What Hackers Want More Than Your Credit Card Number

Account takeover fraud — which occurs when a cybercriminal gains unauthorized access to an online account — is growing rapidly, a new analysis by a major Canadian cybersecurity company shows.

Vancouver, British Columbia-based NuData Security, which predicts and prevents online fraud, analyzed more than 15.7 million login interactions from May through June and identified 882,340 as high risk or potential account takeover attempts.

“Account takeover is the new credit card fraud,” says Ryan Wilk, the company’s director of customer success.

The most common method of account takeover, he says, begins with obtaining a list of user names and passwords.

New on the Black Market

“Fraudsters employ a variety of techniques to obtain the personal and financial information typically needed to take control of an existing account,” Wilk says. “This can be as simple as Dumpster diving and looking through people’s mail to purchasing packages of Fullz on the Web black market.”

Get everything you need to master your credit today.

Get started for free

In Dumpster diving, a hacker obtains data about a user, so the hacker can impersonate the user and gain access to the user’s profiles or other restricted areas of the Internet. Fullz is a slang term used by hackers and data resellers for full packages of individuals’ identifying information, which may include a person’s name, Social Security number, birth date, account numbers and other data.

Nearly 60% of more than 500 million online account creations NuData Security analyzed from May through July “were flagged as high risk or fraudulent.” That percentage is a huge increase from 28% flagged as high risk or fraudulent from February through April.

An account creation is the act of opening a new account such as establishing a new user profile and an account on Amazon.com or eBay.

Statistics Point to New Threat

“We’ve seen that account creation fraud has increased by more than 100% since February 2015,” Wilk says. “These cybercriminals or bad actors are finding new ways to conceal their location. They are moving quickly from one IP address to another to steal valid credit card accounts, as opposed to cycling through hijacked credit card information based on lists stolen from databases.”

Nearly half of all account registration fraud attempted in May involved creating false accounts to deliver false product ratings, NuData Security’s analysis shows.

“While review fraud is on the rise, the techniques are getting more sophisticated, and the number was slightly higher than anticipated,” Wilk says.

“Credit card fraud is passé, and account takeover is the new credit card fraud,” he says. “Much like a virus reacts to a vaccine, hackers develop new ways to penetrate security systems as the old methods become ineffective. Shifting tactics is just one way hackers have become more sophisticated in their efforts to stay ahead of detection efforts.”

Fraudsters are moving beyond payment card details, Wilk says, and are instead targeting data such as Social Security numbers, addresses and bank account information.

“The more information criminals collect from an individual, the easier it is for them to actually commit fraud using that info,” he says. “That’s why the recent Office of Personnel Management breach (in which cybercriminals stole information about more than 20 million federal employees, contractors and others) was particularly concerning. The bad actors look for the path of least resistance and are becoming more sophisticated daily.”

Detecting the source of a cyberattack can be difficult because cybercriminals can launch online assaults from infected computers worldwide, Wilk says. From May through July, most attacks observed by NuData Security originated in China and the United States, he says. Other countries from which a large amount of “malicious behavior” originated were Saudi Arabia, the United Kingdom, Malaysia and Brazil.

“The U.S. is home to members of some of the world’s most notorious hacker groups, including Anonymous and AntiSec,” Wilk says. “China has a sophisticated network of hackers. Some are connected to the China’s military, though the extent is unknown, and the government and officials continue to deny China’s involvement.”

Developing countries’ bad behavior can be attributed to “an overabundance of technologically trained young people with low-paying jobs,” he says.

Businesses should protect themselves from fraudsters by implementing user behavioral analytics to help verify valid users, Wilk says. “By implementing user behavior analytics, fraud can be detected and predicted before it causes damage to a business.”

[Editor’s Note: Detection is the first step to stopping new account fraud or identity theft. You should check your financial accounts regularly for signs of fraud. You can also keep an eye on your credit reports and scores for signs of fraud. You can get free annual credit reports under federal law at AnnualCreditReport.com. You can also check your credit scores for free once a month at Credit.com.]