagement, and positioned across a range of geopolitical status and relationships. The list, essentially, shows where fraud actors are establishing and maintaining their priorities, and likely where they are experiencing the most success, for any number of reasons. Shifts to this list over time may suggest some significant change, intended or otherwise, to the state of success that phishing actors are experiencing in the given geography.

PHISHING HOSTS
The geographic areas observed to host ISPs related to phishing attacks include many of the same nations as reflected in the target nation list, with a few notable exceptions. For instance, the Russian Federation appears much more prominently in the “phishing host” list than in the victim list, as does China. This list does not necessarily reflect a national fraud motive or explicit support for phishing, but can show some bias toward nations where cybersecurity may still not yet be sufficiently ingrained in critical institutions and legal frameworks.



CONSUMER FRAUD TRENDS: Q1 2018
Quantifying cyber fraud is no simple task. Even with a deep
data set, few organizations have the necessary depth of
insight into the anti-fraud landscape to understand the nuance
involved in tracking people and tactics that are specifically
trying to remain hidden. The RSA Fraud and Risk Intelligence
team analyzes consumer fraud data and informs the security
and risk-management decisions for major organizations while
serving the public interest by identifying, preventing and
reducing financial cyber fraud attacks on consumers.
These data points are intended to broadly frame the current
consumer fraud atmosphere, and identify relevant trends, by
tracking broad indicators of online fraud across both financial
and e-commerce focus areas.



Consumer Fraud Trends: Q1 2018
Transaction and Fraud Transaction Distribution by Channel
[Figure: two stacked bar charts, GENUINE TRANSACTIONS and FRAUD TRANSACTIONS, showing the share of transactions by channel (Web, Mobile Browser, Mobile App) for each quarter from Q1 2015 to Q1 2018.]

Source: RSA Fraud & Risk Intelligence, January 2015-March 2018

TRANSACTION METHOD
The ways that consumers interact with financial systems can say much about the status of technology adoption and can signal shifts in user behavior overall. Taken among other fraud-based factors, the distribution between legitimate use of web browser, mobile application or mobile browser programs can be used as a baseline against which to measure the efficacy of fraudulent use of these technologies.

In the first quarter of 2018, mobile browsers and applications accounted for 55 percent of legitimate transactions observed by RSA. There was no change quarter over quarter in the distribution of legitimate transactions. Year over year, however, mobile use for legitimate transactions has risen 9 percent, mostly due to a 6 percent increase in fraud transactions through mobile applications during that time.

FRAUD TRANSACTION METHOD
Likewise, the ways that cybercriminals interact with financial systems can say much about the status of technology security and can signal shifts in adversaries’ tactics, techniques and procedures overall. When considered among other fraud factors, the distribution between illegitimate use of web browser, mobile application or mobile browser programs can be used as a sign of the efficacy of these technologies for nefarious purposes.



Consumer Fraud Trends: Q1 2018
Average Credit Card Transaction and Fraud Transaction Values
(E-Commerce, by Region)
The average value of a fraudulent transaction will likely always be higher than that of a genuine transaction because fraudsters regularly use stolen credit cards to make quick, high-value purchases, since these goods are easy to resell for a profit. There are, however, insights to be gained in the differences between the spending levels related to legitimate and illegitimate transactions.

In the first quarter, the most drastic difference was observed in Europe (minus the U.K.), where the average value of a fraudulent transaction was $439, 152 percent higher than the average genuine transaction. The Americas were not far behind with the value of a fraudulent transaction $508, 144 percent higher on average.

[Figure: bar chart comparing Transaction Value and Fraud Transaction Value for the European Union, Americas, UK and Australia/New Zealand.]

REGION TRANSACTION VALUE FRAUD TRANSACTION VALUE DIFFERENCE $ DIFFERENCE %


European Union $174 $439 $265 +152%
Americas $228 $508 $280 +144%
UK $196 $337 $141 +72%
Australia/New Zealand $208 $306 $98 +47%
Source: RSA Fraud & Risk Intelligence, January 2018-March 2018



Consumer Fraud Trends: Q1 2018
Device Age vs. Account Age

“Device Age” refers to how long the RSA Fraud Platform has “known” or “trusted” a given device (laptop, smart phone, etc.). “Account Age” refers to how long the RSA Fraud Platform has “known” or “trusted” a given account (login, etc.). This data demonstrates the importance of accurate device identification to minimize false positives and customer friction during a login or transaction event.

E-COMMERCE
In the first quarter, 82 percent of fraud among e-commerce transactions originated from a new device. In the case of known/trusted accounts, 62 percent of fraud transaction value was from a new device, which is indicative of account takeover or credential-stuffing attacks where fraudsters could be attempting transactions from the same account across multiple merchants.

ONLINE BANKING: LOGIN
While less than half of a percent (0.4) of legitimate logins were attempted from a combination of a new account and a new device, this scenario accounted for 32 percent of total fraud volume observed in Q1. This pattern could indicate fraud actors attempting to leverage stolen identities to create mule accounts as part of their “cash-out” plans.

ONLINE BANKING: PAYMENT
Similar to fraud patterns at login, only 0.4 percent of legitimate payment transactions are attempted from a new account and new device, yet this combination makes up 22 percent of total fraud values, once again potentially indicating money mule activity. The highest volume of fraud, or 34 percent of total value, originates from a known/trusted account and device, which suggests that there is a high likelihood that these devices may be infected with financial malware capable of performing man-in-the-middle account takeover attacks.

[Figure: three bar-chart panels, E-COMMERCE PAYMENT, ONLINE BANKING LOGIN and ONLINE BANKING PAYMENT, each showing % of transaction volume and % of fraud value for New Account/New Device, Trusted Account/Trusted Device and Trusted Account/New Device.]

NEW ACCOUNT: Account Age < 1D
NEW DEVICE: Account-Device Age < 1D
TRUSTED ACCOUNT: Account Age >= 90D
TRUSTED DEVICE: Account-Device Age >= 90D

Source: RSA Fraud & Risk Intelligence, January 2018-March 2018
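
The bucketing behind this comparison can be reproduced on an organization's own event data. The following is an added example, not RSA's code: it classifies events with the legend's thresholds (< 1D is new, >= 90D is trusted) and compares each bucket's share of transaction volume with its share of fraud value. The `Event` fields, function names and sample events are constructed for illustration; "volume" is assumed to mean transaction count, and ages that fall between the two thresholds go to an "other" bucket.

```python
from collections import defaultdict
from dataclasses import dataclass

NEW_MAX_DAYS = 1        # legend: "new" means age < 1D
TRUSTED_MIN_DAYS = 90   # legend: "trusted" means age >= 90D


@dataclass(frozen=True)
class Event:  # hypothetical record layout, not an RSA schema
    account_age_days: float          # how long the account has been known
    account_device_age_days: float   # how long this account-device pair has been known
    amount: float
    is_fraud: bool


def age_class(days):
    """Map an age in days to the legend's classes; 1 to 89 days is neither."""
    if days < NEW_MAX_DAYS:
        return "new"
    if days >= TRUSTED_MIN_DAYS:
        return "trusted"
    return "other"


def bucket(event):
    """Name the account/device bucket an event belongs to."""
    account = age_class(event.account_age_days)
    device = age_class(event.account_device_age_days)
    if "other" in (account, device):
        return "other"
    return f"{account} account/{device} device"


def distribution(events):
    """Return {bucket: (pct of transaction volume, pct of fraud value)}."""
    counts = defaultdict(int)
    fraud_value = defaultdict(float)
    for e in events:
        b = bucket(e)
        counts[b] += 1
        if e.is_fraud:
            fraud_value[b] += e.amount
    total_count = sum(counts.values())
    total_fraud = sum(fraud_value.values())
    return {
        b: (
            round(100 * counts[b] / total_count, 1),
            round(100 * fraud_value[b] / total_fraud, 1) if total_fraud else 0.0,
        )
        for b in counts
    }


# Constructed sample events (not data from the report).
SAMPLE_EVENTS = [
    Event(400, 200, 50.0, False),
    Event(400, 150, 80.0, False),
    Event(365, 0.1, 500.0, True),   # trusted account, new device
    Event(0.5, 0.5, 300.0, True),   # new account, new device
    Event(120, 95, 200.0, True),    # trusted account, trusted device
    Event(30, 10, 40.0, False),     # between thresholds: "other"
    Event(200, 0.2, 60.0, False),
    Event(500, 300, 20.0, False),
]

if __name__ == "__main__":
    for name, (vol, fraud) in sorted(distribution(SAMPLE_EVENTS).items()):
        print(f"{name:32s} {vol:5.1f}% of volume  {fraud:5.1f}% of fraud value")
```

A bucket whose share of fraud value far exceeds its share of volume is the kind of disproportion the report describes for new account/new device logins.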



Consumer Fraud Trends: Q1 2018
Compromised Credit Cards Discovered/Recovered by RSA

[Figure: bar chart of compromised cards recovered per month for January, February and March, y-axis from 0 to 1,600,000. Bar labels: 1,422,792; 942,114; 768,991.]

Source: RSA Fraud & Risk Intelligence, January 2018-March 2018

In Q1 2018, RSA recovered more than 3.1 million unique compromised cards and card previews from reliable
online fraud stores and other sources. While many credit card stores share the same database, RSA only
monitors one store per database to avoid duplicates. These figures represent recovered cards with unique
card information which can be used for online fraud.



FEATURE ARTICLES
#Fraud: The Dark Web Goes Social
Over the last decade, social media platforms have grown to become an integral part of not just our daily private lives but also our public lives. For credit card fraudsters, or carders, social media platforms provide the scalability, anonymity and reach necessary for them to peddle stolen goods in their virtual storefronts.

In our original study of this growing threat, outlined in the RSA report “Hiding in Plain Sight,” much of the global cybercriminal activity occurred on Facebook, QQ and Baidu. However, due to the global rise in popularity of multiple social media platforms, many fraudsters have expanded their activities to new platforms, including WhatsApp, Telegram, Instagram, Snapchat and others.

Continued research also revealed new insights into how social media technology and the traditional criminal marketplace create a new kind of fraud market, including ideas about the medium itself and the humans setting up shop. The power of modern social media and networking platforms to keep exclusive communities of like-minded people connected is being co-opted by fraudsters looking to take advantage of the anonymity, usefulness and global reach of these applications to profit.

WHY FRAUDSTERS LOVE SOCIAL MEDIA
There are several reasons fraudsters, like legitimate users, are attracted to social media platforms as “control stations” for their social lives and even their businesses. The mass communicative properties of these networking programs bridge physical divides and distances to allow seamless sharing of ideas and information. On top of that, many platforms provide additional benefits to users looking to maintain an exclusive space for a specific purpose that remains unknown to those not trusted enough to be part of the circle:

Built-in Anonymity. The use of representative screen names and subjective identity information, such as a user profile, allows malicious actors their initial layer of confidentiality. Given the ready availability of webmail, and its nonexistent identity verification requirements, not only can malicious actors have one anonymous account, but they can—and often do—have dozens or more, ready to be activated.

Exclusive, Invite-Only Structures. Explicit invite-only and group-management functionality inherent in nearly all social media platforms is valuable to fraudsters whose primary concern, even above making money, is to remain unknown to any who would foil their plans, or report them to authorities.

Mobile Integration. Early social media platforms had to be optimized for mobile. Today’s applications are engineered to be viewed as handheld dashboards of their users’ lives. Mobile-enabled social platforms allow real-time monitoring and access to all information on the network, from anywhere with cellular access or Wi-Fi, enabling fraudsters to be nimbler than ever in making deals and dodging authorities.



Across the range of platforms, there are some interesting trends that may be useful in evaluating the current status of social media fraud marketplaces. For example:

Extended Feature Sets. In the past, there was a clear distinction between instant messaging platforms and social media. However, during the last few years, those same platforms, which have been used solely for the purpose of peer-to-peer communication, have evolved into something more and are used in the same way as social media.

Multi-platform Models. All fraud groups in social media can be thought of as one uniform sphere, with fraudsters often advertising groups/contacts from one platform in another one, and alternating between two or more platforms even during conversations. Moreover, the content shared in the various social media groups is inherently similar, and mainly serves to increase the fraudster’s reputation and customer base.

Criminals Are Users, Too. While there are differences between the platforms and particular reasons to choose one over another, fraudsters generally behave like typical social media users: most try to be represented on as many platforms as possible to reach as wide an audience as possible, to maximize their marketing and market visibility.

CONCLUSION
Until the next round of law enforcement or corporate action to regulate malicious activity in these spaces, the criminal shadow will hang over social media in general, and most certainly in the case of social media fraud markets. Modern cyber thieves will continue to look for the most effective and efficient ways to cash out stolen financial and identity information while blending in with the billions of other users and accounts on their preferred platforms.

In the meantime, understanding the draw of social media in general can help us understand its attractiveness to the criminal element, and in turn, it informs our efforts to combat misuse and to justify our continued financial and social investment in these new information technologies. Social media is an enabler for business, but it also presents a growing digital risk to consumer-facing organizations. Keeping track of and reporting on the adoption and utilization of these platforms by fraudsters is imperative to keep all interested parties—including the public at-risk—aware of this very real problem.



Feature Articles
Reddit Bans Fraud Subreddits
Reddit is one of the many social media platforms that
fraudsters utilize for their communication and fraud
business purposes. Reddit is mainly used by fraudsters
to exchange contacts, advertise their services and
share reliable sources of Dark Web fraud forums.
Recently, the well-known social news and media
aggregation site banned numerous fraud subreddits
(see Exhibit 1).

Exhibit 1: Reddit Announcement Banning Fraud-Related Subreddits

This is not the first time that the platform has banned fraud-related sections
of its site, but the recent action was significant in terms of the volume and size
of the subreddits that were banned, with “/r/DarkNetMarkets” being the most
prominent. The ban and the change of policy driving it elicited a strong reaction
among participants, who immediately commented on the subject, offering
alternatives and backup options for participants to continue operations despite
the loss of their usual platform.
Fraudsters, including those participating in the now-banned discussions, have
been warning about such a policy change and ban action for some time. In
preparation, some even claim to have backed up the data from the now-defunct
subreddits and offered links to download the deleted content (see Exhibit 2).

Exhibit 2: Users Offer Links to Purported Backups of Content from Banned Fraud Subreddits



Many former participants were quick to offer alternatives to Reddit for future activities. Some suggested existing platforms similar to Reddit, to which these communities can more easily migrate; others recommended new platforms that seem to have been established specifically to fill the void created by Reddit’s action. The latter are fraud-oriented and offer a variety of advantages for illicit activity. The alternatives to Reddit that were suggested in these discussions include Dread and DNM Avengers (see Exhibit 3), platforms where most banned subreddits have been directing visitors.

Exhibit 3: Dread and DNM Avengers, Alternative Fraud Forums Suggested in Lieu of Banned Reddit Fraud Spaces

CONCLUSION
Reddit appears to have taken a visible stand when it comes to preventing cybercrime activity on its platform, having now seemingly banned the majority of fraud-focused content therein. Since the ban took effect, fraudsters seem to have been quick to adopt alternative platforms, where they may find less resistance in pursuit of their illicit activities.

Despite these positive actions taken by Reddit and other platform operators to remove posts, profiles and groups engaged in illicit activity, this will not likely reduce the overall volume of fraud being conducted online. While Facebook was the most popular platform among fraudsters in RSA’s original study, the use of other social media platforms is growing rapidly as a fraud communication channel. Fraudsters are also extending their operations to new infrastructure such as the blockchain to host credit card stores, fraud marketplaces and underground forums. We expect fraud to expand even further across social media, the blockchain and even Internet of Things (IoT) devices, throughout 2018. RSA will continue to monitor and report on this growing cybercrime trend.



ABOUT THE RSA FRAUD & RISK INTELLIGENCE SUITE
The RSA Fraud & Risk Intelligence Suite helps organizations manage fraud and digital risk across multichannel
environments without impacting customers or transactions. The suite offers risk-based authentication and
behavior analytics solutions for web, mobile and e-commerce as well as fraud intelligence services to allow
organizations to protect their customers across the entire digital journey. The Fraud & Risk Intelligence Suite is
deployed at over 5,000 global organizations and protects over 1.5 billion consumers.

©2018 Dell Inc. or its subsidiaries. All rights reserved. RSA and the RSA logo, are registered trademarks or trademarks of Dell Inc. or its subsidiaries in
the United States and other countries. All other trademarks are the property of their respective owners. RSA believes the information in this document is
accurate. The information is subject to change without notice. Published in the USA 05/18
