By Julian Arango | February 19, 2020
In a previous blog post,
we discussed some of the findings of Anderson et al. (2019)
regarding the changes in cybercrime costs,
more prominently in the United States and the United Kingdom.
We specifically wrote about online card and banking fraud,
as well as ransomware and cryptocurrencies.
We introduced these topics by referring to
what had changed in the last seven years
when a first paper from the same authors was presented at the Workshop
on the Economics of Information Security
(WEIS) in 2012.
We will conclude with other topics detailed in the study.
Check the first part of this blog post here.
We will discuss marketing-related cyber crimes like ad fraud,
and Business Email Compromise
We found ad fraud figures astonishing.
Fortunately, awareness is growing as businesses are starting to realize
they have probably lost plenty of money without knowing it.
The second topic caught our eyes as it appears to be on the rise.
Although not related, we remembered Amazon’s CEO, Jeff Bezos,
as the hack he suffered was specific and directed to him. Let’s begin.
We consider ad fraud to be underrated. This fraud happens when advertisers' digital-ads budgets are stolen: sold ads that were never seen by humans. These frauds could be categorized within impression-fraud (paid fake impressions), click fraud (paid fake clicks), and traffic laundering (fake traffic).
Partially, the problem emerges because there’s no authentication to verify that users are actually viewing the ads the advertiser is paying for. A way criminals use to profit from this is by creating browser “viewing” ads automatically (especially video ads). How? By compromising computers through malware installed to perform this.
It is estimated that for every ad fraud revenue dollar,
the advertiser spends between $2 and $5 to serve those ads.
One well-documented example in the cited paper
tells the story of two ad campaigns with losses of $36m.
There were 1.900 servers and 850.000
under control of criminals to scale such frauds.
Still, these were not part of a botnet
(the criminals paid for those resources).
The scholars argue that conflicts of interest exist between advertisers and ad networks. Those conflicts impose barriers to better measuring the impact of these cybercrimes. The researchers also estimate global losses to be a couple of billions worldwide every year.
An outstanding example depicts the size and impact of these frauds.
Uber made a significant reduction in its digital marketing budget:
120 million out of 150 million dollars were cut with no performance impact,
after discovering ad fraud.
You can listen to this story here, told by Kevin Frish,
former head of performance marketing and
CRM for Uber,
interviewed by Alan Hart.
Read along with us: ONE HUNDRED AND TWENTY MILLION DOLLARS.
We also consider that this type of fraud is underrated. Think about a simple scenario: a company has a discount scheme through coupons, as part of their marketing strategy to attract underserved market segments. A criminal could gain access to the company’s systems and create non-authorized coupons that can be sold in the black market (e.g., the dark web) for a fraction of its value. Anderson and colleagues suggest a hypothetical and straightforward scenario: a criminal could sell 2.000 coupons with a monetary value of $50. If all these coupons were used, losses for the victim company would add up to $100.000. Only in the US, losses from these frauds are estimated between $300m and $600m per year.
Similarly, loyalty programs have also suffered financial losses from attackers. According to the cited paper, this fraud is growing. From 2016 to 2017, for instance, a publication reported a rise in attacks on these rewards/points accounts of 9 percentage points. Another paper estimated losses in these programs adding up to $235m. Furthermore, other costs have been identified. A survey found that 17% of victims of loyalty program fraud would stop doing business with the company, and 37% would tell others about the vulnerability of the program. How much profit can be lost due to these soon-to-left consumers?
Also known as “man-in-the-email attack” or “CEO scam,” this kind of fraud seems like a phishing attack but has several unique elements. First, performing the attack focuses on someone with the power to make wire transfers, like a financial manager. Second, the attack supplants a CEO or someone with authority and, third, using this impersonation, a request to make a wire transfer to a supposed valid account —controlled by the criminal— is made.
BEC has been growing over the years, as can be seen in Figure 2.
Note that complaints have grown almost linearly,
while estimates of financial losses have grown exponentially.
The effectiveness of this fraud is rooted in human psychology. Similar to typical phishing, “[attackers] prey on the victim’s instinct to respond quickly to a request from a person of authority within the company” (Anderson et al., 2019, p. 15). This is also known as the messenger effect, widely cited in the behavioral science literature.
The scholars go further, pointing to other frauds and their costs to businesses and society. Moreover, they extend their analyses on cybercrime costs by discussing what infrastructure criminals use to create such damages, mainly botnets. In the paper, the scholars also review other relevant research that they call victimization studies. These are nation-representative surveys where people self-report whether they have been victims of cybercrime. This perspective is valuable as it allows researchers and policymakers to contrast different sources of insight to better come up with strategies against cybercrime. We invite you to take a look at the paper if this topic interests you. Click here to download it.
From the figures these scholars put together, it’s clear that the costs of cybercrime on society are relevant. Cybersecurity is not an isolated topic for just a bunch of organizations. Quite the opposite: cybersecurity is essential to society, as we now rely heavily on information technology which offers many benefits in these modern times.
Fluid Attacks, we’re committed to improving the safety of organizations
by putting some pressure on their mission-critical systems.
We do this by hacking those systems with a mix of automated tools
and the expertise of a group of highly skilled security engineers.
Check our hacking services and our products
(there is one product you can access and use
FREE of charge).
Our distinctiveness lies in the approaches we offer to organizations,
comprised of continuous hacking and one-shot hacking.
We detect weaknesses faster, featuring a rich characterization,
and we also make it easier for clients
to fix those defects through our ASM and Asserts.
Did you enjoy reading this post? We love to hear from our readers and customers. Do get in touch with us!
Anderson, R., Barton, C., Böhme, R., Clayton, R., Gañán, C., Grasso, R., Levi M., Moore, T. & Vasek, M. (2019). Measuring the changing cost of cybercrime. Proceedings of the 17th Workshop of the Economics of Information Security (WEIS). Boston, MA.
Corporate member of The OWASP Foundation