Don’t Gamble With Consumer Accounts: A Look At Account Fraud and The Big Game

Heads or tails? Millions of viewers are willing to put money on that coin flip of a question in hopes of turning a profit during the NFL’s Sunday championship game, the most-watched annual event in America. 

The NFL reigns supreme when it comes to sports betting, and its season finale is the pinnacle of that. The pageantry of the season-ending main event for the NFL attracted upwards of 16 billion dollars in wagers, more than double last year, according to The Daily. From traditional bets on the game outcome to unique prop bets like the length of the national anthem or the first song performed by halftime artist Rihanna, the possibilities for betting are endless. All of this can be done from your own phone as you enjoy the excitement of the biggest game day of the year.

While humans debate commercials, eat dip, cheer for touchdowns, and wait for their wagers to be decided, their rivals across the internet betting tables are persistently trying to access their privileged information for personal gain. HUMAN is dedicated every day to stopping attacks, and because of this we were honored to spend this season protecting a popular sports betting app. Stopping fraudsters is our game of choice and we had an undefeated season. This entire NFL season we protected our customer from account takeover, fake account creation, and credential stuffing attacks - without disrupting the user experience.

HUMAN’s Satori Threat Intelligence & Research team did a deep dive into just how much the online sports betting exchange was being targeted by these attacks, from the start of the NFL playoffs all the way up to Sunday’s championship game, and how HUMAN was the MVP (Most Valuable Protector).

The Rivals

Let's start with who we are playing against.

Fraudsters: Those who see moments like this in sports, concerts, or other major events as a way to take advantage of excitement and popularity. They are constantly at work using bots to gain an edge, and more moving money equals more opportunities for them.

Most bets are made via sports betting apps, which make betting easy and efficient. However, the popularity of sports betting and the frequent transfer of money make these apps a prime target for malicious attacks, which fraudsters use to essentially "play with house money." Through unauthorized access gained by credential stuffing and account takeover tactics, a threat actor can get into users’ accounts and, ultimately, their money. If successful, not only does the user become vulnerable to the attacker, but the business hosting the account also risks loss - both privately and in the public eye for not providing adequate protection. The bigger the potential payout, the more tempting it is for fraudsters to attempt nefarious activities on these exchanges. This is why it's important to make the cost of doing “business” expensive for them.

The Plays

While there are numerous ways bad actors attempt to profit off of consumers, these were the ones most prevalent during the playoff season.

Account Takeover (ATO): Gaining unauthorized access to user accounts. That access can include usernames, passwords, and bank information if the account is connected to your bank account.

Account Fraud: Fraudsters creating large volumes of fake accounts in order to exploit an application. Bad actors and bots attempt to get as many fake accounts as possible through the registration process in order to take advantage of new sign-up rewards, impersonate humans, and gain an advantage during major online moments such as betting, early access to tickets, etc.

What We Saw 

The data shown below are all unsuccessful attempts on our customer, a major sports betting site. They were not successful thanks to our partner entrusting their protection to HUMAN’s Account Defender.

Figure 1

Figure 1 above is an overall portrait of when traffic started to increase over the last 180 days of the NFL season. You can see from the graph that at the beginning of the playoffs in January traffic went up, doubling at the start of the big game. A tactic used by bad actors is to try and hide among the masses who come in droves to sports betting apps during major gambling events.

Figure 2

Figure 2 shows us the traffic on the site during the game itself, split between bots and humans. The blue is authentic humans and the red signifies bots. You can see how the bots not only followed the authentic human traffic, trying to hide their motives, but also had minimal dropoff during the game.

Figure 3

Figure 4

Here we have the breakdown of account takeover attempts for the entire playoffs (Figure 3) versus game day (Figure 4). There was an increase in account takeover attempts in February, with a sharp peak the week prior to the big game, while the day of the game itself had the lowest ATO attempts. Malicious login attempts accounted for more than 20% of total login attempts, up from 12% in January. The fraudsters were likely trying to gather a large number of accounts prior to kickoff so they could sell them on the dark web before the start of the game, or so that they could ensure that compromised accounts were integrated into their larger purchasing bot with enough time left to place wagers on those compromised accounts.

Figure 5

Fake account creation is also a lucrative threat model for fraudsters, as they can use it to take advantage of new user rewards (like free bet credits) or to increase the chances of a bad actor winning a bet. We see in Figure 5 an increase in fake account creation attempts in January, with a drop-off right before the final increase on game day. If successful, these tactics can coincide with stolen credit and debit card information being used on these sites, which at scale would lead to possible legal cases and financial losses.

What It Means

The data shows that fraudsters are motivated by two things: money and opportunity. They go where the money goes and the only difference between our customer and other top betting apps is that their business is protected by HUMAN. 

As authentic human interest peaked, so did the traffic of bots and fraudsters attempting account fraud. From January (when the playoffs started) until the very end of the big game, fraudsters were trying to take over accounts, create fake accounts, and place illicit bets.

The biggest takeaway is consistency. At the beginning of the playoffs, authentic humans started to visit the major sports betting app more, with fraudsters following. At kickoff of the big game, authentic human visitors to the app peaked for the season and went down during the game. The same applied to bad actors. Their traffic also peaked at the start of the game, except it never went down; it stayed consistent. That’s the thing about our rivals: they never stop. While humans were enjoying the NFL season finale, bad actors were still attempting to infiltrate our customers' accounts. They were trying all season and they are trying right now as you read this.

That’s why HUMAN’s technology never takes days off. The way to disrupt the economics of cybercrime is to meet your competition where they are - on and off the field.

A Winning Formula

We have figured out that the way to stop a fraudster’s offense is with modern defense. The winning formula is the three pillars of modern defense: visibility, network effect, and disruptions and takedowns. This strategy allows us to win against fraudsters just like the ones above. By verifying the humanity of more than 20 trillion interactions a week, protecting 465+ customers, and disrupting threats, we are making sure the cost of fraud is not worth the bet. 

HUMAN treats every online threat like it’s our Sunday championship game. Using this modern defense strategy, our products ensure our partners always have the technological advantage in the field of play. For us, it is not just a flip of a coin. No matter what bad players’ schemes are, with our modern defense strategy, we win.