Sophisticated Attacks Shift Away From FIs in Second Half of 2020: NuData

Following a surge of sophisticated cyber-attacks on financial institutions during the first half of 2020, the industry saw this category of schemes that closely resemble human behavior shift to other industries – namely retail. That’s according to a new report on cybersecurity trends from NuData Security, a Mastercard company, titled “2020 H2: Fraud Risk at a Glance.”

The percentage of attacks against financial institutions classified as sophisticated dropped by 65% from the first to second half of 2020, while sophisticated attacks on the retail sector grew from 38% to 76% during that time period, according to NuData. “Our H1 report warned of a new type of attack on the rise – sophisticated scripts that emulate human behavior to evade detection,” the report stated. “Our H1 report predicted this focus was likely to shift as attackers test their new techniques against industries that are perceived to have weaker security protections. As predicted, the percentage of attacks on financial institutions that were sophisticated dropped to 31% as attack volumes in the sector declined overall.”

In a sophisticated automated attack, cybercriminals imitate human interaction by running advanced software scripts that display common browser or application behavior, making the attack harder to detect, NuData explained. In a basic automated attack, bot behavior is often evidenced by easy-to-detect signs such as repeated use of the same IP address or a lack of JavaScript execution.

In addition to writing advanced software scripts, cybercriminals are increasingly using other humans to pull off lucrative attacks, the report noted. NuData recorded a four-month spike –350% higher than the year’s average – in human-driven attacks on high-value accounts within the financial industry. “As the use of bot detection tools becomes more widespread, this tactic is growing in popularity,” the report stated, noting that as an example, cybercriminals “employ human farms who are paid small sums to complete online tasks, such as solving CAPTCHAs, posting reviews or creating new accounts.”

There are subtle differences between human-driven attacks and legitimate online human behavior that companies should watch out for, the report said. Signs that a user could in fact a human farm worker being paid by a bad actor include: Filling out online forms at a high speed, displaying a lack of familiarity with the personal data being entered such as name and street address, and frequent use of copy-paste in an online form.

According to Dave Senci, vice president of product development for NuData, the report’s findings ”bring to the forefront an often-avoided truth that a determined attacker is willing to put extra effort in to bypass a bot barrier, even if that means making the attack a bit more expensive by paying humans to bypass those bot barriers.”

He added that credit unions and other financial institutions hold some of the most valuable accounts for attackers, as their accounts give access to money; however, financial institutions are lucky in that 63% of them are planning on transforming their authentication solutions in 2021, according to 2020 research from Aite Group. “This means adding additional security measures like behavioral and passive biometrics tools that can detect anomalous behavior in real time even when the threat comes from a human,” Senci said.

Financial institutions should also note that because of the consumer shift to online banking during the pandemic, online login traffic increased by 10% year over year in the financial industry in 2020, leading to an increase in application fraud, NuData said. This type of fraud is expected to cost financial institutions $4.1 billion by 2023, according to the report.

Senci said application fraud, which includes DDA and credit card application fraud, is a very complex problem with many layers, but for credit unions looking to defend themselves, it comes down to making these fraudulent attempts challenging and more expensive for attackers. “The first thing for credit unions is to make sure this fraud is flagged accurately,” he said. “For example, was a confirmed fake account made to create a synthetic identity, or was it made to move illegal funds as a mule? Tagging fraud accurately is the most important step to measure the problem. Additionally, behavioral analytics and passive biometrics tools can help prevent many of these fraudulent applications or account openings as they flag suspicious behavior from the start.”

NuData’s report also revealed the following:

• For the financial services industry, the percentage of successful credentials used in attacks fell from 0.40% in the first half of 2020 to 0.09% in the second half of 2020.
• Across all industries, the average percentage of successful credentials per attack nearly doubled from 1.4% in the first half of 2020 to 2.6% in the second half of 2020.
• Cybercriminals reused IP addresses less in the second half of the year compared to the first half (55% versus 77%) as security tools have become better at identifying suspect IP addresses.
• Concerned about shipping delays, consumers began their holiday shopping earlier in 2020, which led cybercriminals to launch attacks earlier than usual as well.