The Automation of Fraud Attacks
The need for automation of fraud attacks
Legitimate enterprises take advantage of automation to handle repetitive yet business-critical tasks. They pay top dollar for skilled engineers to build and maintain automated business logic. Fraudsters do the same and commonly leverage botnets to automate part of the workflow that will lead to a successful fraud attack. I even occasionally see legitimate-looking job ads with very competitive salaries, targeting employees of companies that offer bot management products.
Over the years, fraudsters have perfected the art of automating fraud attacks, and on occasion they go as far as taking advantage of artificial intelligence. Automation is commonly used in the following use cases:
- Credential stuffing, also known as credentials enumeration or account checking, which is one of the steps that can lead to a full account takeover
- New account creation, with the accounts then reused for various fraud schemes
- Gift card enumeration attacks against a gift card balance application on an eCommerce web site to steal the credits available
- Posting spam content on forums or review boards
A successful attack on the above use cases requires sending tens of thousands of requests, which cannot realistically be done manually in a cost-effective manner. Just like any regular business, fraudsters always look for ways to scale their operations to maximize their profit.
Botnets business logic
Botnet sophistication has continuously evolved over the years to defeat the bot management and fraud detection products that now commonly protect major websites' most critical endpoints. Global botnets with tens of thousands of nodes, each sending a limited number of requests per hour (or per day) and closely mimicking legitimate user behavior, have become the norm.
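To show why this traffic pattern slips past per-IP rate limits but still stands out at the endpoint level, here is an added detection sketch (not code from Arkose Labs or from the original article). The log layout, the sample events and every threshold are constructed assumptions, and shared or NAT addresses would need an allowlist before the multi-account signal is used in production.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed login events for one hour: (source_ip, username, succeeded)."""
    events = []
    for n in range(200):                  # 200 bot nodes, only 2 attempts each
        for k in range(2):
            i = 2 * n + k                 # every attempt targets a new account
            events.append((f"198.51.100.{n}", f"victim{i}", i % 100 == 0))
    for u in range(50):                   # 50 ordinary users, one IP each
        if u % 10 == 0:                   # a few mistype their password once
            events.append((f"203.0.113.{u}", f"user{u}", False))
        events.append((f"203.0.113.{u}", f"user{u}", True))
    return events

def per_ip_rate_alerts(events, max_per_hour=10):
    """Classic per-IP rate limit: flags only sources above the threshold."""
    counts = defaultdict(int)
    for ip, _, _ in events:
        counts[ip] += 1
    return {ip for ip, c in counts.items() if c > max_per_hour}

def endpoint_summary(events):
    """Aggregate the whole login endpoint instead of judging each IP alone."""
    users_by_ip = defaultdict(set)
    failures = 0
    for ip, user, ok in events:
        users_by_ip[ip].add(user)
        failures += not ok
    multi = {ip for ip, users in users_by_ip.items() if len(users) > 1}
    return {"attempts": len(events),
            "failure_ratio": failures / len(events),
            "distinct_ips": len(users_by_ip),
            "multi_account_ips": multi}   # IPs that tried more than one account

def is_distributed_attack(summary, min_attempts=100,
                          max_failure_ratio=0.5, max_multi_share=0.2):
    """Flag the hour when failures and multi-account sources dominate."""
    share = len(summary["multi_account_ips"]) / summary["distinct_ips"]
    return (summary["attempts"] >= min_attempts
            and summary["failure_ratio"] > max_failure_ratio
            and share > max_multi_share)

if __name__ == "__main__":
    ev = build_sample_events()
    print("per-IP alerts:", per_ip_rate_alerts(ev))
    print("distributed attack:", is_distributed_attack(endpoint_summary(ev)))
```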
Fraud detection products like Arkose Labs deploy JavaScript on the client side that collects attributes about the browser and the device, often referred to as a fingerprint. The data collected is evaluated on the server side to differentiate good traffic from bad. One of the most common techniques fraudsters implement in their botnet to defeat detection is to randomize some of these attributes….