account takeover Source: Shutterstock.

The anticipated surge in web traffic to e-commerce sites has come with a fraud price tag, contributing to account takeover attacks as consumers shift to home delivery and payments move online.

The San Mateo, Calif.-based cybersecurity firm PerimeterX researchers pointed to Javelin’s “2020 Identity Fraud Study,” which showed financial institutions’ methods to identify and respond to fraud are no match for criminals’ high-tech schemes to hijack consumer accounts. Fraud losses grew 13% in 2019 to $16.9 billion even as instances of fraud fell from 14.4 million in 2018 to 13 million in 2019, which resulted in consumers facing $3.5 billion in out-of-pocket costs last year as criminals shifted their focus from card fraud to opening and taking over accounts.

Now in the midst of a COVID-19 response and stay at home orders, PerimeterX found similar attacks are occurring.

“We are entering another week of the social distancing effort to fight the coronavirus. We are seeing that along with the expected surge in web traffic to e-commerce sites, there is a marked increase in automated fraud, contributing to account takeover attacks.” Ameet Naik, security evangelist at PerimeterX, said. One case in point, he noted, is that the home goods industry has seen almost 90% of login traffic consist of ATO attacks. “The fraudsters are following the money.”

PerimeterX researchers indicated ATO attacks occur when someone gains unauthorized access to an online account. They suggested it is relatively easy to break into online accounts and monetize them. “Websites have become the new financial institutions for attackers, and that’s why ATO is big business for cybercriminals looking to cash in. Attackers seek to gain access to monetary information, such as credit cards, gift cards, loyalty points and marketplace credits from accounts that users might not monitor regularly.”

Fraudulent attacks involving imbursement often end up at the doorstep of financial institutions and payment providers.

Naik also pointed out, “Automated fraud, such as bot-driven ATO, which is on the rise, is sometimes more difficult to prevent because it requires real-time decision making and some fraud solutions take seconds instead of the milliseconds required.” He added businesses need to protect their customers’ account data and preserve their brand reputation.

Ido Safruti, founder and CTO of PerimeterX, outlined the threats in an ongoing blog series, “COVID-19: Data Tells the Story,” where he explained the cyberworld often reflects daily life trends and online activities. “The coronavirus disruption is no exception. Attackers always follow the money, and at times where the industry and the workforce operating technology and running websites are going through dramatic transitions, attackers identify new opportunities. We see this play out in the data we gather from our platform; it reveals interesting trends in web traffic and attack patterns.”

Safruti wrote, “Since January, overall web traffic across the e-commerce industry has remained fairly constant, but recently we have seen large traffic surges as well as increases in conversion rates in certain segments. In addition, the amount of malicious traffic in the e-commerce industry has increased.”

“Malicious traffic has increased noticeably in the overall e-commerce segment. This can mainly be attributed to a rise in scraping attacks to capture key price and inventory data,” Safruti wrote. “Our hypothesis is that increased competition for business in key segments has fueled scraping growth as competitors seek to capture more online customers with deals and pricing offers.” Scraping growth so far concentrates on hot items such as toilet paper, face masks and disinfectants.

“Now is the time to be more vigilant than ever since along with traffic spikes, web attacks are on the rise,” Safruti said in the blog. To combat these threats, businesses need to take on some prevention strategies:

  • Regularly analyze server log and traffic logs to look for noticeable changes.
  • Look for behavioral anomalies of ATOs, for example, visitors that go straight to the login page without clicking on any other links, or scrolling around the site, are likely bots executing an ATO.
  • Consider adopting automated web application protection technologies that can leverage sophisticated machine learning engines to spot emergent anomalies in real time and that block malicious visitors from scraping or attempting ATOs.