A new fraud ring called Proxy Phantom is using sophisticated credential-stuffing attack methods to take over customer accounts for U.S.-based e-commerce merchants.
The latest research from digital trust and safety firm Sift demonstrates fraudsters’ relentless innovation and reinforces retailers’ need to double down on fraud protection as the holiday shopping season rapidly approaches.
The analysis, which Sift revealed last month, is part of a larger report based on Sift’s aggregate platform data and a 1,000-respondent consumer survey on the surge in account takeover attacks (ATO) over the last year.
Sift’s Q3 2021 Digital Trust and Safety Index details the evolving methods fraudsters employ to launch ATO attacks against consumers and businesses. The report details a sophisticated fraud ring that sought to overwhelm e-commerce merchants by innovating typical credential-stuffing campaigns.
The Proxy Phantom fraud ring used a massive cluster of connected, rotating IP addresses to carry out automated credential-stuffing attacks to hack user accounts on merchant websites.
Using more than 1.5 million stolen username and password combinations, the group flooded businesses with bot-based login attempts to conduct as many as 2,691 login attempts per second. The incoming traffic appeared to come from seemingly different locations.
“As the discovery of the Proxy Phantom fraud ring demonstrates, fraudsters will never stop adapting their techniques to overwhelm traditional fraud prevention, making suspicious logins look legitimate, and legitimate ones look suspicious,” said Jane Lee, trust and safety architect at Sift.
At the same time, poor consumer security habits, such as reusing passwords for multiple accounts, make it easy and continue to breathe life into the fraud economy. To bolster their digital defenses and secure customer accounts, merchants need to adopt a digital trust and safety strategy to stop these advanced attacks before they shatter consumer loyalty and stifle growth, she said.
Attack Details
Researchers relied on data from Sift’s global network of over 34,000 sites and apps and its survey. The report examines the growth and evolution of ATO. It integrates consumer perceptions and concerns surrounding account takeover attacks.
The highlights:
- Attackers used a large cluster of rotating IP addresses — which grew 50 times. The attackers paired traditional methods with credential-stuffing tactics to hack user accounts on merchant websites.
- The attack group used 1.5 million stolen credentials to flood businesses with bot-based login attempts to overwhelm corporate servers.
- Targeted merchants using rules-based fraud prevention methods are forced to play a supercharged, global game of “whack-a-mole.”
Merchants on Sift’s network were protected against the attacks, as Sift’s platform blocked the Proxy Phantom IP clusters, according to Jeff Sakasegawa, trust and safety architect at Sift.
Account Hacking Explodes During Pandemic
Sift’s Q3 report also revealed a staggering 307 percent increase in ATO attacks between April 2019, when many Covid-19 stay-at-home orders were enacted, and June 2021. This attack method made up 39 percent of all fraud blocked on Sift’s network in Q2 2021 alone.
Researchers so far have no clues as to the location or size of this new Proxy Phantom fraud group.
“We cannot definitively say where the attacks originated from because they used VPNs to disguise their locations, making the attacks appear as though they were coming from locations all over the world,” Sakasegawa told the E-Commerce Times.
Credential stuffing attacks are old hat. But attackers have added a few new tricks to better weaponize their digital arsenal.
“Credential stuffing attacks are widespread and common, but the use of automation to rotate through massive amounts of IP addresses in tandem with credential stuffing is a particularly sophisticated version of the attack,” he said.
While this is not the first time fraudsters have employed this technique, it is one that seems to be gaining traction because it makes blocking the attackers so much more difficult for businesses, added Sakasegawa.
Fintech Also Under Fire
Sift’s network data uncovered significant ATO risk for the fintech and financial services sector and its users. ATO attacks against the fintech sector soared 850 percent between Q2 2020 and Q2 2021. These attacks were mainly driven by a concentration on crypto exchanges and digital wallets, where fraudsters would likely try to liquidate accounts or make illicit purchases.
Additionally, nearly half (49 percent) of consumers surveyed as part of the report feel most at risk of ATO on financial services sites compared to other industries — and with good reason. Of the ATO victims surveyed, 25 percent were defrauded on financial services sites, validating the public’s sentiment that these sites are some of the riskiest.
Cascade of Chaos
The Sift Index also paints a detailed picture of the ripple effects of ATO attacks on businesses and consumers alike. Key findings include:
- Compromise breeds compromise — Almost half (48 percent) of ATO victims have had their accounts compromised between two and five times.
- ATO leads directly to brand abandonment — Seventy-four percent of consumers surveyed say they would stop engaging with a site or app and select another provider if their account was hacked on that site or app.
- The aftermath of an ATO attack — Forty-five percent of those who experienced ATO had money stolen from them directly, while 42 percent had a stored credit card or other payment type used to make unauthorized purchases. More than one in four (26 percent) lost loyalty credits and rewards points to fraudsters.
- Perhaps most worrisome, nearly one in five (19 percent) victims are unsure of the consequences of their accounts being compromised.
- Waning trust in e-commerce: One in five (20 percent) of consumers surveyed feel less safe shopping online today than they did a year ago.
“One of the most important takeaways from the report is that compromise breeds compromise when it comes to ATOs,” Sakasegawa said. “Companies should presume that some percentage of their customers have poor password hygiene. If that is the case, they need proper tooling in place to identify and prevent ATOs from occurring.”
Bad actors know that a successful login on one site likely means they can access others using the same credentials. He recommended that consumers think twice about reusing a password the next time they sign up for an account or are prompted for a password reset.
ATO Leads to Abandoning Brands
The Sift report found that ATO leads directly to brand abandonment. Nearly three in four (74 percent) of consumers say they would stop engaging with a site/app and select another provider if an account was hacked, noted Sakasegawa.
An ATO attack against a customer has a lasting impact on loyalty. It is imperative brands address the growing problem, especially ahead of the holiday shopping season when fraudsters can more easily fly under the radar within the surge in account activity, he added.
Machine Learning Needed for Protection
According to Sakasegawa, cyber protection is an arms race between businesses and fraudsters. The sustained growth of e-commerce makes it easier for fraudsters to target businesses and more challenging for businesses to protect against the increase in attacks.
“Fraudsters have the time, means, and motivation to attack and are more knowledgeable about the mechanics of digital commerce and the legitimate merchants they target,” he said.
Additionally, fraudsters use Deep Web forums such as Telegram to share successful ways of exploiting companies and customers. However, companies do not have the resources to have similar conversations with their peers on how to prevent exploits due to legal and disclosure reasons. That, in turn, makes it even more challenging for retailers to defend themselves, observed Sakasegawa.
“The only way to proactively fight against this sophisticated behavior is to leverage machine learning. ML is essential to not only identifying new trends but changing risk thresholds,” he offered.
Sakasegawa added that with an ML-first fraud prevention solution, fraud teams can spot trends before they become pervasive and proactively prepare for fluctuations. By ingesting purchases in real time, ML systems can quickly adapt to look at new signals to detect suspicious activity, making fraud prevention efficient without introducing undue friction for customers.