Cyber Matters: Seasonal Cybercrime will Accompany Holiday Sales
By Rob Sloan, cybersecurity research director, WSJ Pro
The increase in e-commerce sales, starting with the annual Black Friday bonanza and continuing through the beginning of the new year, will bring a proportional increase in attempted fraud as cybercriminals seek to capitalize on a surge in internet traffic to cover their nefarious activity.
The seasonal spike in cybercrime takes different forms, but each exploits a key vulnerability: IT and security staff will be focused primarily on keeping online operations functioning to maximize holiday revenues. Armed with this knowledge, criminals conduct fraud with more certainty of it going undetected until retail activity returns to normal levels.
“Attackers tend to get more active when the internet gets more active and some of that activity will be designed to disrupt the online commerce,” said Josh Shaul, vice president of web security at Akamai Technologies Inc., a content delivery and cloud security company. “Online retailers are very busy during the holiday season and will have less capacity for identifying attacks, and less capacity for identifying the fraud that results from those attacks.”
Retailers often face extortion attempts accompanied by the threat of a denial of service attack that might flood a victim’s servers with junk traffic and knock them offline should they decide not to pay. Often, ransom demands vary depending on the prominence of the target. Mr. Shaul said he advises his customers not to pay, but added “I’m sure a lot of folks are paying the ransom, otherwise this industry wouldn’t have been around for 10 to 15 years.”
Denial of service attacks aren’t the only automated activity that can impact networks though. According to Mr. Shaul, automated “bots”--short for “robots”--are also a growing problem.
Research conducted recently by Mr. Shaul on 45 of Akamai’s largest customers across a number of industries analyzed 600 million login events over a 24-hour period. Almost two thirds of logins were identified as automated, much of it illegitimate. In most cases, the traffic was login attempts with credentials stolen from data breaches of other sites. Likely motivations include identity theft, unauthorized purchases, and pilfering from bank accounts.
Most companies with an online presence, especially small to medium-sized retailers, are unaware that this automated activity is taking place constantly, quietly consuming bandwidth and processing power, and costing money.
“Doing nothing is not a sustainable position,” said Mr. Shaul, who explained the impact comes in the form of login services slowing down for everyone, then accounts are locked for legitimate customers as a result of criminals trying incorrect passwords. “There is a real cost in terms of resetting passwords, the annoyance for customers and lost opportunity cost from customers going elsewhere to make a purchase.”
“If retailers accept those issues as business-as-usual, they get bitten on the fraud side,” he added, as criminals eventually gain access to accounts and seek to monetize the data they can access.
Service providers and cybercriminals have been locked in a game of cat and mouse as detection techniques catch up with bots and then fall behind again. Mr. Shaul said Akamai has given up trying to identify bot activity “because it is too hard.” Instead, the company now focuses on trying to truly understand what legitimate human activity looks like.
For example, code embedded in websites can report what software the visitor is using and record events generated through the user’s interaction with the mouse, touchpad, keyboard or gyroscope in the case of mobile devices. Mr. Shaul said artificial intelligence can then determine whether the action was the result of a real human movement.
“Potentially a robot could use artificial intelligence to generate brand new human-like movements, it will be technically feasible, but the cost of doing that is not worth the effort,” he said.
Mr. Shaul recommends executives ask whether their systems are able to determine whether activity is real or automated in certain use cases, such as at the time of account registration, account login or at the point of a business transaction. “The follow-up questions are ‘How good are we at it?’ and ‘How sophisticated does a bot have to be before we cannot detect it anymore?’” he said. For the majority of organizations, especially those outside the retail and finance giants, the costs will be prohibitive to develop these capabilities in-house.
If 2017 has been any indicator, we can expect to hear much more about bots in 2018.
~~~~~~~~~
(Rob Sloan is cybersecurity research director at WSJ Pro. Previously, Rob has worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob started his career working for the U.K. government, looking at some of the earliest cyberattacks against the critical national infrastructure. Rob’s main interest is the requirements, motivations and technical capabilities of threat actors.)