Season’s Greetings: How Fraudsters Kick Off Their Holiday Preparation During the Summer and Why You Should Too

'Twas the months before the holiday season, when all through web accounts
fraudsters were plotting. Their holiday schemes had already begun to mount. 
Our clients could collectively protect their customers without a care,
because they knew that HUMAN and modern defense would always be there.

Summer is in full swing, kids are out of school, and family vacations are happening. But as the temperature rises, so do the threat operations. The holiday season seems to arrive faster every year, and as an adult, you find yourself thinking about the holidays in August.

However, it's not just early commercials and store decorations banking on the holiday season's profitability. Fraudsters are also plotting ways to take advantage of consumers' generosity as they shop for Halloween treats, Thanksgiving gifts, and Christmas presents. They employ tactics like account takeover, carding, and scraping to fill their stockings at everyone else's expense.

Though it may feel early to start decking the halls, now is the opportune time to start getting ready for the upcoming online holiday season. The first step is uncovering bot attack patterns, understanding the impact on the ecosystem, and demonstrating how a unified modern defense strategy can be the star atop the tree.

Ghouls, Goblins, and Grinch Bots

Bad actors are starting earlier because the timeline for their threats to be effective has expanded. As Inna Vasilyeva, a Senior Threat Intel Analyst, puts it, the holidays are seen as a chance for bad actors to elevate attacks. “This time of the year equals an opportunity for cybercriminals. Malware attacks are going on year-round, but they increase significantly over the holiday season.”

Throughout the holiday festivities, automated traffic surges to its peak. Last year's bot attacks reached a pinnacle in October and sustained high levels throughout the season of giving. On the top attack day, October 25, bad bot traffic to e-commerce sites soared by a staggering 199% compared to the yearly average. E-commerce traffic tells a tale of contrasting patterns, as human activity did not begin to rise consistently until late October, with the highest surge occurring during Cyber Week.

So, what’s the deal? The honest answer is fraudsters see your data as the best sales on Black Friday and Cyber Monday, but there’s no return policy or gift receipts. Santa has elves to help him build toys, and fraudsters have bad bots to harvest data. In 2022, bot traffic accounted for 46.2% of total traffic online, with bad bots making up 29%. This overwhelming threat needs to be addressed. Good or bad, if almost 50% of traffic coming through is not an authentic human, it contaminates your data and makes the possibility of converting humans with advertising dollars feel like a coin flip. With digital ad spend rising 13.7% during the fourth quarter of the holiday season last year, do you want the metrics and results of your marketing efforts to be dictated by threat actors and essentially left up to chance?

Holiday Bot Menu: Scraping, Carding, and Account Takeover

When most people think of the upcoming holiday season feast, they imagine what food will be on their plate. We have a different holiday appetite: a hunger for stopping threat actors. And during the holidays, there’s a buffet of digital fraud. 

With our unmatched visibility into 20 trillion interactions per week, and universal network scale, we forecast a major uptick in ATO, carding, and scraping operations in the closing months of this year. Let's take an in-depth look at the methodology behind these 3 kinds of attacks:

  • Account Takeover - Attackers use stolen credentials in credential stuffing attacks, taking advantage of users who reuse passwords. Phishing and social engineering techniques have become more sophisticated, tricking users into revealing their login details. Some attackers bypass 2FA security, making it harder for users to rely solely on two-factor authentication. SIM swapping involves convincing carriers to transfer a victim's phone number to a SIM card the attacker controls, enabling access to accounts and 2FA codes.

Account takeover (ATO) attacks surged by 123% in the second half of 2022 compared to the first half, driven by spikes during the summer and holiday shopping season. On average, 48% of login attempts were malicious. Specifically for e-commerce companies, ATO accounted for 48.2% of login attempts throughout the year, with peaks in August and October. Cybercriminals started launching attacks earlier to spread them out, leading to multiple smaller attacks in the latter half of the year. Malicious login attempts increased steadily from September, peaking in mid-October, likely for selling stolen accounts on the dark web before Cyber Week. The attacks remained prevalent as Black Friday approached, with a decrease observed on Cyber Monday, possibly due to legitimate traffic.

  • Carding - Cybercriminals leverage increased automation, utilizing bots and tools to rapidly test stolen credit card information across various websites, efficiently identifying valid details. The dark web serves as a thriving marketplace for trading stolen credit card data, granting easy access to a vast amount of card information. Card-not-present (CNP) fraud is on the rise with the surge in online shopping, enabling cybercriminals to exploit stolen card details without physical cards. Additionally, attackers have developed methods to bypass the Card Verification Value (CVV) security feature, enhancing the potency of carding attacks.

In the second half of 2022, carding attacks increased by 161%, with a notable spike during the holiday season. For e-commerce, malicious checkout attempts peaked in the summer and again during Cyber Week. Attackers tested stolen card details through "dummy purchases" in early November. After Cyber Monday, there was a 900% surge in carding attacks out of total checkout attempts as attackers persisted while legitimate traffic slowed.

  • Scraping - Cybercriminals deploy advanced bots and techniques to efficiently scrape data from websites, mimicking human behavior and employing IP rotation to avoid detection. They may also target login pages using scraping techniques to steal login credentials for account takeover attacks. Additionally, they utilize scraping tools that can execute JavaScript, while attempting to manipulate network data on modern JavaScript-based websites.

Scraping attacks surged by 112% in the second half of 2022, driven by increased activity during major sales events. In e-commerce, malicious requests peaked at almost 40% in August and saw another smaller jump during the holiday season, aligning with ATO and carding patterns.

When Vasilyeva spoke on what makes bot attacks more dangerous each coming year, she emphasized access and buyer knowledge. “Cybercriminal tactics like carding, scraping, and account takeover have evolved significantly. Numerous malicious actors now adeptly bypass security measures on e-commerce sites and target victims across multiple platforms. It's concerning that even inexperienced users can engage in hiring bots to purchase illicit products or participate in scraping and reselling sought-after items.”

We All Must Unite in the Holiday Protection Spirit

Fraudsters follow the money, and unlike snowflakes, they are not unique in their approach. They will use the same tactics in multiple ecosystems, attempting to scale up for an even greater profit. These sophisticated threats are not just for e-commerce, but the entire digital landscape. Think of their operations as ornaments: they want to decorate every industry like a tree and then cover them with bad bots as if they were lights.

Inna Vasilyeva gave insight on the difference between bot attacks against e-commerce, ad tech, and other industries — and why they’re more similar than you might think. “Every digital business has bots aiming to commit fraud and maliciously monetize their web activities. The methods and TTPs of cybercriminals can vary, but at the end of the day, they’re all prone to malware, bots, and other attacks. Nobody is immune to holiday season cyber challenges, and the procedures to protect yourself will be similar in terms of attack vectors. That’s why it's important to have a trusted partner who has your best interest at heart.”

She added, “Bad bot activities often involve purchasing data from dark markets, including personally identifiable information (PII), account details, and card information. They can also scrape popular product inventories ahead of the holiday season to plan for their eventual bulk-purchase campaign. E-commerce customers can also face phishing attempts and unknowingly provide sensitive information due to the ease of making purchases on platforms like Instagram and via apps. Even the best security tools can't fully protect users who don't practice good cyber hygiene, but companies can also create strategies and defenses to limit problems once an account has been phished. For instance, it’s common for the shipping addresses to be changed during mass-account takeovers after a successful phishing campaign, and companies need to not only monitor for the bulk actions, but expect them.”
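One way to monitor for the bulk shipping-address changes Vasilyeva describes, as an added example that is not HUMAN's code or part of the original post. It flags any destination address that several distinct accounts switch to within a time window; the event field names, the 24-hour window, and the threshold of three accounts are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed look-back window
THRESHOLD = 3                  # assumed: distinct accounts per destination

def normalize(addr: str) -> str:
    """Collapse case, punctuation and whitespace so trivial variants match."""
    return " ".join("".join(c if c.isalnum() else " " for c in addr.lower()).split())

def bulk_address_changes(events, window=WINDOW, threshold=THRESHOLD):
    """Return {normalized_address: sorted account ids} for destinations that
    `threshold` or more distinct accounts switched to within `window`."""
    by_addr = defaultdict(list)
    for ev in events:
        if ev["action"] == "shipping_address_change":
            by_addr[normalize(ev["new_address"])].append(
                (datetime.fromisoformat(ev["ts"]), ev["account"]))
    flagged = {}
    for addr, changes in by_addr.items():
        changes.sort()
        start = 0
        for end in range(len(changes)):
            # Slide the window start forward until it spans at most `window`.
            while changes[end][0] - changes[start][0] > window:
                start += 1
            accounts = {acct for _, acct in changes[start:end + 1]}
            if len(accounts) >= threshold:
                flagged.setdefault(addr, set()).update(accounts)
    return {a: sorted(s) for a, s in flagged.items()}

# Constructed sample audit events (hypothetical schema, not real data).
SAMPLE_EVENTS = [
    {"ts": "2023-10-20T09:00:00", "account": "u101", "action": "login", "new_address": ""},
    {"ts": "2023-10-20T09:01:00", "account": "u101", "action": "shipping_address_change", "new_address": "12 Example Rd, Unit 4"},
    {"ts": "2023-10-20T09:05:00", "account": "u202", "action": "shipping_address_change", "new_address": "12 example rd unit 4"},
    {"ts": "2023-10-20T11:30:00", "account": "u303", "action": "shipping_address_change", "new_address": "12 Example Rd., Unit 4"},
    {"ts": "2023-10-20T12:00:00", "account": "u404", "action": "shipping_address_change", "new_address": "99 Sample Ave"},
    {"ts": "2023-10-25T12:00:00", "account": "u505", "action": "shipping_address_change", "new_address": "99 Sample Ave"},
]

if __name__ == "__main__":
    for addr, accounts in bulk_address_changes(SAMPLE_EVENTS).items():
        print(f"review: {len(accounts)} accounts now ship to '{addr}': {accounts}")
```

Flagged accounts are candidates for holding orders and forcing re-authentication; address normalization here is deliberately simple and would miss deliberate variations such as different unit numbers at one drop location.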

The Three Spirits of Modern Defense

Don’t hold your breath in the hopes of fixing these Scrooges' mentality; once these Grinches get a hold of data and privileged account information, they are only worried about their profits, not their heart growing three sizes. HUMAN disrupts the economics of their nefarious deeds; that is why our version of the three ghosts of holidays past is the three pillars of modern defense:

  • Visibility - We don’t go as far as Santa, knowing when you are sleeping and knowing when you are awake, but to safeguard the internet with detection at an unmatched scale, we verify more than 20 trillion digital interactions a week and observe more than 3 billion devices a month for actionable intelligence.
  • Network Effect - There are 12 days of Christmas, 8 days of Hanukkah, and 7 days of Kwanzaa. We have 2,500 dynamic network, device, and behavioral signals that are parsed through 350 algorithms, collectively protecting more than 450 customers year-round.
  • Takedowns and Disruptions - This is how we provide the threat actors on our naughty list with coal and real-world consequences, by raising the cost of every digital attack. We bring over 10 years of experience combating adversary attack vectors, tools, and methodologies, along with actionable threat intelligence from The Satori Threat Intelligence and Research, a group of threat hunters, reverse engineers, and data scientists who uncover fraud operations across the internet.

Protection is our job, and we take it to heart; it’s a HUMAN quality. Bad actors are drinking from every leaking faucet they can find, whether it's enterprise, media, or straight from consumers' pockets. They do not care about marketing budgets, customer service, or making sure that must-have gift is under the tree. So, we have to stop their thirsty greed at the source by flipping the cost-benefit analysis. 

We have to combat the manipulators together. That is the “collective” part of collective protection. We all have a pivotal role to play during the holidays. Here are a few comprehensive security measures that can help safeguard organizations and buyers from cyber threats during the holiday season and beyond.

  • Educate employees on social engineering and spear-phishing risks; caution against clicking suspicious links or using work laptops for personal activities.
  • Thoroughly inspect holiday e-cards, discount ads, and email links.
  • Limit internal network access, encrypt data and backups, regularly update OS/software patches, and regularly review third-party vendor security posture.
  • Enforce internal cybersecurity policies like strong passwords and multi-factor authentication (MFA).
  • Secure and update devices, uninstall unknown apps, conduct malware scans, and use VPN on secure Wi-Fi.

Staying vigilant against attempts to attack systems both professionally and being aware of vulnerabilities 

These are just a few protective strategies that can help safeguard organizations and buyers from cyber threats during the holiday season and beyond.

Creating an Internet Wonderland

Bots are used in 77% of all digital attacks to help cybercriminals automate and scale their schemes. According to Cybersecurity Ventures, the cost of cybercrime is expected to hit $6 trillion globally in 2022, up from $3 trillion in 2015. How much of your budget, potential profit, and most importantly, customer data cost is going towards that number? Is your business properly protected? A conversation with HUMAN can provide the answer to that question.

Why start looking ahead now to the holiday season? Simply because it’s the right thing to do. As threat actors and their mischievous operations get trickier, as a community we must adapt and become more intelligent. As they get more ruthless with how they deceive, together we must show more compassion in educating everyone with tactical readiness. A lot of the holiday spirit is based on simply believing in things bigger than oneself. Our Bot Friday holiday campaign is something we want to be beneficial industry wide, a sign of goodwill to all humans on the internet. Together is the best way forward across the entire digital landscape and by December, we can all simply have a wonderful holiday season.

For a comprehensive, in-depth look at the trends in fraudster activity this upcoming holiday season, check out the full Bot Friday Benchmark Report.