Diving into Q2 2018 DataVisor Fraud Index Report

Attributed to Ting-Fang, Head of Research, DataVisor.

Continuing our promise to empower the fraud-fighting community with more data points on the increasing strength of fraudulent activity, we are delighted to share our DataVisor Fraud Index Report for Q2 2018. It is our intent to raise awareness of the current and emerging attack trends that we are witnessing which may have a big impact on businesses. We hope that they will make informed choices on how adopting multiple solutions can bring in advantages of the recent advances in AI and Machine Learning and help mitigate risk and strengthen their defense versus relying on one layer of protection.

A Unique Vantage Point

DataVisor’s Unsupervised Machine Learning (UML) Engine gives us a new vantage point from where we can observe fraud, see the rise of new attack patterns or view how existing attacks evolve and unfold. Traditional supervised approaches can only find known attacks, and need to constantly update their models to keep up with fraudsters. In this quarter, we see coordinated fraud attacks on the rise, resulting in larger fraud related losses. These attacks are supported by a robust but dynamic operational infrastructure such that modifying an attack signature is easier than ever. We see evidence of shifting attack channels and obfuscated attack origins as well as the “incubation” behavior of fraudulent accounts.

A Comprehensive Methodology

To support our findings, DataVisor’s leading fraud detection platform has analyzed over 4 billion user accounts across some of the largest internet properties and financial services in the world. Our Unsupervised Machine Learning (UML) Engine looks at all events and users holistically, then identifies correlated groups of malicious users that share similar attributes. This approach enables DataVisor to accurately detect attacks that have never been seen before, thus providing up-to-date statistics and unique insights into how the global fraud pattern is changing. Since our engine correlates thousands of different attributes to detect fraud groups, we have been able to assemble a broad array of signals into the DataVisor Global Intelligence Network.

The current report is based on signals gathered between April and June 2018 from 1.1 billion active user accounts, and include 1.5 million email domains, 231,000 device types, and 562 cloud hosting providers and data centers, among other indicators.

Report Findings

Fraud is Coordinated : We see that fraud is a highly coordinated activity. More than 90% of fake account registration in social platforms involve coordinated attacks. More than 40% of application fraud in financial sector are coordinated attacks. On average, fraud attacks targeting social platform involve more than 104 accounts, while the attacks targeting financial services involve more than six accounts.

The Technology Savvy Fraudster: We observe that fraudsters are getting better at making fake account appear “real.” An average fraudulent account incubates 35 days before attacking. Specifically, 15% of fraudulent accounts on financial services incubate more than a week before attacking, while 34% of fraudulent accounts on social platforms incubate more than 90 days. Accounts used in social attacks, e.g., fake likes and spam, tend to have a longer sleep time compared to those used for financial attacks. One reason for this is that social attacks require a certain degree of trust from the victim to be successful, so having a longer history can help the fake accounts appear legitimate to normal users. By contrast, financial attacks are constrained by time, since stolen financial information such as credit card numbers, banking information et al expires quickly.

The Geographical Distribution of Fraud

Fraud is geographically distributed and all regions of the world are impacted by it. We observed 21% of fake accounts targeting online and financial services originated from the U.S. and 17% originated from China, while the large majority are from other regions. But the geolocation may not be what it seems – 10% of all fraudulent users originated from a cloud service, likely to either mask the attack origin or to use cloud services to scale up their operations.

Three Steps to Protect Assets, Reputation and Customer Experience

Our study shares alarming insights about the enormous threat to businesses today and the critical need for their online protection. So what can you do? While the bad actors know their game well, here are some steps you can take:

1. Be open to embracing advanced technologies such as AI and ML which equip businesses to stay on top of the game despite the dynamic nature of attacks.
2. In addition to monitoring common routes of entry for fraudsters, checking less common entry points is also important. We observe fraudsters taking advantage of older APIs that may contain vulnerabilities or may not be guarded as closely.
3. Vet your developers and third-party apps and be careful what kind of access are given to non-standard interfaces.

We invite you to download a complete copy of the report here.