As Covid-19 drives a higher volume of transactions online, the dance between cyber criminals and security professionals has stepped up a beat. Enterprises are re-assessing the robustness of their systems, while bad actors are looking for vulnerabilities to exploit in the emerging new normal. At Shape Security, we process billions of transactions every week on behalf of some of the world’s biggest banks, retailers, government agencies and airlines.
Since early March, when the shelter-in-place guidelines started coming into force, we have noticed major spikes and collapses in online activity across a range of verticals. Traffic to online grocery delivery providers in our network is up 400%, and investment account log-ins have risen by 53%. Correspondingly, online travel bookings are down 75%, new payroll account registrations have been cut in half and, perhaps most interestingly, international money transfers have fallen by 35%.
These are unsurprising trends, as some sectors of the economy experience unprecedented demand while others remain in near-total lockdown. Less clear is whether the volume of attacks and malicious activity has increased in the wake of Coronavirus, and indeed whether there is any direct link between the two. The data isn’t yet definitive, and in our experience there are too many variables in each case, such as the application in question, the countermeasures in place and the monetisation scheme being pursued.
Nevertheless, it is important for any organisation that relies on applications both to understand how attackers are operating in the current circumstances and to reconsider whether its security measures are sufficient. Whether or not the volume of attacks is on the rise, we are seeing a definite evolution in the behaviour of cyber criminals, as well as some clear trends to be aware of.
As one example, attackers have been targeting portals that allow people to access Government finance and assistance schemes under the US Coronavirus Aid, Relief, and Economic Security Act. Every applicant needs to enter a Taxpayer Identification Number to proceed. As a result, attackers have been tapping into the workflow to run automated programmes that allow them to endlessly fish for, and then validate, real TINs, for sale or malicious use elsewhere.
Another prevalent act of fraud we are seeing is the targeting of the quick service restaurant industry. Here, fraudsters are posing as discount providers on social media to place real orders with QSRs using stolen credit cards. The transaction proceeds as normal through the restaurant’s system and the delivery provider’s. Only when the chargeback occurs weeks later does the fraud become apparent, by which time it is too late to trace or recoup. The cost of this scam has run into hundreds of thousands of dollars per month for some companies in the industry.
What these examples demonstrate is the relentless adaptability of cyber attackers. When there are major shifts in consumer behaviour, such as the recent spike in online food orders, they shift their playbook to take advantage.
So, how can companies be equally agile in their response? The first step is to acknowledge the extent of the problem. One Fortune 100 customer came to us with the assumption that about 20-30% of their traffic was malicious. Our analysis showed that the real figure was 98%. This is a common problem, because a security operations centre will often focus on the noisiest IPs and miss the long tail of those contributing small volumes of malicious traffic.
The second point is to collect signals from your network, users and environment that will help you to identify automated and potentially malicious traffic. For instance, if you are looking at how users navigate an online workflow, signals will easily distinguish the keystrokes and mouse movements of a human user from the overly precise behaviour of a bot. They can also often tell the difference between a legitimate user and a manual fraudster. The latter, having become very familiar with the workflow, will typically navigate it more quickly.
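To make the behavioural-signal point concrete, here is an added example (not Shape’s code or product logic) that scores constructed sessions on two of the signals mentioned above: jitter in inter-keystroke timing and straightness of the mouse path. The thresholds, session fields and sample telemetry are assumptions for illustration.

```python
"""Behavioural-signal triage: flag sessions whose input telemetry looks automated.

Added illustration, not Shape Security's detection logic. Thresholds and
telemetry shapes are assumptions chosen for the constructed samples below.
"""
import math
import statistics
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    key_intervals_ms: list   # gaps between successive keystrokes in a form
    mouse_path: list         # (x, y) pointer samples while navigating the form


def keystroke_cv(intervals):
    """Coefficient of variation of inter-keystroke gaps.
    Human typing is jittery (high CV); a script firing events on a timer is uniform (CV near 0)."""
    if len(intervals) < 2:
        return None
    mean = statistics.mean(intervals)
    return statistics.pstdev(intervals) / mean if mean else 0.0


def path_straightness(path):
    """Straight-line distance divided by distance actually travelled.
    1.0 is a perfectly linear sweep, the 'overly precise' pointer movement a bot produces."""
    if len(path) < 2:
        return None
    travelled = sum(math.dist(a, b) for a, b in zip(path, path[1:]))
    return math.dist(path[0], path[-1]) / travelled if travelled else 1.0


def classify(session, cv_floor=0.15, straight_ceiling=0.98):
    """Combine both signals; require both to fire before calling a session automated,
    and route single-signal sessions to human review rather than blocking them outright."""
    cv = keystroke_cv(session.key_intervals_ms)
    straight = path_straightness(session.mouse_path)
    flags = []
    if cv is not None and cv < cv_floor:
        flags.append("uniform_keystroke_timing")
    if straight is not None and straight > straight_ceiling:
        flags.append("linear_mouse_path")
    verdict = "automated" if len(flags) == 2 else ("review" if flags else "human-like")
    return {"session": session.session_id, "cv": cv, "straightness": straight,
            "flags": flags, "verdict": verdict}


# Constructed sample telemetry (not captured data).
HUMAN = Session("s-human", [120, 340, 95, 210, 480, 160],
                [(10, 10), (40, 60), (90, 30), (130, 90), (200, 65)])
BOT = Session("s-bot", [50, 50, 50, 50, 50, 50],
              [(0, 0), (50, 50), (100, 100), (150, 150)])
```

Running `classify` over the two samples labels the jittery, curved session human-like and the uniform, linear one automated; a session with only one signal firing lands in the review queue, which is where the trained analysts mentioned later in the piece earn their keep.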
Organizations also need to remember that attackers are a moving target. They will retool after countermeasures have been taken, and shift between web, mobile and API interfaces to seek out new vulnerabilities. As such, security teams need to watch closely how attackers respond to countermeasures to determine their next move. Some don’t even recognise that they are being blocked, while others quickly adapt.
The flexibility of attackers also points to the need not to rely excessively on artificial intelligence and machine learning. These are essential elements of any security toolkit, but it is also important to recognise their limitations. The raw signals detected by AI and ML systems will be full of both false positives and false negatives. You need trained people poring over that data as a crucial second line of defence, watching for anomalies and observing how attackers retool.
Finally, don’t forget user experience. A customer-facing business shouldn’t be overly reliant on tools like CAPTCHA that can inconvenience your real customers more than prospective attackers. This is a time of adaptation for everyone. Security is clearly a priority that demands constant attention. Attackers are evolving fast in this new environment. Organisations across the world need to do the same to protect themselves and their customers.
By Dan Woods, Vice President of the Shape Intelligence Centre, Shape Security.