Report: 53% of social media logins are fraud

More than half of social media logins are fraudulent, according to a new report.

Specifically, 53% of social media logins are fraudulent, and 25% of all new account applications on social media are also coming from scammers, according to the Arkose Labs Q3 Fraud and Abuse report.

Of course, there are plenty of good reasons to care about the fakery that saturates social media, given that the fraudulent activity is focused on stealing data and squeezing us all for money. Large-scale bots are behind most of these transactions, launching attacks on social media platforms with the goal of “disseminating spam, stealing information, spreading social propaganda and executing social engineering campaigns targeting trusting consumers,” according to a media release from Arkose.

Arkose looked at fraud across the internet, but with specific regards to social media fraud, the activity took on a host of different forms: account hijackings, fraudulent account creation, and spam and abuse were among them. It found that more than 75% of attacks on social media are coming from automated bots.

Social media was distinct among the industries Arkose analyzed: account hijackings were more common, with logins twice as likely to be attacked than account registrations, the report found. Arkose says that the account takeovers are being done by attackers looking to harvest valuable personal data from the accounts of legitimate users.

We’ve often written about how these account takeovers manifest and what they’re after: In November 2018, for example, Facebook said that the US Department of Justice (DOJ) had recently discovered an alleged IS supporter warning others that it’s gotten tougher to push propaganda on the platform, and thus was suggesting that fellow propagandists try to take over legitimate social media accounts that had been hijacked: to act like wolves pulling on sheepskins in order to escape from Facebook’s notice, as it were.

Profit is another big motivator: We’ve seen valuable Instagram accounts held for ransom and virtual loot worth real money that was motivating attackers to hijack 77,000 Steam accounts a month, for example.

Arkose CEO Kevin Gosschalk, from the press release:

The extremely high attack rate on social-media logins is indicative of the value placed on the data fraudsters extract from compromised social accounts. Because more than 50% of social media logins are fraud, we know that fraudsters are using large-scale bots to launch attacks on social-media platforms with the goal of disseminating spam, stealing information, spreading social propaganda and executing social-engineering campaigns targeting trusting consumers.

Using bots to launch the attacks makes economic sense, Arkose says. It saves crooks the money they’d otherwise have to spend on wages.

Arkose didn’t just look at social media logins. It looked at over 1.2 billion real-time transactions, including account registrations, logins and payments from financial services, e-commerce, travel, social media, gaming and entertainment industries, in real-time, to paint a portrait of the evolving threat landscape.

Besides the bogus social media account logins, the analysis also found that overall, one in 10 transactions of any type is an attack, coming from a range of sources from automated bots to malicious humans.

Automated attacks made up the bulk of the traffic Arkose analyzed, ranging from large-scale account validation attacks, to bots blocking seats on an airline, to scripted attacks that scrape user data and inventory.

But sometimes attacks need humans to carry them out, and that’s where cheap labor comes in handy. Attacks relying on human labor are mostly – 59.3% – coming from China, the analysis found. That’s four times higher than human-driven attacks coming from the US, Russia, the Philippines, and Indonesia.

Here’s Vanita Pandey, vice president of strategy at Arkose Labs:

Sometimes fraudsters have to rely on humans to carry out attacks; these attacks cost more, but the value they can extract from the attack makes the investment worthwhile. Developing economies are quickly becoming fraud hubs because they have easy access to sophisticated tools, cheap manual labor and good economic incentives associated with online fraud.

Pandey said that the fraudsters are now gearing up for the peak scam time of the year: the holidays.

As we head into the holiday season, this is critical for the retail industry, which sees high volumes of seasonal and human driven fraud. Right now, fraudsters are actively preparing to launch large-scale attacks on retail vendors during the holidays by validating and testing stolen gift cards and identities compromised in recent breaches. The long-term solution to this problem is not rooted in applying new defenses – because fraud will continue to evolve – but rather to break the economics of the attack and eliminate a fraudster’s financial incentive.

For some examples of holiday scams that SophosLabs has caught in its spamtraps, plus some advice on how to avoid getting hooked, check out our advice on how to stay off the hook – useful at any time of the year.

Other data points from the report:

• Most attacks are coming from the Philippines. The top originating countries for attacks are the US, Russia, the Philippines, UK and Indonesia. The Philippines is the single biggest attack originator for both automated and human-driven attacks with the US coming in at a distant second.
• Most Chinese attacks (59.3%) are coming from humans. That’s more than four times higher than those coming from the US, Russia, the Philippines, and Indonesia.
• Human attackers are going after tech companies. The technology industry is heavily targeted by “human click-farms and sweatshops,” the report found – as in, places that employ low-paid workers hired to make fraudulent transactions or create fake accounts. According to the report, 43% of all attacks on tech companies are human-driven and account registrations for tech companies are four times more likely to be attacks than logins. This isn’t surprising: in November 2018, for example, more than 100 Indian police swarmed 16 tech support scam call centers, arresting 39 people for allegedly impersonating legitimate support reps for companies including Microsoft, Apple, Google, Dell and HP.
• The travel industry is heavily targeted. Payment transactions in the travel industry are 10 times more likely to be attacked, Arkose found, especially from automated bots looking to block inventory, leading to denial of inventory attacks or a significant increase in ticket price. Almost 10% of all login attempts on travel sites are fraud, and 46% of all payment transactions for travel are fraud. Attackers try to make fraudulent purchases, conduct denial of inventory attacks or steal hard-earned customer loyalty points, which are as good as cash.

To protect yourself on social media from account hijackings and scam, start with our video, Five ways to stay secure on social media.

(Watch directly on YouTube if the video won’t play here.)