DataVisor Online Fraud Report

As DataVisor Co-Founder and CEO Yinglian Xie says in her foreword to the Inaugural DataVisor Online Fraud Report, “Data is power.” We have no shortage of data here at DataVisor and we have taken the opportunity to unlock it and analyze the results.

Through our Global Telemetry Network of more than one billion users across 172+ countries in the world, we were able to identify the favorite tools and attack techniques fraudsters from around the globe are using to create accounts and evade detection.

As with all research, you don’t always know what the results will reveal. When we first set out to develop the report, we set up a series of questions for which we wanted answers:

  • What device platform is used most to conduct attacks?
  • Which operating system are used most frequently by fraudulent accounts?
  • What are the most popular browsers for fraudsters?
  • Where are the most fraudulent accounts located geographically?
  • What percentage of bad actors use cloud hosting providers to launch attacks?
  • Which email domains are used the most to register fake accounts?
  • What is the average size of a fake account army?
  • How long do fraudsters age accounts before they attack?

Some of the most interesting results came when we looked at aging accounts. We knew fraudsters would lie in wait, or sleep, on platforms for extended periods of time but the results were still surprising in terms of just how committed, and patient, these bad guys are when it comes to aging accounts. According to our data, 44 percent of fraudulent accounts sleep at least seven days before an attack. Thirty-seven percent of malicious accounts have still yet to attack even after three months.


For malicious users to be sitting within your online community or user base, pretending to be regular users, for that long is scary. It underscores the importance of not only early detection, but looking at your users beyond their registration. To catch these sophisticated attackers before they strike, you have to look at the whole picture, even if they appear harmless.

Also, cloud-usage is definitely growing among malicious users. We observed that 18 percent of accounts hosted on cloud services are fraudulent. Malicious accounts are seven times more likely to use cloud services than normal users. Using the cloud enables fraudsters to both significantly increase the number of attack campaigns they can conduct, as well as evade detection by hiding behind legitimate network sources.


The fraud ecosystem is constantly evolving, and it’s clear that fraudsters are becoming increasingly more sophisticated in their attack techniques, as well as their adoption of new technology. They are blending in with normal users and circumventing traditional fraud detection methods. They are harder to detect, but we hope the DataVisor Online Fraud Report will help illuminate some of their latest tricks.

To learn the answers to the rest of the questions mentioned above, please download the DataVisor Online Fraud Report here.