As 2015 comes to a close, all of us fighting fraud may start preparing for the upcoming fraud battle in 2016. As mobile apps and web services continue to increase in number and functionality, they remain an attractive target for fraudsters. Meanwhile, cyber attackers have continued to adapt to evade traditional security defenses – using the latest mobile hacker tools and cloud technology to impersonate legitimate users. If you operate a consumer-facing web or mobile app, you are up against a much more numerous and advanced adversary than ever before. Here are some online threat trends we anticipate encountering in 2016.

Prediction #1: Social sites become a bigger target as lines between social and e-commerce blur.

In 2015, many traditional social networking sites such as Pinterest, Facebook and Twitter announced plans [1,2,3] to add “Buy” buttons to their platforms in an effort to increase stickiness with their users and help monetize their user base. Adding e-commerce functionality is a continuing social media trend. However, this will attract more fraudsters looking to conduct fraudulent transactions on these platforms.

In 2016, we expect to see a spike in the overall amount of commerce online for social sites, making it easier for malicious campaigns to hide amongst the billions of legitimate social users. If you have a social property with e-commerce features, you should consider adding security that has the ability to detect both social fraud (fake likes & reviews, spam) and financial fraud (fraudulent transactions, identity theft and promotion abuse).

Prediction #2: EMV cards & digital wallets to shift more fraudulent credit card attacks online.

2016 stands to be a record year for Card-Not-Present fraud. According to Javelin Research, CNP fraud is expected to grow from $10B in 2014 to over $19B in 2018 [4]. The increasing adoption of the new EMV cards and new digital wallet solutions, such as Apple Pay and Google Wallet, will have the unfortunate consequence of moving fraudsters online to monetize fake and stolen credit cards. While these new technologies are expected to reduce the amount of point-of-sale system fraud and counterfeit credit cards, they will have little to no effect in helping prevent fraudulent transactions online in card-not-present attacks.

In 2016, we expect to see a perfect storm that is bound to result in a high level of fraudulent transactions, powered by the following three trends: a significant increase in e-commerce websites and mobile apps [1,2,3]; growing comfort amongst consumers with transacting online, given that 45% of the world’s three billion users now buy things online [14]; and the adoption of EMV cards and digital wallets. You can tip the scales back in your favor with new advanced online security analytics technologies to keep up with the increased credit card attacks.

Prediction #3: Global O2O wars will increase the rate of user acquisition promotion fraud.

In 2015, we saw the war between online-to-offline (O2O) companies heat up as these services made huge investments to expand their footprint across the US, China, India and other countries. For example, in an effort to gain market share, Uber has invested more than $2B to expand in China [6] and India [5]. Not to be outdone, rival car share service Didi invested over $2B in China and is also funding Lyft in the US and Ola in India [7].

Much of this money is intended for promotions to attract new drivers and users. Unfortunately, we have seen reports of a huge volume of user acquisition fraud, where drivers make hundreds to thousands of dollars per month in subsidies by registering multiple driver accounts and conducting fake rides [9]. The combination of strong financial incentive and the wide availability of mobile hacking tools such as mobile emulators and GPS location fakers creates an ideal environment for fraud to continue to grow in 2016. As O2O companies consider their global expansion strategies, they need to incorporate online fraud detection into their plans, so they can grow fast without being fleeced in the process.

Prediction #4: Account takeovers will rise as a result of continued large data breaches.

Image Source: Information is Beautiful, “World’s Biggest Data Breaches” [11]

We are now operating in the era of “peak data breach.” Whether it is your healthcare provider, your university, your favorite retail store or the government, your personal data has probably been stolen by now as a result of one or more of these high-profile breaches. According to a recent study, the 600+ reported data breaches this year, including major attacks against Anthem, T-Mobile, and the Office of Personnel Management, have resulted in the theft of more than 175 million records [10].

What does this mean for 2016? The bad actors will look to monetize the stolen user credentials and credit cards over the next year via fraudulent credit card attacks. More seriously, they could launch account takeover (ATO) campaigns leading to identity theft that could drain bank accounts and buy fake goods on your dime. As a result, online merchants and consumers alike need to be on high alert for anomalous purchases and ATO activity in 2016, and take measures to detect these attacks before they do any major damage. Given the wealth of personal data that has already been stolen, the industry needs to pay more attention to preventing bad actors from using these stolen credentials, as opposed to just trying to stop the breach from occurring in the first place.

Prediction #5: Cyber attackers will move to the cloud.

