Over the past year, there has been a sharp rise in automated fraud attacks against financial institutions of all sizes. The first cyberattack using AI was detected in India, an attack in which a machine learning algorithm was used to study patterns of normal user behavior within a company’s network and then emulate human behaviors to gain access to valuable data. This incident is an indication that fraud attacks are becoming ever more sophisticated, and 2018 is poised to be the year of automated cyberattacks.
Below, we explain two of the most common technologies behind mobile automated fraud attacks that affect banks and financial institutions.
Emulators and Fraud
Emulators are software simulations of physical devices that have many legitimate uses but, like all technology, they can be used by cybercriminals to commit fraud. An Android OS emulator, Bluestacks for instance, is a legitimate simulator that is often used by software developers to test their programs. However, emulators can be easily abused by fraudsters and threat actors.
So how do fraudsters utilize emulators to commit fraud? For example, a fraudster can run multiple emulator instances of the same application and then use stolen credentials for account takeovers. Since emulators act in exactly the same way as physical devices, fraudsters can simulate touch and user behaviors - in fact, they can imitate anything.
Emulators are attractive to fraudsters since it is much easier to work on large scale attacks from a desktop rather than a mobile screen. Emulators allow fraudsters to easily run multiple instances of applications, helping them to rapidly scale fraud attacks. Another key advantage of using a mobile device emulator is that emulators can easily bypass device ID blacklists: once a simulation instance is blacklisted, it is simply binned and a new, whitelisted copy is generated. Therefore, threat analysts can no longer rely solely on unique device IDs to differentiate between real users and automated fraud attacks.
For banks and financial institutions, it is extremely important to identify whether traffic is coming from an emulator or a real user, since the use of an emulator to access a mobile application suggests a high risk of fraud.
Bots: Taking Fraud Automation To The Next Level
Fraudsters often go beyond emulators and write sophisticated scripts to simulate the actual usage of an application, not just the medium itself. Such scripts can run on emulators or on actual physical devices. By emulating user activity and behaviors such as touches and swipes to attempt to crack through safety systems, hackers essentially take fraud automation to the next level. Clever bots could come very close to simulating real user behavior, allowing attackers to run numerous simultaneous attacks automatically.
Malicious bots can be highly sophisticated and difficult to identify. Bots can easily take over users’ devices by infecting them with malware, steal user credentials for the purpose of fraud and eventually launch automated fraud attacks from those devices without users’ knowledge. Millions of mobile devices are infected with malware and work together in massive networks or “botnets” to perform, among other tasks, bank fraud by posing as actual human beings.
For many financial institutions, traffic generated by bots (aggregators, scrapers, crawlers) can account for up to 40-60% of their overall website traffic. With the rise in mobile traffic, the use of mobile bots by threat actors is increasing as well. What appears to be real user interaction could in fact be an automated fraud attempt. It is useful here to deploy software that can distinguish between human behavior and robotic behavior.
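The following sketch, an added example that is not from the original article, shows why the device ID blacklist described in the emulator section misses a regenerated emulator instance while a simple behavioral check still flags it. The session format, field names, thresholds and the assumption that a scripted emulator session reports evenly spaced touches at a fixed pressure are all illustrative, and the sample sessions are constructed.

```python
from statistics import mean, pstdev

# Thresholds are illustrative assumptions, not tuned production values.
MIN_TIMING_CV = 0.15        # humans rarely tap with a near-constant rhythm
MIN_PRESSURE_SPREAD = 0.01  # assumption: scripted input reports fixed pressure

def timing_cv(events):
    """Coefficient of variation of the gaps between consecutive touches."""
    gaps = [b["t"] - a["t"] for a, b in zip(events, events[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None  # not enough data to judge
    return pstdev(gaps) / mean(gaps)

def pressure_spread(events):
    """Standard deviation of reported touch pressure across the session."""
    return pstdev([e["p"] for e in events]) if len(events) > 1 else None

def assess(session, blacklist):
    """Return (blocked_by_device_id, flagged_by_behavior, reasons)."""
    blocked = session["device_id"] in blacklist
    reasons = []
    cv = timing_cv(session["touches"])
    spread = pressure_spread(session["touches"])
    if cv is not None and cv < MIN_TIMING_CV:
        reasons.append("uniform touch timing")
    if spread is not None and spread < MIN_PRESSURE_SPREAD:
        reasons.append("constant touch pressure")
    # Require both signals to limit false positives on real users.
    return blocked, len(reasons) == 2, reasons

def touches(times_ms, pressures):
    return [{"t": t, "p": p} for t, p in zip(times_ms, pressures)]

# Constructed sample sessions (timestamps in ms, pressure in the range 0..1).
SCRIPTED = touches([0, 500, 1000, 1500, 2000], [1.0] * 5)
HUMAN = touches([0, 430, 1210, 1580, 2900], [0.41, 0.55, 0.38, 0.62, 0.47])
SESSIONS = [
    {"device_id": "emu-001", "touches": SCRIPTED},   # already blacklisted
    {"device_id": "emu-002", "touches": SCRIPTED},   # fresh ID, same script
    {"device_id": "phone-77", "touches": HUMAN},
]
BLACKLIST = {"emu-001"}

if __name__ == "__main__":
    for s in SESSIONS:
        print(s["device_id"], assess(s, BLACKLIST))
```

A script that adds random jitter to its timing and pressure would pass these two checks, which is why a real deployment has to combine many more behavioral signals than this.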
Putting A Stop To Automated Fraud
Financial institutions are not new to automated fraud attacks. Yet these tools are getting ever more sophisticated, and CISOs and other security personnel should always stay alert to the latest trends and risks in the automated fraud sphere.
The threat landscape is changing. With the rise in mobile traffic and the increased use of mobile banking applications, the threats posed by mobile channels are growing as well. The ability to distinguish between real human activity and automated software on mobile devices with a high level of accuracy is a must for any fraud prevention technology. Behavioral biometrics is a promising avenue to address the problem of automated fraud attempts. By combining hundreds of unique behavioral parameters into accurate user profiles, behavioral biometrics makes simulating user activity an extremely difficult task for an attacker.