ThreatList: Half of All Social Media Logins Are Fraud

social media fraud report

Fraudsters are using social media to spam, steal information, spread propaganda and execute social-engineering campaigns.

More than half of logins (53 percent) on social-media sites are fraudulent; and 25 percent of all new account applications on social media are fake, according to a recent analysis. Those numbers far outstrip the overall rate of 10 percent of interactions being fraudulent.

The Arkose Labs Q3 Fraud and Abuse Report found that social-media platforms see a variety of attacks from bots as well as malicious humans, including account takeovers, fraudulent account creation, spam and other abuse. More than three-quarters (75 percent) of attacks on social media are automated bot attacks, according to the analysis.

Unlike other industries, account-takeover attacks are more common for social media, with logins twice as likely to be attacked than account registrations. This is driven by the fraudsters looking to harvest rich personal data from the accounts of legitimate users, according to Arkose.

“The extremely high attack rate on social-media logins is indicative of the value placed on the data fraudsters extract from compromised social accounts,” said Kevin Gosschalk, CEO of Arkose, in a media statement. “Because more than 50 percent of social media logins are fraud, we know that fraudsters are using large-scale bots to launch attacks on social-media platforms with the goal of disseminating spam, stealing information, spreading social propaganda and executing social-engineering campaigns targeting trusting consumers.”

From an overall digital fraud perspective, Arkose examined more than 1.2 billion transactions spanning account registrations, logins and payments from financial services, e-commerce, travel, social media, gaming and entertainment industries, and found that one in 10 transactions overall are malicious, ranging from automated bots to humans carrying out scams.

Automated attacks represent the bulk of the traffic, according to the report, ranging from large-scale account validation attacks, to bots blocking seats on an airline to scripted attacks that scrape user data and inventory.

This varies by geography and industry though: Further analysis found that most attacks from China (59.3 percent) are human-driven, which is more than four times higher than the U.S., Russia, the Philippines, and Indonesia.

Unlike bot traffic, inauthentic human traffic is harder to detect as human behavior is unpredictable and highly nuanced.

“Sometimes fraudsters have to rely on humans to carry out attacks; these attacks cost more, but the value they can extract from the attack makes the investment worthwhile,” said Vanita Pandey, vice president of strategy at Arkose Labs, in a media statement. “Developing economies are quickly becoming fraud hubs because they have easy access to sophisticated tools, cheap manual labor and good economic incentives associated with online fraud.”

The report pinpointed some interesting vertical trends: For one, payment transactions in the travel industry are 10 times more likely to be attacked; and, the retail industry experiences the highest volume of human driven attacks, with more than half of attacks being human-driven.

The travel industry attacks are mainly coming from automated bots looking to block inventory, leading to denial of inventory attacks or a significant increases in ticket prices. They’re also looking to steal hard-customer loyalty points, which can be liquidated into cash. Overall, Arkose Labs found that almost 10 percent of all login attempts on travel sites and 46 percent of all payment transactions for travel are fraud.

As for retail, the sector is on the cusp of the most-attacked time of the year.

“As we head into the holiday season, this is critical for the retail industry, which sees high volumes of seasonal and human driven fraud,” said Pandey. “Right now, fraudsters are actively preparing to launch large-scale attacks on retail vendors during the holidays by validating and testing stolen gift cards and identities compromised in recent breaches. The long-term solution to this problem is not rooted in applying new defenses — because fraud will continue to evolve — but rather to break the economics of the attack and eliminate a fraudster’s financial incentive.”

Meanwhile, the technology segment is heavily targeted by human click-farms and sweatshops, which employ a large group of low-paid workers hired specifically to make fraudulent transactions or create fake accounts, the report found. In fact, 43 percent of all attacks on tech companies are human driven and account registrations for tech companies are four times more likely to be attacks than logins.

According to the report, the U.S., Russia, the Philippines, the UK and Indonesia have emerged as the top originators of attacks, with the Philippines as the single biggest attack originator for both automated and human-driven attacks. The U.S. is a distant second.

Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.

Suggested articles