The Fraudster Trifecta
Today, almost every company website and app uses passwords to authenticate customers. Credit unions are no different, with their requirements for strong passwords, authentication challenges, enhanced security measures such as multi-factor authentication, and blocked use of easily obtained data such as a date of birth as a password. In addition, members are prompted to change their passwords at intervals such as 30 or 45 days. These security protocols, however, are often a point of frustration for members. With so many passwords to manage, they will often reuse the same easy-to-remember password across multiple sites.
Consider these statistics: 71% of accounts are protected by passwords used on multiple sites. A single password, on average, is used to access five accounts. 57% of people who have already been scammed in phishing attacks haven’t changed their passwords. And 23 million account holders use the password “123456”. For these reasons, scammers are constantly working to obtain login and password information through phishing attacks, malware, and the purchase of user login credentials on the dark web. They know that one stolen or purchased username and password combination will likely work on any number of other websites. Like any other business, fraudsters are looking for economies of scale. They want obtained usernames and passwords (especially if they have paid for them on the dark web) to yield the highest revenue, so they use tactics to create large-scale comprehensive attacks such as credential stuffing, bot attacks, and VPN attacks. These strategies create a fraud trifecta because they can be combined or layered to cause chaos and maximize the payday harvested from their victims.
Credential Stuffing
Fraudsters have been known to use up to 1.5 million stolen credential sets in a single automated attack to gain access to consumer accounts. This type of cyberattack occurs when scammers harvest credential sets through hacking or by purchasing them on the dark web, and then try to authenticate with as many of those credential sets as possible on an unsuspecting company’s digital platform before fraud alerts are triggered. The “stuffing” refers to the rapid, repeated attempts that try permutations of the purchased data. For example, maybe the user has since reset the password, replacing a question mark with an exclamation point. What the user thinks is a subtle change to protect the account can be instantly discovered by a permutation routine in a credential stuffing attack. Once inside, scammers quickly drain accounts of all available cash or use the stolen data to make purchases.
Besides running password permutation routines, scammers will often use technology to simulate IP addresses from different geographic locations (all in rapid succession) to overwhelm typical digital platform security defenses.
Bot Attacks
These are complex automated web requests designed to disrupt a website’s operations. In this type of attack, scammers remotely control devices that have previously been infected with malware and direct them to flood a specific website or app with traffic. These zombie bots can be controlled using basic DIY bot kits, where hackers use open-source developer tools and services available on the dark web to execute bot attacks. Bot attacks can also come from a sophisticated network of bots (a botnet) with millions of infected computers, used to launch high-volume credential stuffing or Distributed Denial of Service (DDoS) attacks on websites to steal data.
In 2021, Cloudflare detected and mitigated the largest botnet attack in history when they detected a 17.2 million request-per-second DDoS attack from 20,000 bots in 125 countries. Since machines compromised with malware are a major contributor to bot attacks, consumers and companies need to be vigilant in ensuring their operating systems and anti-malware software are up to date. Check out our February Industry Connection blog for more information.
VPN Attacks
For many organizations, VPNs helped solve critical enterprise security concerns for employees working from home during the pandemic. However, criminals are exploiting vulnerabilities within the most popular VPNs. Scammers are on the hunt for companies that have left their VPNs open to compromise. In Q1 2021, there was a 1,916% increase in attacks on Fortinet’s SSL-VPN and a 1,527% increase in attacks on the Pulse Connect Secure VPN. When scammers gain access to a VPN, they can extract confidential information and deploy ransomware to extort payment from the company to buy back access to its data.
Connect’s partnership with enterprise security vendors can thwart these forms of fraud. These systems create a sophisticated defense barrier by monitoring digital platforms for (1) failed password attempts, (2) the aggregate number of login attempts in a specific timeframe, (3) widescale requests from geographic IP addresses that rarely request access to the system, and (4) requests from anonymous proxy servers, which can carry malicious traffic. Enterprise security systems run multiple automated scripts that look for these types of anomalies and shut the requests down before they reach the protected business’s data environment. The best offense is a good defense.
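The four monitoring signals listed above, applied to a handful of constructed login events as an added illustration (this is not Connect's or any vendor's code; the log format, thresholds, baseline countries and anonymous-proxy list are all assumptions):

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample authentication events (not real log data):
# (ISO timestamp, username, source IP, GeoIP country, outcome)
EVENTS = [
    ("2024-01-10T09:00:01", "alice", "203.0.113.5",  "US", "fail"),
    ("2024-01-10T09:00:02", "alice", "203.0.113.5",  "US", "fail"),
    ("2024-01-10T09:00:03", "alice", "203.0.113.5",  "US", "fail"),
    ("2024-01-10T09:00:04", "bob",   "203.0.113.5",  "US", "fail"),
    ("2024-01-10T09:00:05", "carol", "198.51.100.7", "NL", "fail"),
    ("2024-01-10T09:00:06", "dave",  "198.51.100.7", "NL", "success"),
    ("2024-01-10T09:00:07", "erin",  "203.0.113.9",  "US", "fail"),
    ("2024-01-10T09:30:00", "frank", "192.0.2.44",   "CA", "success"),
]

BASELINE_COUNTRIES = {"US", "CA"}   # countries that routinely reach the platform (assumed)
ANON_PROXY_IPS = {"198.51.100.7"}   # constructed anonymous-proxy feed (assumed)
FAIL_THRESHOLD = 3                  # (1) failed attempts per account
AGG_THRESHOLD = 6                   # (2) total attempts inside one window
WINDOW = timedelta(minutes=5)

def analyse(events):
    """Return a sorted list of alert strings for the four monitored signals."""
    alerts = set()
    times = sorted(datetime.fromisoformat(e[0]) for e in events)
    # (2) sliding window over all attempts, successful or not
    for i, start in enumerate(times):
        in_window = sum(1 for t in times[i:] if t - start <= WINDOW)
        if in_window >= AGG_THRESHOLD:
            alerts.add(f"aggregate-rate:{in_window}-attempts-in-{WINDOW.seconds // 60}m")
            break
    fails = Counter()
    for _, user, ip, country, outcome in events:
        if outcome == "fail":
            fails[user] += 1                           # (1) per-account failures
        if country not in BASELINE_COUNTRIES:
            alerts.add(f"rare-geo:{country}:{ip}")     # (3) rarely seen geography
        if ip in ANON_PROXY_IPS:
            alerts.add(f"anon-proxy:{ip}")             # (4) anonymous proxy source
    for user, n in fails.items():
        if n >= FAIL_THRESHOLD:
            alerts.add(f"failed-logins:{user}:{n}")
    return sorted(alerts)

if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert)
```

A production system would evaluate the per-account counter inside the same time window and feed the alerts to a blocking or step-up-authentication action rather than just printing them.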
The Need for a Protective Barrier
Are there residual benefits to having a proactive enterprise security system? Absolutely. Remember the comment earlier about fraudsters wanting economies of scale? If they launch an attack and an enterprise security program thwarts it, they will move on to other businesses with weaker security protocols. They are after the money, the low-hanging unprotected fruit.
The information we have covered in this blog is a lot to digest. The bottom line is that fraudsters are using multiple tactics to access an organization’s data environment or their partner data environments (third parties that provide various services) to steal money or card data for fraudulent purposes. And, with ransomware attacks, the fraudsters may also try to extort the organization to pay a hefty price for the return of their data to avoid potential reputation risk, which can result in public distrust and regulatory scrutiny.
It is important to reiterate that attacks mentioned in this blog can be used in tandem. By doing this, the fraudster gets the organization’s resources to focus on a credential stuffing attack, for example, while the fraudster actively searches for VPN vulnerabilities to exploit. Imagine trying to stop a roof leak. While focusing on one leak, another leak (or leaks) may go undiscovered. One strategy would be to place buckets under each leak, but those buckets can eventually overflow if not constantly monitored, and the aggregate overflow may cause the roof to collapse. By placing a tarp over the entire roof, you provide a barrier that will stop both the current leaks and also the potential for new leaks. A properly implemented and managed enterprise security system can be that protective layer against individual and layered fraud attacks.