Case Studies

Humans versus bots

by Mark Rowe

Europe is seeing a noticeable spike in cyber attacks as the impact of the pandemic and job losses continues to take its toll. Although bot attacks still remain the number one attacking vector in Europe (88.1 percent), human fraud is emerging as a new growth area and is fast on the rise. This trend varied by industry with tech (40pc) and media (32pc) seeing the highest human-driven fraud. Human fraud also spiked in payment attacks on retail companies.

The more efficiently fraudsters can execute attacks, the higher the potential RoI (return on investment), and Arkose Labs’ latest report logged a surge of large-scale bot attacks capitalising on the digital transformation across industries, mostly linked to the pandemic. This never-before-seen uptick in human attacks is something businesses are being urged to prepare for in this latter half of the year, says the cybersecurity company.

While fraudsters still favour automation to deploy attacks cheaply, the volume of human-assisted attacks have increased dramatically since the second half of 2020. These types of attacks have been increasing the most in digital media (including social networks), gaming and tech industries. Areas of the world that have seen the greatest rise in human attacks are countries in Europe, North America, and Asia.

Kevin Gosschalk, CEO and co-founder of Arkose Labs said: “Whether they are taking over existing user accounts, or creating fake accounts for a variety of purposes, fraudsters expertly disguise themselves as legitimate users to abuse and monetise digital accounts. Human-powered attacks have been notoriously low in the past but now are becoming a legitimate concern as fraudsters circumvent increasing bot prevention with mal-intended humans.”

Organised operations of workers are deployed to attack at scale while keeping costs low and circumvent anti-bot defences. This trend could also indicate that many of those who turned to fraud after sudden job losses during the pandemic may have found this new line of work was profitable and continued doing it.

Lizzie Clitheroe, UK Research Lead at Arkose Labs said: “Organised fraud is fuelled by a complex shadow ecosystem, which provides the low-cost tools, data and resources needed to launch attacks on digital accounts and transactions at scale. Human labor is a vital component of this, and as the economic fallout of the pandemic continues, individuals are being actively recruited to help scale up attacks and bypass anti-bot defences.”

Social networks are a huge target, the firm suggests.

The report also indicated that there was a large number of human-driven attacks from North America – primarily driven by attacks on social media companies. Humans are required to launch scams on these platforms, which they do by sending phishing messages or malicious links to good users seeking to place malware on their devices or extract sensitive information, which can then be resold at a large profit.

Alongside this, the report has found a rise in an insidious new trend of bad actors hijacking trusted IP addresses to carry out attacks, to help avoid detection. This has been made easier by the explosion of new IPs created in recent years due to a proliferation of smart devices and the IoT – such as smart baby monitors, smart TVs and home security devices.

Kevin Gosschalk added: “The explosion of internet connected devices in homes over the last several years – including home security devices, virtual assistants and smart appliances – along with the enforced working from home mandate has provided fraudsters and other attackers with a plethora of new IPs to potentially hijack and misuse.

“Cybercriminals can hijack IPs by rerouting Border Gateway Protocols (BGPs) which are the standard routing protocol of the internet. Those intent on large-scale cyberattacks can then use a network of these compromised devices to launch an attack against a website or series of websites.”

Related News

Newsletter

Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing