DataVisor Threat Blog:

3 Keys to Fraud Detection for the Modern Wave of Sophisticated Fraud

Ting Fang Yen

Ting Fang Yen

Director of Research // Ting-Fang specializes in network and information security data analysis and fraud detection in the financial social and eCommerce industries. She holds a PhD in Electrical and Computer Engineering from Carnegie Mellon and has previously worked for E8, RSA, and Microsoft.

Digital fraud attacks have become increasingly sophisticated and their complexity brings more and more concern for social forums, digital commerce, online banking and other consumer-facing enterprises. As part of our initiative to educate and equip fraud and risk management leaders with data-backed insights, the DataVisor research team tracked and analyzed 1.1 billion attack events and 887K fraud attacks across some of the largest internet properties and financial services in the world from July to September 2018. Our learnings will allow fraud management teams to reevaluate their fraud detection strategies and secure their technology architecture.

DataVisor’s approach to fraud detection is particularly effective because it utilizes DataVisor’s Unsupervised Machine Learning (UML) Engine that looks at all events and users holistically, and then identifies correlated groups of malicious users that share similar attributes. This approach allows us to detect attacks that have never been seen before. Traditional approaches such as rule-based or supervised machine learning need to constantly update their models and are unable to see the varied ways of sophisticated fraudulent attacks.

Fraud Has a Wide Gamut of Operation

Our research findings show that fraudsters display diverse behaviors ranging from varying size, duration and degree of sophistication.

Layers of Sophistication

On one end, less sophisticated fraud attacks are typically bursty and short-lived. They are easier to detect and block because fraudsters tend to reuse known bad fraud signals and exploit large volumes of malicious activities that make them noticeable. In our data, we observed that 59% of low-sophistication fraud attacks have a median user lifetime of less than one day, and 70% have a median user lifetime of less than one week.

On the other end, a sophisticated attack has fraudsters engage various tools so that the fraudulent accounts can blend with other “normal” users. Their fake accounts may have legitimate-looking user profiles with pictures and originate from residential, educational, or mobile networks with good reputation. Such attacks often have longer duration since they are able to evade detection, operate under the radar and scale up to cause greater damage on the service. High sophistication attacks are 2.3x larger than low sophistication attacks.

We observe that fraud attacks on financial platforms are the most complicated. Fifty-six percent of attacks on financial platforms have high sophistication, compared to 17% for ecommerce and 14% for social platforms.

Fraudsters Change Tactics

Change is the name of their game and fraudsters are good at evading static signals with a flexible backend infrastructure to advance quickly. For example, 36% of IP fraud signals were active for less than one day, and 64% were active for less than one week.

Fraudsters are Adept at Camouflaging

As traffic from datacenter IP ranges faces increasing scrutiny from online services, fraudsters are leveraging proxy services from residential or mobile network ranges to keep moving under disguise.

Clearly, to stay ahead of the game, enterprises must bolster detection efforts with a complete solution that can detect new and emerging fraud patterns. Find out how three ways you can curb fast-evolving fraud by downloading a copy of the DataVisor Q3 2018 Fraud Index Report here.