RSA Fraud Report: Newsjacking-Based Phishing on the RiseAngel Grant Analyzes Findings, Which Also Show a Surge in Mobile App Fraud
A recent news item leveraged to fuel a massive phishing campaign, she points out, was the relaunch of Canada's Interac payment network. Plus, she anticipates a rise in phishing that involves phony messages about the EU's General Data Protection Regulation now that enforcement has begun.
"We're already starting to see an uptick of phishing emails targeting fake GDPR alerts, [especially] privacy notification acceptance emails, because everyone's getting tons of those right now," she says in an interview with Information Security Media Group. "So yes, any kind of major news like that, cybercriminals tend to newsjack based upon that trend, and try to capitalize on that moment."
RSA's latest fraud report contains global fraud attack and consumer fraud data and analysis from the company's fraud and risk intelligence team for the quarter ending March 31. Among it's other significant findings, Grant says, is an ongoing surge in mobile app fraud.
In the interview (see transcript below), Grant discusses:
- The growth of phishing attacks in Canada;
- The three-year trend toward increased mobile app fraud;
- Swings in compromised cards discovered and recovered in Q1.
Grant leads the go-to market strategy, planning and execution for RSA's enterprise and consumer authentication, identity and access management, anti-fraud and threat intelligence product portfolios.
NICK HOLLAND: One of the first findings of the new report that I'd like to talk about is that Canada was the top phishing attack target in Q1. Why is that?
ANGEL GRANT: In the report, you'll see that over 48 percent of all fraud attacks observed in Q1 were phishing attacks, with Canada, the U.S., India and Brazil being the top countries targeted by phishing.
Canada was an interesting one. We're seeing 60 percent of all the phishing attacks that RSA's anti-fraud command center is tracking over the last six months have been targeting Interac, the Canadian interbank network.
What happened there was Interac relaunched in February, and at that time we saw cybercriminals using this as an opportunity to newsjack and try to reach out to the Canadian population to trick them to think that the emails they were sending were part of that relaunch of Interac.
HOLLAND: Enforcement of the EU's General Data Protection Rule began May 25. Based on that, are you expecting a similar increase in phishing attacks around GDPR to come up?
GRANT: Absolutely. We're already starting to see an uptick of phishing emails targeting fake GDPR alerts, [especially] privacy notification acceptance type of emails, because everyone's getting tons of those right now. So they're taking advantage of that.
It'll be interesting to see how that trends in our Q2 report that we'll be publishing in a couple of months. So yes, any kind of major news like that, cybercriminals tend to newsjack based upon that trend and try to capitalize on that moment.
Mobile App Fraud
HOLLAND: Moving on to another section of the report, which looks at transaction fraud, there seems to be significant growth over time in mobile app fraud. What's going on there?
GRANT: We're seeing that cybercriminals are moving away from desktops and moving into mobile apps and social networks, kind of like the rest of us are. Essentially, what we're seeing is mobile transactions are increasing, so over the past three years, we've got well over a 200 percent increase in mobile transactions originated. However, in parallel to that, we're also seeing a dramatic growth rate in fraudulent transactions over that same period - over 600 percent.
As more people are transacting with mobile, we're also seeing fraudsters follow and a dramatic spike in fraudulent transactions over that same period.
HOLLAND: And that's outpacing the growth of genuine transactions? It's not just fraud growing as a percentage of overall growth of apps that have a transactional component?
GRANT: That's correct. Some of the reasons for that is that it's much easier to conduct transactions through the mobile channel than on the web channel. These type of criminals can transact as they go. Also, organizations are starting to add new functionality to their mobile apps that cybercriminals are also taking advantage of as well. Right now, we're seeing many organizations are very behind in their fraud prevention strategies on securing the mobile channels compared to the investments that they've put into securing their web channels.
We're also seeing that the cybercriminals are leveraging new devices to conduct fraud so that they will be less likely to be tracked. So for example, a cybercriminal will use a burner phone. In Q1 we saw 82 percent of all fraudulent and ecommerce transactions originated from a new device. ... They're using a combination of new devices as well as new profiles. So basically they conduct new account fraud.
New account/new device combinations were 32 percent of all fraudulent transactions. They're using this as a way to create a mobile money mule account as part of the cash flow process.
Synthetic ID Fraud
HOLLAND: There's a lot of coverage and numerous research at the moment relating to the growth in synthetic identity fraud. Is that a core component of a lot of this?
GRANT: It definitely is. The amount of identities that have been compromised over this past year is so dramatic. Cybercriminals are taking advantage of that and leveraging that information to conduct new account fraud by creating these new accounts and using stolen credential information to conduct and create synthetic identities to minimize the amount of detection that potentially an organization can have when they're transacting.
HOLLAND: The report shows there's the huge fluctuation between each of the months [January, February, March] with compromised cards being discovered and recovered. So why is that, and is that typical with previous years?
GRANT: With credit card fraud, one of the things that we see typically year over year is that there is always a spike January, typically due to the holiday season, where cybercriminals take advantage of the peak of people using their credit cards, and then they use that as an opportunity to harvest additional credit cards and then buy and sell them in the underground.
In the report, you'll see that we recovered over 3.1 million unique compromised cards from a variety of different sources. The interesting thing, too, is a trend that we're seeing is cybercriminals are not just focusing on selling these cards on the dark web. They still do that, but because they have such a surplus of stolen cards and PII, they're now moving into emerging social media platforms and almost creating this whole new dark web moving into a gray web. So cybercriminals are buying and selling credit cards right there in plain sight on social media sites like Facebook, [Tencent] QQ, WhatsApp and Instagram, and leveraging these social media platforms to buy and sell credit cards right there.
So if you went to Facebook, for example, and typed in CVV, you would see a screen come up with credit cards that are stolen, right there, and you don't need to be this super-secret cybercriminal in a dark web forum anymore.
HOLLAND: So Angel, what are you predicting for the Q2 report?
GRANT: Well, we're going to continue to track newsjacking with phishing attacks and seeing if there's any other pattern spikes there.
But we're also noticing that cybercriminals are looking for additional ways to monetize and anonymize their activities. So we're interesting to see what happens in the world of blockchain and how they're potentially leveraging that, creating new fraudulent ecosystems and infrastructures to help prevent law enforcement from taking down their forums.