New report from RSA Fraud & Risk Intelligence finds fake profiles and throwaway devices are transforming social media into a cybercriminal marketplace
RSA Security has today released its Q1 2018 Fraud Report, providing analysis of consumer fraud data from the RSA Fraud and Risk Intelligence team. The report offers a snapshot of the cyber fraud environment from behind enemy lines, showing that the number of fraudulent transactions originating from a mobile app during the quarter has increased by 200 per cent since 2015. Analysis from the team also indicated that abuse of social media platforms is a growing problem, with social media replacing the dark web as the top hacker marketplace.
Key stats include:
- ‘Appy hunting – the proportion of fraudulent transactions carried out on a mobile app has jumped from just 5 per cent in 2015 to 39 per cent in the first quarter of 2018 – the volume of fraudulent transactions has risen by 680 per cent overall and by 63 per cent since Q1 2017
- Down goes the desktop – use of traditional web browsers for fraudulent transactions is on the decline, dropping from 62 per cent to 35 per cent since 2015
- Burner phones rife – 82 per cent of observed fraudulent e-commerce transactions originated from a new device in Q1 2018, as hackers try to avoid detection
- New profiles and devices used for cash out – Fraudsters used a new account and new device in 32% of all the fraudulent transactions seen during the quarter, suggesting that many are attempting to use stolen identities to create “money mule” accounts as part of their cashing out process.
- Phishing remains at #1 for cyber criminals – despite being one of the oldest online fraud tactics, phishing accounted for 48 per cent of all fraud attacks observed in Q1 2018
- Trojans still siphoning credentials – financial Trojan malware was present in one in every four fraud attacks observed in Q1 2018
- Cards being compromised – RSA recovered more than 3.1 million unique compromised cards and card previews from reliable online sources in the quarter – these all include CVV numbers.
“There has been a sharp rise in the volume of legitimate transactions carried out over mobile apps, so it’s only natural that hackers have followed suit in targeting mobile channels for fraud,” commented Daniel Cohen, Director at the RSA Fraud and Risk Intelligence Unit. “Unfortunately, many mobile apps fail to build security from the ground up. This means cybercriminals and fraudsters are able to slip through the cracks, hijacking mobile applications and siphoning off credentials and funds. As mobile-related fraud continues to grow, consumers and businesses alike need to be aware of the risks.”
Mobile’s influence doesn’t stop with malicious apps, the increasing availability of social media on mobile devices has created a thriving cyber-criminal ecosystem, with more than 4 out of 5 hackers using new devices to carry out fraudulent transactions and avoid being caught.
“Social media provides the perfect control station for cyber criminals, who can easily create profiles using fake details to operate on the platforms before collaborating with other fraudsters in closed groups, or peddling stolen wares in online marketplaces,” explains Cohen. “Social media’s scalability, anonymity and reach is providing cyber criminals with the perfect disguise; they can jump between accounts and devices at will, rarely using the same device twice. This makes it much easier to dodge the authorities and continue scamming. Reddit has recently banned a number of subreddits dedicated to fraud, where hackers were exchanging contacts, advertising services and sharing reliable sources of Dark Web fraud forums.”
In light of these findings, RSA has provided a number of recommendations to help consumers and businesses alike avoid falling victim to cyber fraud:
- The devil’s in the download – with one in 20 fraud attacks associated with a rogue mobile app, people must practice caution when downloading new apps, making sure to verify the publisher and pay close attention to what permissions each app requests
- It’s who you know – avoiding clicking on links in text messages or emails from unfamiliar senders will significantly lower the chances of having bank details stolen, or malware being installed on devices
- Safe housekeeping – smaller purchases will often be made first to test the waters, so monitoring bank accounts for suspicious purchasing activity is vital to catch fraudsters early in the act
- Educate yourself and your employees – free initiatives such as ActionFraud offer a number of helpful tools to keep consumers safe, while the Cyber Essentials scheme offers a similar service to businesses
- Create a device identification process for your business – take a business-driven approach to security by linking device identification to a clear risk strategy e.g. ask users on new devices to re-authenticate to reduce the risk of fraud
“We all need to take a share of the responsibility for reducing and preventing fraud – from the consumer, through to the banks and social media platforms. After all, fraud is not going away any time soon and can be very costly, to individuals and businesses alike,” explains Cohen. “We need to get better at spotting it, by being more aware of it. Social media and mobile devices have made it easier than ever for fraudsters to be successful, but there are often tell-tale signs that something is up. Stay vigilant and don’t always trust what you see online!”
For more information, you can download the full Q1 2018 Fraud Report here.