
21% of All Digital Traffic Was an Attack in 2021

Attackers are evolving their strategies to launch more volatile attacks. They pivot to high monetization opportunities and attack the areas where consumers spend more time and money. Digital businesses must prepare to fight evolving attacks in 2022 and beyond. They must remain agile and use robust tools to thwart imminent attacks and mitigate the damages.

Bad actors are capitalizing on the ongoing digitization across industries to exploit areas of high consumer engagement. As consumers got comfortable relying on digital channels for practically every life activity – banking to grocery shopping – attackers seized the opportunities to leverage accounts for nefarious activities. These threats make our digital identities vulnerable to abuse.

Our latest 2022 State of Fraud and Account Security Report analyzed attack trends between 2020 and 2021 to reveal fraudsters’ latest tactics and targets. In 2021, the majority of enterprises embraced digital transformation, taking consumers’ digital engagement to an all-new level. As a result of increased digital interactions, consumer actions were four times more susceptible to attacks in 2021 than in 2020. New fake account registrations skyrocketed with a 300% increase in 2021, while 1 in 5 logins was an account takeover (ATO) attempt. This increased vulnerability was a direct result of the enhanced monetization potential of digital accounts and was evident across industries.

In 2021, attack probability rose for five out of six industries

Our research reveals five out of six industries witnessed a spike in attack probability. Travel and entertainment were the worst hit. As travel resumed, attackers took advantage of scraping and inventory hoarding opportunities. They compromised a massive 45% of traffic on travel sites, with bots driving 95% of all attacks.

The rising popularity of online media and entertainment platforms attracted more in-platform spam and scam attacks, with online dating and social media platforms bearing the brunt. Attackers created numerous fake accounts – a 50% jump over 2020 – and used them for online abuse and to drive spam.

Online retail is perennially attractive to attackers and 2021 was no different. One in every four transactions in this industry segment was an attack; and every other attack was human-driven. This surge in attacks outpaced good traffic growth by almost three times.

Like online retail, financial services are another popular hunting ground for attackers. In 2021, financial services companies faced double the attacks they did in 2020. Credential stuffing plagued the industry, and account takeover attempts drove a nearly 70% increase in login attacks.

Attackers exploited technology platforms to abuse free trial benefits with fake new accounts. The attack rate on technology platforms jumped five times compared to that in 2020. These platforms were the number one target for attackers from China.

Surprisingly, however, attacks on the gaming industry leveled off in 2021 after a major surge in 2020. There was a two-fold decline in attacks, possibly because online gaming platforms implemented their learnings from unprecedented attacks in 2020. That said, the gaming industry was nowhere near complete safety. Two out of three attacks targeted the consumer login touchpoint. Credential stuffing attacks, fake account creation, and hybrid human-bot attacks challenged the fraud teams.

40% of all attacks in 2021 originated from Asia

Attackers transcend geographical boundaries to attack their targets. Earlier it was Russia leading the attacks; in 2021, Asia topped the charts. 40% of all attacks originated from Asia, with every other attack originating from China. Chinese attackers leveraged an ecosystem of tools and low-cost resources to abuse free trials on technology platforms for crypto mining. Gaming was the other industry on the radar in Asia.

In North America, travel and finance companies were the prime targets with 30% and 55% attack rates, respectively. Russia and Ireland in Europe were the hub of all attacks. European attackers extensively used bots to drive 90% of all attacks and their prime targets were social media platforms.

It is interesting to note that regional attack patterns depend on multiple parameters. Disparities in wages, cost of labor, and comparative currency values influence the level of incentives attackers can expect from an attack. For instance, attackers from a country where the currency is devalued may target crypto or other digital currencies, gold, and loot from video games.

Expect more volatile attacks in 2022 and beyond

The abundance and availability of commoditized tools make it easier than ever for attackers to launch volatile attacks. They can choose to overwhelm defenses to make money from the attack volumes or launch low-and-slow attacks to go undetected. A single attack can consume nearly 80% of the traffic, which can overwhelm the servers.

November 2021 was a standout month as it was the peak commercial period. It was also the most dangerous month when bots ran amok and attackers capitalized on the busiest commerce period of the year. Attack rates also doubled. Attackers, however, didn’t restrict themselves to online retail. They attacked the financial services industry incessantly, which led to a three-fold increase in attack rate over the holiday season. On social media platforms, attackers created fake new accounts in hordes, causing one in every five social media accounts to be malicious.

As attackers evolve their strategies to launch more volatile attacks, businesses will face heightened risks. Typical fraud patterns and digital signals will become unreliable. Old fraud defense approaches will become obsolete. An outdated security posture will make digital businesses more vulnerable to imminent attacks, especially credential stuffing. Arkose Labs researchers detected extremely volatile credential stuffing attacks, measuring more than 76 million attempts per week.

Digital businesses need robust tools to fight evolving threats

It is clear that attackers pivot to opportunities where they can monetize the most. In 2022, attackers will accompany consumers to where they spend time and money. Digital businesses should adapt to the evolving attack tactics and protect consumer digital touch points to ensure account security. They must prepare themselves to fight a myriad of attacks including automated, human click-farm-driven, or ‘cyborg’ attacks that are a combination of both. They must plan to thwart every possible attack and monetization opportunity. They must also be able to quickly adapt to high velocity attacks and mitigate the damages.

Digital businesses will need proper tools along with the adaptability and flexibility to ward off evolving attacks in the long term. To bankrupt the business model of fraud, their fraud prevention strategy for the coming year must include four key elements: advanced bot detection, multi-layered consumer behavior analysis, an impenetrable challenge strategy, and actionable insights.

In keeping with our mission to create an online environment where all consumers are protected from malicious activity, Arkose Labs helps global businesses protect their consumers across multiple touch points without disrupting the consumer experience.

In our latest 2022 State of Fraud and Account Security Report, we provide industry-specific insights into the evolving attack types and patterns. These insights along with the best practices can help digital businesses in their fraud prevention efforts in 2022 and beyond. To learn more, request your copy of the report here.

*** This is a Security Bloggers Network syndicated blog from Arkose Labs authored by Julianne Rose. Read the original post at: https://www.arkoselabs.com/blog/21-of-all-digital-traffic-was-an-attack-in-2021/