
2019: Fraud risk at a glance

NuData analysts’ interpretation of real-life attacks


January 1 - November 1, 2019

Contents
Foreword and 2019 risk trends assessment
Four trends that stood out so far in 2019
Top attack of choice by country of origin
Days with most fraud
Days with most fraud by industries
Sophistication as a growing threat
Signs of sophisticated attacks
Attacks leverage human factor
Spoofing is in decline
Conclusion: what the data tells us


Foreword and 2019 risk trends assessment
Billions of exposed user records are fueling mass-scale attacks daily,
from the simplest automation-based to the most sophisticated fraud
that emulates human behavior. Our data scientists continuously
analyze billions of data points to look for the emerging attack
trends, distilled and highlighted here.

This is the first of NuData’s periodic releases to analyze attack vectors and help fraud teams understand the trends taking shape. The report collects insights from the NuData Trust Consortium, a powerful pool of aggregated and anonymized data from NuData clients used to gather historical trends and train our machine learning models.

One of those trends is the growth of sophisticated attacks that focus on quality rather than volume. Bad actors use these sophisticated techniques to attack businesses across industries, allowing cybercriminals to increase their success rate with high-quality attacks that try to resemble human behavior such as faking human typing patterns. By doing so, cybercriminals reduce the chances of being detected by bot-detection tools, underscoring the importance of behavioral tools like NuData’s. Human attackers are also a common sighting; fraudsters hire workers to manually deploy smaller but more effective attacks that bypass bot-detection challenges such as CAPTCHA. For fraudsters, this is a common alternative to using a script that can’t solve a CAPTCHA challenge.

Across industries and regions, sophistication and attack creativity are pushing new boundaries, bypassing traditional security measures such as one-time passwords and legacy automation detection tools. In the next pages, we break down these fraud and risk trends to explain the threats digital companies face.

This report answers some questions, and hopefully raises others, as the best answers come from a conversation. If you would like to talk further about attacks and fraud trends we show here or share yours, feel free to contact us; we love talking about fraud.

Sincerely,
NuData Analyst team
verifygoodusers@nudatasecurity.com
DOCUMENT SUMMARY: KEY STATS

Four trends that stood out so far in 2019
From January 2019 to October 2019

430%
SOPHISTICATION IS GROWING AMONG ATTACKERS
Sophisticated attacks, those focused on quality rather than volume, have grown 430% since July, compared to the previous seven months.

ATTACKS TARGET DIFFERENT INDUSTRIES DEPENDING ON THE SEASON
Months with highest attacks: February for retail, digital goods and travel; September for financial institutions.
[Chart: Financial Institutions, Retail, Digital Goods and Travel by month, Jan to Oct]

330%
ATTACKS ARE LEVERAGING THE HUMAN FACTOR
Human account takeover attack instances have increased by 330% in the past four months.

SPOOFING IS IN DECLINE
Fewer than 2% of attacks used spoofing (changes on the device information to mislead the company’s security) compared to 60% in 2018.
60% (2018), 2% (2019)
ATTACK BY COUNTRIES

Top attack of choice by country of origin

The countries where most fraud comes from tend to deploy account takeover (ATO) attacks. This includes attacks at login and password reset. Companies can blacklist these attempts and challenge them automatically if the countries where the most high-risk traffic and least-trusted traffic comes from are known.

To look like good traffic, bad actors will choose to display the location where most real customers are. This is why the United States usually tops these types of rankings. However, many attackers who focus on the volume of attacks and want to keep their investment to the minimum don’t spend time hiding their real location, allowing companies to trace the attacks back to the country of origin.

[Map: top attack type by country of origin. Ukraine, Russian Federation, Thailand, United States, Brazil, India, Indonesia and Vietnam are each labeled ATO, with percentages from 87% to 100%.]

ATTACK SPIKES IN 2019

Days with most fraud

The days with most fraud are tied to the seasons attackers follow to deploy their attacks. In recent years, the first and last quarters of the year show the highest concentration of fraud risk, with summer as the lower risk season, and 2019 is no exception. The quieter periods during the summer months are often due to bad actors probing and preparing their schemes for the peak traffic attacks. This chart highlights the spikes from January 1st to November 1st in 2019.

The beginning of the year combines events such as Valentine’s Day and the ramp-up to Easter when consumers make most purchases – this chart doesn’t include the winter holiday season (Christmas, Black Friday and Cyber Monday). As bad actors follow good user behavior to better hide among the crowd, it is not surprising to see February, March and April contain the highest concentration of attack spikes across all industries. Already well into the last quarter of the year, we expect – and are presently witnessing – the attack volume to pick up again for the holiday shopping season.

[Chart: Total events by month, Jan to Dec]

Days with the most attacks: February 10, February 20, February 21, February 25, September 04

FRAUD SPIKES BY INDUSTRY

Days with most fraud by industries

Early in 2019, eCommerce, digital goods and travel companies were the main targets for bad actors, with the largest spikes around late February. However, financial institutions suffered larger attacks during the end of summer, a season with a higher concentration of banking attacks. Cybercrime is a large business and, like other big businesses, follows trends throughout the year.

When the peak shopping seasons are over, merchants see a drop off in legitimate traffic, which would allow them to spot bad actors more effectively. To avoid detection, some fraud groups change the targeted industry, attacking companies that still have high-traffic volumes, such as financial institutions. This explains the high attack volume on financial institutions toward the second half of the summer.

Top 3 days with most attacks by industry, in order of attack volume

eCommerce: February 25, January 03, February 24
Financial Institutions: September 09, September 11, August 30
Digital Goods: February 20, February 10, April 08
Travel: February 19, February 18, September 06

TYPES OF ATTACKS

Sophistication is a growing threat

The number of attacks using sophisticated techniques is increasing, showing the cybercrime industry as a whole is ramping up its tools to focus on the quality of attack instead of the quantity.

Sophisticated attacks have been steadily growing since July. Bad actors have proven they can run large-scale attacks and still emulate human behavior to increase their success rate. At the same time, the months with a lower presence of sophisticated attacks (February to April) are not a reason for comfort. These attacks focus on quality and high effectiveness rate rather than volume, so they can do severe damage.

[Chart: Attack sophistication. Percent of total attacks (0 to 100) by month, Jan to Oct, for basic attacks and sophisticated attacks]

For the purposes of this report, basic and sophisticated automated attacks are defined as follows:

A basic attack focuses on high volume rather than quality. It doesn’t attempt to emulate human behavior or browser interaction and it typically doesn’t execute JavaScript.

A sophisticated attack may show lower volume but attempts to emulate user behavior, increasing its effectiveness. It displays expected browser or application behavior and runs scripts in the environment to create this human-like interaction.


Some signs of sophisticated attacks

Sophisticated attack patterns (automated) can include:

Use of the keyboard to type the user information (i.e., username, password): A script doesn’t need to use a keyboard to type, but it can be forced to do so to seem human.

Use of irregular keystrokes and pauses to mimic human behavior: When a script uses a keyboard or keys to seem human, it can program a series of random pauses between keystrokes to resemble humans’ uneven typing.

Use of fake IP and location combinations that match (i.e., the IP belongs to an area in Boston and the location also points at Boston): Most attacks use randomized IPs and locations to keep attack costs down. Pairing up location and IP requires additional effort from the hacker, showing further sophistication.

Within our network we have seen sophisticated attacks attempting to access our clients’ environments. Some large attacks went on for months until they suddenly stopped, most likely moving on to another company where they can bypass more vulnerable defenses with their complex script.
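
A defender-side look at the keyboard and keystroke-pause signs listed above, as an added example that is not NuData's method or code: it classifies the gaps between keydown events in a login field. The thresholds, labels and sample timings are constructed, and the premise that human typing gaps are right-skewed while simple scripted pauses are evenly spread is an assumption of this sketch.

```python
import statistics

# Thresholds are illustrative assumptions, not values from the report.
FIXED_CV = 0.05     # coefficient of variation below this: metronome typing
JITTER_SKEW = 0.5   # |skewness| below this: pauses are symmetric
JITTER_TAIL = 2.5   # longest pause / median pause below this: no long pauses

def gaps_ms(key_times_ms):
    """Gaps between consecutive keydown timestamps (milliseconds)."""
    return [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]

def timing_features(gaps):
    mean = statistics.fmean(gaps)
    sd = statistics.pstdev(gaps)
    # Population skewness: third central moment divided by sd cubed.
    m3 = sum((g - mean) ** 3 for g in gaps) / len(gaps)
    return {
        "cv": sd / mean,
        "skew": m3 / sd ** 3 if sd else 0.0,
        "tail": max(gaps) / statistics.median(gaps),
    }

def classify_typing(key_times_ms, min_gaps=8):
    if not key_times_ms:
        # Field filled with no key events: scripted fill, but also paste
        # and password managers, so treat it as a weak signal only.
        return "no-key-events"
    gaps = gaps_ms(key_times_ms)
    if len(gaps) < min_gaps or min(gaps) <= 0:
        return "insufficient-data"
    f = timing_features(gaps)
    if f["cv"] < FIXED_CV:
        return "fixed-delay"
    if abs(f["skew"]) < JITTER_SKEW and f["tail"] < JITTER_TAIL:
        return "uniform-jitter"
    return "human-like"

def times_from(gaps):
    """Turn a list of gaps into timestamps starting at 0."""
    out = [0]
    for g in gaps:
        out.append(out[-1] + g)
    return out

# Constructed samples (not captured traffic).
FIXED = times_from([50] * 12)
JITTER = times_from([110, 150, 85, 135, 95, 140, 80, 125, 100, 145, 90, 130, 105, 120, 115])
HUMAN = times_from([95, 130, 88, 210, 102, 640, 115, 92, 180, 99, 1250, 108, 140, 97, 260])

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED), ("jitter", JITTER), ("human", HUMAN)):
        print(name, classify_typing(sample))
```

A "human-like" verdict only means these two cheap tells are absent; it is one input to a risk score alongside device and network signals, not proof that a person typed the credentials.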

ATTACKS WITH HUMAN BEHAVIOR

More attacks leverage the human factor

Bot detection tools, improved CAPTCHAs, and other technologies that mitigate automation are starting to affect bad actors. As expected, fraudsters look for alternatives to bypass these bot challenges, especially when targeting high-value accounts, such as financial accounts or merchant accounts with stored value.

Within the NuData network, fraudsters have increased the use of human workers to attack high-value accounts. For example, they use human farms where they pay workers to type out the required information on a device and bypass bot mitigation challenges. These human farm workers tend to live in developing countries and are paid by completed task, which can be a completed login, a posted review or the creation of a new account.

Across 2019, human-driven account takeover attacks remained relatively steady until the last four months, when these attacks increased by 330%.

[Chart: Human-driven attacks per month, in thousands (0 to 30), Jul to Oct. The last months of human-driven attacks that showed an upwards trend. 330%]

In our network we can see attack attempts that, after encountering a bot mitigation challenge, are redirected to a human worker to solve it. Our platform’s machine learning model was able to determine this change by drilling down into device and behavioral data from each event. Having visibility into this sophisticated behavior where the traffic is redirected to humans is crucial to prevent this type of fraud.

SPOOFING TECHNIQUES

Spoofing is in decline

Bad actors seek the easiest path to attack while avoiding detection, with techniques such as spoofing or faking the information on a device, such as IP, location, device operating system, or browser version. Spoofing is used when a device has been caught as fraudulent but the fraudster needs to use it again and disguises it as a new one with fake information. When fraudsters spoof the information on a device, such as the device operating system, they often type irrelevant data.

Spoofing techniques used in attacks: 60% (2018), 2% (2019)

From January 2019 to October 2019, less than 2% of the attack attempts used spoofing techniques such as basic changes on the device type. This could be driven by the improvement in existing device-intelligence technologies to catch device information abnormalities.

Example of spoofing: a bad actor switches the name of a device to another one, even if it doesn’t exist, like “iPhone 14”. They do this because they know a security tool will flag incomplete device information, but less often does a security tool check the validity of that information.
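
The gap described above, completeness checked but validity not, shown as an added example that is not NuData's code: a completeness-only check beside a validity check against a device catalog. The field names, finding labels, catalog entries and sample reports are constructed for illustration.

```python
# Constructed sample catalog: claimed model -> (OS family, OS major at launch).
# A production catalog would be far larger and kept current.
KNOWN_DEVICES = {
    "iPhone 8": ("iOS", 11),
    "iPhone XR": ("iOS", 12),
    "iPhone 11": ("iOS", 13),
    "Pixel 3": ("Android", 9),
}
REQUIRED = ("model", "os", "os_version")

def is_complete(info):
    """Completeness only: every required field is present and non-empty."""
    return all(str(info.get(k) or "").strip() for k in REQUIRED)

def validity_findings(info):
    """Validity: do the claimed values describe a device that can exist?"""
    if not is_complete(info):
        return ["incomplete"]
    entry = KNOWN_DEVICES.get(str(info["model"]).strip())
    if entry is None:
        return ["unknown-model"]
    family, launch_major = entry
    if str(info["os"]).strip().lower() != family.lower():
        return ["os-family-mismatch"]
    try:
        major = int(str(info["os_version"]).strip().split(".")[0])
    except ValueError:
        # Free-typed filler in a version field, e.g. "asdf".
        return ["unparseable-os-version"]
    if major < launch_major:
        # Assumption: a device does not run an OS older than it shipped with.
        return ["os-older-than-launch"]
    return []

# Constructed device reports (hypothetical field names).
SAMPLES = [
    {"model": "iPhone 14", "os": "iOS", "os_version": "12.4"},
    {"model": "iPhone 11", "os": "iOS", "os_version": "asdf"},
    {"model": "iPhone XR", "os": "Android", "os_version": "9"},
    {"model": "iPhone 11", "os": "iOS", "os_version": "12.1"},
    {"model": "Pixel 3", "os": "Android", "os_version": "9"},
    {"model": "iPhone 8", "os": "", "os_version": "11.0"},
]

def triage(samples):
    """Pair each report with (passes completeness check, validity findings)."""
    return [(is_complete(s), validity_findings(s)) for s in samples]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, triage(SAMPLES)):
        print(sample, result)
```

The first four reports pass the completeness check and are caught only by the validity check. Because a catalog lags new releases, "unknown-model" is better used to raise a risk score than to block outright.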

CONCLUSION

Conclusion: what the data tells us

Attacks are becoming more sophisticated, human, and fluid, moving quickly from one technique to another

1. Fraud attacks follow seasons, and so do the industries they target. From January 2019 to October 2019, the seasons with higher shopping activity such as Valentine’s Day and Easter have the highest concentration of attacks among eCommerce, digital goods and travel companies – without including the Christmas holiday season. Similarly, bad actors switch industries during the summer and increase their focus on financial institutions, an industry that suffered its biggest attack during the summer months.

2. Bad actors are shifting from high-volume basic attacks to high quality, human-like attacks. This growing trend is lower in numbers, making the danger seem less threatening, but shows a human-like behavior that increases its chances to succeed, bypassing traditional security solutions. With NuDetect, a solution often placed after a bot detection tool to detect automation, companies consistently see these human-like attacks bypass the first layer of defense. This sophisticated traffic enters the NuData network, where we flag this unusual human behavior, allowing our clients to mitigate the threat.

3. The challenges that security tools are placing in front of automated attacks are becoming a real problem for attackers, forcing them to increase the use of human workers. Manual attacks deployed by human workers are growing significantly. Some cybercriminal groups are extremely fluid and go as far as to combine bots and humans as part of the same attack. For instance, fraudsters divert a login attempt that requires a bot-mitigation challenge, such as CAPTCHA, to a human to manually solve it.

4. This year, spoofing has become less common among bad actors who prefer to invest their time and skill in other tactics with a higher success rate. This shift is influenced by device intelligence tools, which are becoming better at detecting spoofing behavior. As the effectiveness of spoofing decreases, bad actors are switching to more sophisticated techniques.

To increase protection against basic and sophisticated attacks, it is important to have a holistic approach that can detect different behaviors such as automated behavior, unusual human-like behavior, low-reputation information (for example, recognizing IPs used in fraud attacks in the past), or device recognition.

If you have questions or want to share your experience with attacks in your environment, contact us at verifygoodusers@nudatasecurity.com. As we said, we love talking about fraud.


Glossary of terms

Account creation or online account origination fraud: The opening of a new account with fake or stolen information with the intention of committing fraud.

Account takeover: The use of someone else’s credentials to enter their account.

Basic attacks: Attacks focused on quantity rather than quality. They don’t attempt to emulate human behavior or browser interaction and they typically don’t execute JavaScript.

Bot-detection challenge: When an event is suspected to be fraud, a bot-detection challenge such as a CAPTCHA helps confirm if it is a machine or a human.

Bot-detection tool: Tools that detect bot behavior by looking at some of the data such as IP, location, connection, or input.

Botnet: Internet-connected devices, each of which is running one or more bots to perform large-scale attacks.

Digital goods: Companies selling digital goods online, including SaaS.

eCommerce: Includes companies selling physical goods online.

Financial institutions: Includes companies that provide financial services, comprising FinTech.

High risk: Session or sessions with a high risk score based on the NuData platform’s assessment.

Human farms: Groups of workers paid to deploy attacks manually.

NuData Trust Consortium: Historical data of events and accounts aggregated from the NuData network to improve the accuracy of each assessment.

Sophisticated attacks: Attacks deploying lower volume but attempting to emulate user behavior. They display expected browser or application behavior and run scripts in the environment to simulate human interaction.

Spoofing: Modification of a device’s information such as operating system, browser, or version to appear as a different device.

Travel: Includes companies with travel portals.

NuData Security is a Mastercard company. It helps
businesses identify users based on their online interactions
and stops all forms of basic and sophisticated attacks.
By analyzing billions of events annually, NuData harnesses
the power of behavioral and biometric analysis, enabling
its clients to identify scripted or human threats accurately.
This allows clients to verify users before a critical decision,
block account takeover, stop automated attacks, and reduce
customer insult. NuData’s solutions are used by some of the
biggest brands in the world to prevent fraud while offering
a great customer experience.
