We are entering an era of billions of users and trillions of online accounts. This is attracting a growing wave of attacks targeting online services of all sizes. The Internet user population is now 3 billion strong . There are now over 3 million mobile apps and online services available, and most people have registered accounts with at least 26 of them . That’s creating a huge surface area of online services and user accounts to protect.
Not only are there more mobile apps and web sites than ever before, but they are also becoming much more complex. To continuously drive strong user growth, modern online services are rapidly evolving from single-function sites to feature-rich platforms that have a blend of social networking, e-commerce, gaming and online-to-offline (O2O) services attributes. While each of these new “features” makes the service more attractive to benign users, they are also potential vulnerabilities to be exploited by bad actors.
As a result of the combined growth and feature richness of online services, user accounts are becoming highly desirable targets. They are the precious core of every service, as users are both contributors of content (e.g., reviews, ratings, followings, pins, messages) and a channel for monetization (e.g., ad clicks, promotions, in-app purchases). But due to their intrinsic value, user accounts are also the most vulnerable spot in every service. Coordinated malicious user accounts, either created anew, or obtained via user hijacking, actively target the various features of the modern online service for some type of real-world financial gain. Example attacks include fake reviews to boost business reputation [3,4], promotional credits abused to gain an unfair advantage within games, and stolen credit cards used to pay for goods via Apple Pay . Such attacks can cause millions of dollars of loss to the service, in addition to severely degrading brand name reputation and platform integrity.
The Sleeping Enemy Within
These attacks signal the emergence of a new breed of online adversary. We are well beyond the lone gunman looking to make a quick buck by using a fake credit card to make a small number of fraudulent transactions on an e-commerce site. Today, technologically advanced, coordinated online criminals continuously adapt their techniques to stay under the radar, not only leveraging the billions of events generated by the other millions of user accounts to remain undetected, but also taking the time to build massive armies of “sleeper cells” within the online service. These dormant accounts are used for testing or carrying out the attack in stages, and lie in wait for months or even years until the time is right for an assault.
The fact that fraudulent accounts are growing at an alarming rate — sometimes even outpacing normal user growth — shows that traditional reactive solutions, such as signatures, rules, or purely supervised machine learning approaches, are falling behind. As pointed out in a recent Gartner report, “Rules, which are usually based on attacks that happened, are only as good as what a user knows. Rules do a poor job when it comes to predicting future attacks, and they also become difficult to manage over time as they proliferate.” . Similarly, supervised learning is inevitably difficult to catch new attack patterns, where labels are unavailable.
We believe it is time to rethink our security requirements for the new era of trillions of accounts that we live in. A next-gen solution is needed to address the growing threat of online identities, and to stay ahead of these advanced attacks. As such, we need leading computer scientists to work together and develop predictive solutions using Big Data technology and security analytics. The purpose of DataVisor is to strengthen this weakest and highly exploitable link in the new security arsenal. We are here to build trust in online communities and services as they flourish, to protect the long-term growth of all consumer-facing sites and apps, and to protect every one of us as end users.
 Internet live stats. http://www.internetlivestats.com/internet-users/
 Nielsen. “Smartphones: so many apps, so much time.” 1 July 2014. http://www.nielsen.com/us/en/insights/news/2014/smartphones-so-many-apps–so-much-time.html
 Megan Griffith-Greene. “Yelp, Google and UrbanSpoon targets for fake reviews.” CBC News 7 Nov. 2014. http://www.cbc.ca/news/business/yelp-google-and-urbanspoon-targets-for-fake-reviews-1.2826154
 Victor Luckerson. “Amazon is sueing sites that sell fake reviews.” Time 10 Apr. 2015. http://time.com/3817401/amazon-sues-fake-reviews/
 Daisuke Wakabayashi. “Fraud comes to Apple Pay.” Wall Street Journal 3 Mar. 2015. http://blogs.wsj.com/digits/2015/03/03/fraud-comes-to-apple-pay/
 Avivah Litan and Jonathan Care. “Market guide for online fraud detection.” Gartner 27 Apr. 2015.