Professional Documents
Culture Documents
May 2018 Rsa Fraud Report q1 2018
May 2018 Rsa Fraud Report q1 2018
FRAUD REPORT
Volume 1, Issue 1
Q1 2018
CONTENTS
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Feature Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
By tracking and reporting the volume and regional distribution of these fraud
threats, RSA hopes to contribute to the ongoing work of making consumers
and organizations more aware of the current state of cybercrime and fueling
the conversation about combating it more effectively.
Brand Abuse
Fraud Attack Type Distribution Online content, such as social media, that
6% misuses an organization’s brand with the
The distribution of major fraud tactics and attacks Mobile Apps
purpose of misleading users.
can help organizations understand the current
trends being employed. As each type of fraud attack
21% Mobile Application Fraud
requires differing levels of resourcing and technical Brand Abuse
48%
Mobile applications using an
competence, this statistic, tracked over time, can
Phishing organization’s brand without permission.
provide a glimpse into the change in preferred attack
vectors in order to help organizations respond more
effectively.
25%
In the first quarter of 2018, phishing attacks made Trojan
8,000
is still the most widely used tactic. This may be due to
its low technical barriers to entry, combined with the low In Q1 2018, RSA detected over 8,000 rogue mobile
resource requirement for simple, low-tech attack vectors applications, representing 6 percent of observed attacks
such as email. Still, Trojan horses accounted for one out of last quarter. The proliferation of fraud in the mobile
every four observed fraud attacks in Q1, potentially due channel is further demonstrated below (see Transaction ROGUE MOBILE
to the increasing availability of malware-as-a-service kits and Fraud Transaction Distribution by Channel). APPLICATIONS
and services available in the cyber underground.
3. India 3. India
4. Brazil 4. Australia
5. Netherlands 5. Canada
6. Colombia 6. France
7. Spain 7. Luxembourg
8. Mexico 8. Germany
9. Germany 9. China
61% 59% 57% 56% 55% 54% 52% 54% 54% 51% 47% 45% 45%
62% 51% 47% 39% 40% 45% 45% 45% 39% 39% 35% 32% 35%
2015 2015 2015 2015 2016 2016 2016 2016 2017 2017 2017 2017 2018 2015 2015 2015 2015 2016 2016 2016 2016 2017 2017 2017 2017 2018
Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1
Web Mobile Browser Mobile App Web Mobile Browser Mobile App
EUROPEAN AUSTRALIA/
AMERICAS UK
UNION NEW ZEALAND
“Device Age” refers to how long the RSA Fraud ONLINE BANKING: PAYMENT
Platform has “known” or “trusted” a given device Similar to fraud patterns at login, only 0.4 percent of originates from a known/trusted account and device,
(laptop, smart phone, etc.). “Account Age” refers to how legitimate payment transactions are attempted from which suggests that there is a high likelihood that
long the RSA Fraud Platform has “known” or “trusted” a new account and new device, yet this combination these devices may be infected with financial malware
a given account (login, etc.). This data demonstrates makes up 22 percent of total fraud values, once capable of performing man-in-the-middle account
the importance of accurate device identification to again potentially indicating money mule activity. The takeover attacks.
minimize false positives and customer friction during a highest volume of fraud, or 34 percent of total value,
login or transaction event.
E-COMMERCE
E-COMMERCE PAYMENT ONLINE BANKING LOGIN ONLINE BANKING PAYMENT
In the first quarter, 82 percent of fraud among
85.5
e-commerce transactions originated from a new 86%
leverage stolen identities to create mule accounts as New Account/ Trusted Account/ Trusted Account/ New Account/ Trusted Account/ Trusted Account/ New Account/ Trusted Account/ Trusted Account/
New Device Trusted Device New Device New Device Trusted Device New Device New Device Trusted Device New Device
part of their “cash-out” plans.
NEW ACCOUNT: Account Age < 1D NEW DEVICE: Account-Device Age < 1D
TRUSTED ACCOUNT: Account Age >= 90D TRUSTED DEVICE: Account-Device Age >= 90D
1,600,000
1,400,000
1,422,792
1,200,000
1,000,000
942,114
800,000
768,991
600,000
400,000
200,000
0
JANUARY FEBRUARY MARCH
In Q1 2018, RSA recovered more than 3.1 million unique compromised cards and card previews from reliable
online fraud stores and other sources. While many credit card stores share the same database, RSA only
monitors one store per database to avoid duplicates. These figures represent recovered cards with unique
card information which can be used for online fraud.
Criminals Are Users, Too. While there are differences between the
platforms and particular reasons to choose one over another, fraudsters
generally behave like typical social media users: most try to be represented
on as many platforms as possible to reach as wide an audience as possible, to
maximize their marketing and market visibility.
Exhibit 1: Reddit
Announcement Banning
Fraud-Related Subreddits
This is not the first time that the platform has banned fraud-related sections
of its site, but the recent action was significant in terms of the volume and size
of the subreddits that were banned, with “/r/DarkNetMarkets” being the most
prominent. The ban and the change of policy driving it elicited a strong reaction
among participants, who immediately commented on the subject, offering
alternatives and backup options for participants to continue operations despite
the loss of their usual platform.
Fraudsters, including those participating in the now-banned discussions, have
been warning about such a policy change and ban action for some time. In
preparation, some even claim to have backed up the data from the now-defunct
subreddits and offered links to download the deleted content (see Exhibit 2).
©2018 Dell Inc. or its subsidiaries. All rights reserved. RSA and the RSA logo, are registered trademarks or trademarks of Dell Inc. or its subsidiaries in
the United States and other countries. All other trademarks are the property of their respective owners. RSA believes the information in this document is
accurate. The information is subject to change without notice. Published in the USA 05/18