Earlier this month, the Q1 Cybercrime Report from ThreatMetrix revealed that in the first quarter of 2018 alone, ecommerce services suffered as many as 820 million bot attacks, with attack growth outpacing transaction growth by some 83 percent in the period.
Of over a billion organised bot attacks that were launched on ecommerce merchants in the first quarter, 10 percent came from mobile devices. This was mainly because 43 percent of all transactions took place via mobile devices, thereby making them a particular target for fraudsters.
In a fresh report that analyses consumer fraud data for the first quarter of 2018, RSA Security has revealed that fraudulent transactions originating from a mobile app rose by 600 percent since 2015 and 39 percent of all fraudulent transactions during the quarter were carried out on mobile apps.
In fact, the use of mobile apps to carry out fraudulent transactions has become so commonplace that the use of traditional web browsers for fraudulent transactions has gone down from 62 percent in 2015 to just 35 percent this year. 82 percent of all fraudulent transactions using mobile apps were carried out using burner phones so that investigators could not identify such fraudsters.
To detect and prevent the use of burner phones for carrying out fraudulent transactions, RSA Security suggested that firms should implement accurate device identification and should adjust their risk policies accordingly to minimise false positives and customer friction during a login or transaction event.
"There has been a sharp rise in the volume of legitimate transactions carried out over mobile apps, so it's only natural that hackers have followed suit in targeting mobile channels for fraud. Unfortunately, many mobile apps fail to build security from the ground up. This means cyber-criminals and fraudsters are able to slip through the cracks, hijacking mobile applications and siphoning off credentials and funds," said Daniel Cohen, director at the RSA Fraud and Risk Intelligence Unit.
"As mobile-related fraud continues to grow, consumers and businesses alike need to be aware of the risks," he added.
Javvad Malik, security advocate at AlienVault, told SC Media UK that mobile apps remain a booming area as people continue to use their mobile devices for all manner of activities in both their personal and corporate lives.
"In the rush to be first to the market, many companies overlook security considerations beyond what is needed to get an app into the official store, leaving it exposed to be taken advantage of. Both app developers and app store providers have a responsibility to ensure security is taken fully into consideration and rigorously tested before being made available to customers," he said.
In its report, RSA Security also revealed that online fraudsters are "increasingly migrating to social media to communicate, trade information, advertise their services, and even create virtual storefronts to sell stolen data". Figures released by the firm indicate that social media is slowly but steadily replacing the dark web as the top marketplace for hackers.
Even though Reddit has banned numerous subreddits that were used by fraudsters to trade stolen data, fraudsters have moved to other social media platforms to resume their covert activities.
"Social media provides the perfect control station for cyber-criminals, who can easily create profiles using fake details to operate on the platforms before collaborating with other fraudsters in closed groups, or peddling stolen wares in online marketplaces.
"Social media's scalability, anonymity and reach is providing cyber-criminals with the perfect disguise; they can jump between accounts and devices at will, rarely using the same device twice. This makes it much easier to dodge the authorities and continue scamming," Cohen added.
"There is a thriving fraud business happening on most major social media sites that is going completely unnoticed. Organisations need to be monitoring social media for fraud threats targeting their business, or for those who lack the resources, consider contracting with a vendor who specialises in cyber-intelligence services," said the RSA Security report.