Anatomy of an Attack

DESCRIPTION

Every year, companies lose $100 billion to online fraud. In this deck, we detail an actual online attack by fraudsters on a prominent gaming website and how Kount identified and prevented fraudulent transactions.


Page 2: Anatomy of an Attack

KOUNT CONFIDENTIAL & PROPRIETARY

The Attack

1. On December 27, 2012, a global top ten gamer website experienced a dramatic increase in the number of declined orders.

2. The decline rate went from the average of under 5% to over 35%.

3. Kount detected and stopped a bot attack that was attempting to infiltrate and fraudulently purchase goods on the website.

4. The attack lasted approximately three days.

5. During the attack and once the attack was over, the company’s website responded normally, as if nothing happened.

Page 3: Anatomy of an Attack

The Attack

This line represents the upper limit of declines. This is calculated daily based on a 14-day trailing average of daily variations to 99%. Generally, this line is 3 standard deviations from the “decline mean” rate.

Page 4: Anatomy of an Attack

The Attack

This line represents the lower limit of declines. This is calculated daily based on a 14-day trailing average of daily variations to 99%. Generally, this line is 3 standard deviations from the “decline mean” rate.

Page 5: Anatomy of an Attack

The Attack

This line represents the decline rate mean. This is calculated daily based on a 14-day trailing average of daily variations to 99%. The decline rate averages between 3% and 6% based on rules applied by Blizzard.

Page 6: Anatomy of an Attack


The Attack

This line represents the actual decline rate.

Page 7: Anatomy of an Attack

The Attack

Note: because these lines are created from a 14-day trailing average, they increase as a result of the attack. They will return to normal ranges in time.
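The control limits described on the preceding slides can be sketched as follows. This is an added example, not Kount's code: it assumes the limits are the trailing 14-day mean plus or minus 3 sample standard deviations, the decline rates are constructed, and the `exclude_flagged` option is an addition that goes beyond the slides to show what happens when attack days are kept out of the baseline.

```python
from statistics import mean, stdev

WINDOW = 14  # trailing days, as stated on the slides
SIGMAS = 3   # band half-width in standard deviations, as stated on the slides

# Constructed daily decline rates: 15 normal days (3%-6%), three attack
# days above 35%, then two normal days. Not data from the deck.
DECLINE_RATES = [
    0.040, 0.045, 0.050, 0.038, 0.042, 0.055, 0.047,
    0.041, 0.049, 0.044, 0.052, 0.039, 0.046, 0.043,
    0.045,                 # index 14: last normal day
    0.36, 0.38, 0.37,      # indices 15-17: attack
    0.045, 0.044,          # indices 18-19: back to normal
]

def evaluate(rates, exclude_flagged=False, window=WINDOW, sigmas=SIGMAS):
    """Return (day, lower, mean, upper, out_of_band) for every day that has
    `window` earlier days to build a baseline from."""
    results, flagged = [], set()
    for day in range(window, len(rates)):
        # Baseline = the most recent `window` earlier days; optionally skip
        # days already flagged so an attack cannot widen its own bands.
        prior = [d for d in range(day) if not (exclude_flagged and d in flagged)]
        base = [rates[d] for d in prior[-window:]]
        m, s = mean(base), stdev(base)
        lower, upper = max(0.0, m - sigmas * s), m + sigmas * s
        out_of_band = not (lower <= rates[day] <= upper)
        if out_of_band:
            flagged.add(day)
        results.append((day, lower, m, upper, out_of_band))
    return results

def flagged_days(results):
    """Indices of the days whose decline rate fell outside the band."""
    return [day for day, _, _, _, out in results if out]

if __name__ == "__main__":
    for label, excl in (("trailing", False), ("flagged days excluded", True)):
        res = evaluate(DECLINE_RATES, exclude_flagged=excl)
        print(label, "->", flagged_days(res))
        for day, lower, m, upper, out in res:
            print(f"  day {day}: rate={DECLINE_RATES[day]:.3f} "
                  f"band=[{lower:.3f}, {upper:.3f}] {'ALERT' if out else ''}")
```

On the constructed series the plain trailing window alerts on the first two attack days only, because by the third day the attack itself has widened the upper limit past 37%; keeping flagged days out of the baseline leaves all three attack days in alert.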

Page 8: Anatomy of an Attack

The Attack

This line represents actual # of approvals daily.

This line represents actual # of declines daily.

This line represents actual # of reviews daily.

Spike in sales on Christmas day, expected activity.

No increase in declines, also expected activity.

Spike in declines over the next three days without corresponding increase in sales, unexpected, unusual activity.

Page 9: Anatomy of an Attack

The Attack

RANK   EMAIL               # TRANSACTIONS
1      [email protected]   4762
2      [email protected]   1349
3      [email protected]   1243
       Total               7,354

The attack was centered around three main email addresses which may indicate that a “bot” was running from hijacked or dedicated machines…

Declined orders

Page 10: Anatomy of an Attack

The Attack

RANK   IP ADDRESS        TRANSACTIONS
1      79.126.163.185    5739
2      79.126.172.135    1628
       Total             7,367

…and only two IP addresses

Page 11: Anatomy of an Attack

The Attack

Each dot represents the number of attempts made per minute, sometimes averaging nearly two and a half attempts per second.

This line represents the running average of attempts per minute.

Page 12: Anatomy of an Attack

The Attack

From the email address [email protected]:

#   TRANSACTION DATE/TIME    TRANSACTION COUNT
1   12/27/2012 1:31:00 PM    108
2   12/27/2012 1:32:00 PM    71
3   12/27/2012 1:33:00 PM    100
4   12/27/2012 1:34:00 PM    41
5   12/27/2012 1:35:00 PM    85
6   12/27/2012 1:36:00 PM    114

Page 13: Anatomy of an Attack

The Attack

Where did these “orders” originate?

Macedonia

Page 14: Anatomy of an Attack

The Result

Kount responded to this attack exactly how it was designed.

• Detected the fraud, in real-time
• Stopped the fraud, in real-time
• Reported the fraud
• Protected the customer
• Kept exposure to fraud and fraud losses to ZERO $$$
• All done automatically, without interrupting normal business activity
• This type of fraud could not have been detected using old, look-up technology

Page 15: Anatomy of an Attack

Case Study – CDBaby

Situation

• World’s largest online distributor of independent music
  - Helps artists sell to iTunes, Amazon and Facebook
• Paying out 75% commissions
• Over $200 million in commissions paid
• Fraudulent artists & affiliates
• Charge backs/Fraud 2.5%+, $26,000 lost in one month
• Reputation at stake with some partner brands


Page 19: Anatomy of an Attack

Case Study - CDBaby

1. Fraudster posing as an artist posts music for sale on CDBaby.com

2. Fraudster joins CDBaby affiliate program, receives 75% commission

3. Using stolen credit information, Fraudster purchases music from affiliate (Fraudster)

4. Pays royalty to artist
   Pays commission to affiliate (75%)
   Pays fines, chargebacks

Page 20: Anatomy of an Attack

Case Study - CDBaby

• Reduced fraud by 96%
• Results in less than 30 days

• Fraud losses average $850/mo.
• NO loss in revenue
• Enhanced marketing opportunities
• Great relationship with iTunes

Page 21: Anatomy of an Attack

Questions

Don Bush
VP, Marketing, [email protected]