Businesses and consumers are not the only ones moving to the cloud. In 2016, we expect to see the continued migration of cyber attack infrastructure to the cloud, as cloud services become more pervasive and cost-effective. Cloud services such as AWS, Azure and Google Cloud are already victims, as fraudsters register a massive number of free trial accounts and use their computation infrastructure to conduct attacks. Other popular cloud services, including dedicated/virtual hosting (e.g. OVH, Quadranet, Ubiquity Hosting, etc.) and anonymous proxies (e.g. PureVPN, ZenMate), will also become increasingly common among online criminals. Thanks to the elasticity and compute capacity of these services, the cloud allows cyber attackers to significantly increase the number of attack campaigns they can conduct, and allows them to easily hide behind legitimate network sources and thus remain anonymous [12,13].

In order to protect yourself from attacks launched from the cloud, you need to go beyond simple IP reputation databases and rules/models-based systems to detect these well-organized attack campaigns, since one cannot naively block traffic from cloud infrastructure. In fact, in our observations, the traffic from cloud infrastructure is a thorough mix of both good user and bad user activity. The industry needs to move to more advanced solutions that can precisely distinguish the malicious traffic emitted from cloud infrastructure.

Secure Your Growth in 2016

2016 presents a great opportunity for growth for online businesses. However, to reap the benefits of this growth, one needs to have the right security in place. DataVisor’s mission is to help protect consumer-facing websites and mobile apps from cyber attacks by detecting these fraudsters hiding within their online services before they can do any damage. If you are interested in learning more about how DataVisor can help, contact us here for an online security assessment.

References

[1] Karissa Bell, “Twitter’s ‘Buy’ buttons: Now open to anyone.” Mashable 14 Sept 2015. http://mashable.com/2015/09/14/twitter-buy-buttons-stripe-relay/#FI.zIMWDiSq1
[2] Matthew Lynley, “Pinterest’s Tim Kendall Talks Monetization And Commerce.” TechCrunch 13 Aug 2015. http://techcrunch.com/2015/08/13/pinterests-tim-kendall-talks-monetization-and-commerce/
[3] Lucas Matney, “Facebook Adds Buy Button Integration As It Continues To Reinvent Pages.” TechCrunch 15 July 2015. http://techcrunch.com/2015/07/15/cant-buy-me-love/#.fj9sozz:HEfu
[4] Javelin Strategy & Research, “Point-of-Sale Card Fraud Predicted to Decrease as Card Not Present and New Account Fraud Increases.” Business Wire 11 Jun 2015. http://www.businesswire.com/news/home/20150611005284/en/Point-of-Sale-Card-Fraud-Predicted-Decrease-Card-Present
[5] Jon Russell, “Uber Is Investing $1B To Grow Its Business In India To 1M Rides Per Day.” TechCrunch 31 July 2015. http://techcrunch.com/2015/07/31/one-billllllllllllion/
[6] Jon Russell, “Uber Is Raising $1B To Crack China, Soon To Be Its Largest Market Worldwide.” TechCrunch 11 Jun 2015. http://techcrunch.com/2015/06/11/ubers-business-in-china-is-doing-a-lot-better-than-we-thought/
[7] Liyan Chen, “Meet Uber’s Mortal Enemy: How Didi Kuaidi Defends China’s Home Turf.” Forbes 23 Sept 2015. http://www.forbes.com/sites/liyanchen/2015/09/23/meet-ubers-mortal-enemy-how-didi-kuaidi-defends-chinas-home-turf/
[8] Liyan Chen, “Uber Wants To Conquer The World, But These Companies Are Fighting Back (Map).” Forbes 9 Sept 2015. http://www.forbes.com/sites/liyanchen/2015/09/09/uber-wants-to-conquer-the-world-but-these-companies-are-fighting-back-map/
[9] Josh Horwitz, “Fake drivers and passengers are boosting Uber’s growth in China.” Quartz 9 Jun 2015. http://qz.com/423288/fake-drivers-and-passengers-are-boosting-ubers-growth-in-china/
[10] Identity Theft Resource Center, “2015 Data Breach Category Summary.” 3 Nov 2015. http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReportSummary2015.pdf
[11] Information is Beautiful, “World’s Biggest Data Breaches.” 2 Oct 2015. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
[12] Eduard Kovacs, “Amazon Web Services Increasingly Used to Host Malware.” Security Week 16 July 2014. http://www.securityweek.com/amazon-web-services-increasingly-used-host-malware-report
[13] Robert Sheldon, “Cybercrime – the Dark Edge of the Internet.” Simple Talk 12 May 2015. https://www.simple-talk.com/cloud/security-and-compliance/cybercrime—the-dark-edges-of-the-internet/
[14] Statista, “Digital buyer penetration worldwide from 2011 to 2018.” http://www.statista.com/statistics/261676/digital-buyer-penetration-worldwide/