Business Web sites are facing an increasingly intense full-court press from cybercriminals – the aggregate cost of cybercrime annually, which includes prevention strategies, has exceeded $1 trillion.

Large-scale data breaches are savagely victimizing new accounts while account takeover attempts and credit card fraud has doubled, according to a fraud-data study in June 2013 .

A report by ThreatMetrix shows that Web fraud attacks endanger the full customer life-cycle: New account registration, authentication and payment transactions. ThreatMetrix ( is a provider of cybercrime prevention solutions. The study included the experiences of 9,000 the firm’s customers.

“Nearly one in every 10 new accounts opened online is done using a spoofed identity, and the incidence of account takeover attempts and online payments fraud have both doubled in a six-month period,” said Alisdair Faulkner, the ThreatMetrix chief products officer.

“Data breaches are imminent and given the increased sophistication of malware, organizations should assume that a material percentage of their customers and user accounts are either compromised or criminal and invest accordingly,” he added.

He said attacks on new account registrations using spoofed and synthetic identities saw the highest rate of attacks followed by account logins and payment fraud. About 10 percent of online services originate from a cybercriminal.

New account registrations include applying for new lines of credit, creating a profile on a social networking site or marketplace and enrolling in an authentication scheme.

Mr. Faulkner said the most common form of stolen identities is by human or bot-generated fraud attacks directed through proxies and Virtual Private Networks (VPNs) intended to disguise the true origin of the attacker. These bypass IP address-based geo filter blacklists that also have the downside of unknowingly blocking legitimate visitors.

“The economic impact of these attacks varies by industry,” he added. “However, the common thread is that without automated visibility into the true device, persona, relationship and global behavior, the only alternative is additional verification roadblocks put in front of legitimate customers and extended review and hold-out periods.”

Payments Fraud

Payments fraud attempts, which include online credit card transactions and money transfers, increased from 3.1 percent to 6.4 percent over the six months ending in March 2013.

Mr. Faulkner explained the trends:

  • Sophisticated credit card cyber gangs adopting banking malware, normally used to hijack bank accounts, to steal full credit card information from customers as a fake verification step when attempting to log into a bank account
  • Increase in percentage of digital goods sold by ThreatMetrix customers that historically have a higher incidence of attack
  • The increased availability and adoption of free and commercial VPN services and the growing use of Platform-as-a-Service (PaaS) providers by cybercriminals to set up ad hoc tunneling protocols. VPNs are favored by cybercriminals because they are impervious to proxy piercing technologies and undetected by traditional IP proxy detection services.

Account Takeover

Based on data taken from October 2012 through March 2013, ThreatMetrix customers saw account takeover attempts nearly double (168 percent). These types of attacks have traditionally focused on banking and brokerage sites, but have recently escalated across e-commerce sites that store credit card details and Software-as-a-Service (SaaS) companies that hold valuable customer data that do not yet have the heightened level of protection as banking sites.

ThreatMetrix has seen a rise in the sophistication of account takeover attempts using blended attacks to exploit companies that do not have an integrated solution for malware, device identification and bot protection.

They include:

  • Multi-stage malware exploits: Malware, typically using Man-in-the-Browser (MitB) Trojans, is used to extract login and setup verification credentials from a customer that is then used by a separate device or third party to avoid server-side MitB detection capabilities.
  • Multi-stage scripted attack exploits: Automated bot attacks test previously breached credentials from third-party sites, exploiting that many people reuse user names and passwords. After checking account balances or verifying whether an account has a stored credit card, a second attack is launched, typically done manually, to avoid any server-side bot detection.

Whew. So that’s more evidence that businesses need to be diligent in operating their Web sites and preparing with precautions and response philosophy.

Not only that, but most small businesses make you vulnerable to credit card fraud and identity theft.

From the Coach’s Corner, here are more IT resource links:

“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”

Richard Clarke


Author Terry Corbell has written innumerable online business-enhancement articles, and is a business-performance consultant and profit professional. Click here to see his management services. For a complimentary chat about your business situation or to schedule him as a speaker, consultant or author, please contact Terry.