The current state of the world is forcing many businesses and industries to optimize their functions online. But with an influx of traffic comes an influx of risk. PerimeterX co-founder and CTO Ido Safruti and Director of Cybersecurity Research Liel Strauch recently sat down to discuss trends, takeaways and best practices on how to best equip your business during COVID-19. Listen to the corresponding podcast here.
COVID-19 has taken a huge toll on the world in a number of ways. A couple of months into the pandemic, we've seen some serious changes in behavior across various industry sectors. Ido, you recently published a blog series where you discussed how various industries are being affected by these changes, including food, home goods, e-learning, travel, fashion, freelance, media and even marijuana segments. Can you explain to us what's different now compared to before the coronavirus pandemic in terms of the volume of traffic?
Ido: Sure. Obviously, different sectors are impacted in different ways. One thing that is common across the COVID-19 period is that digital transformation has been extremely accelerated for many different sectors. And in some cases, businesses are making transitions that usually take a year or two in a month or a few weeks. And this is the result of another massive trend—consumers are doing much more from home and more online. People are experimenting and adopting more technologies because they have no other option. We're talking about e-learning, about retail, and finding out that you can buy anything online from grocery stores or from any other place.
We’re seeing a huge spike in traffic across multiple sectors that are offering digital goods or digital services, as an alternative to other ways of consuming them—from e-learning, to food delivery and even to marijuana delivery. Some of our customers have seen increases of up to 10X in registered users and active users. In certain cases, we're seeing daily levels similar to or higher than those we see during Black Friday and the holiday season, which is obviously a big change. Some sectors were actually negatively impacted and have seen fewer active users, such as the travel industry.
So what attack trends are developing because of this? Are cybercriminals’ tactics changing? What patterns are we seeing?
Ido: That's an interesting one, because just like the businesses themselves went through an accelerated process of digital transformation, attackers have evolved rapidly as well. They’re seizing the opportunity there. As more businesses move online, there are more opportunities for attackers to abuse those businesses and find financial benefits. So obviously it's not only consumers that are doing things from home, but suddenly security teams and development teams need to roll out new services rapidly—and from an environment they're not used to. And that has created an opportunity for attackers to breach those services, because maybe there are fewer eyes on deck to monitor and review traffic. Just as well, new services are appearing and are more likely to be vulnerable.
We’re seeing an increase in account takeover (ATO) attacks, in which attackers try to take credentials and control accounts to gain access to free content, personal information, credit card information, loyalty points, rewards or other benefits. So we're seeing an increase in that activity. And the numbers haven’t just risen proportionally—in many cases, the percentage of attacks from overall traffic has gone up. Malicious traffic has risen faster than legitimate users.
That doesn't sound very good. So, Liel, are these tactics typical, or are bad actors doing anything new or novel that we haven't seen before? How does the situation look in comparison to the threat landscape prior to the stay-at-home orders?
Liel: That's a really good question. It's not that we necessarily see new tactics, but we do see a very big evolution in the sophistication of the attacks. We see a big distribution of the sources the attacks are coming from, whether by the identifiers of the request, the fingerprints, things like the number of IP addresses used in any attack, the user agents used and other identifiers. We see a tremendous increase. Another thing we've noticed is a big increase specifically during the time of the pandemic in the usage of proxies and residential IPs to attack, which is a well-known tactic of attackers to try to mimic normal users' traffic and hide their source. We’ve seen a big increase in that. And of course the threat of CAPTCHA solvers, which has been a big threat for a pretty long time now, is also increasing in the size of the attacks themselves.
Being a couple of months into this crisis, do you see threats decreasing or do you foresee threats staying at their new levels?
Liel: I don't think we're going to see the threats decrease. We haven't seen any evidence for that on our end—in fact, more so the opposite. We’ve seen an increase in the size of different attack campaigns—mostly account takeover, as Ido stated—but also checkout bot attacks where attackers abuse the purchase flow. From these threats, we are seeing a continuous increase, double what we used to see. And as you could guess, it is probably because more people are making their purchases online. The money that you can achieve by executing those attacks is getting bigger and bigger. So no, I don't think the threat is going to decrease.
Ido: One important thing to talk about related to this kind of increase is you can't unlearn these techniques. Attackers have evolved and changed and found new techniques. They’ve developed more advanced tools. Once the pandemic goes away, while business may go back to normal, the attackers have already achieved a new level of threats, and they won't forget it. They'll just adopt it. They have endured a transformation just as businesses have accelerated their new services, and now have better tools. And since consumers have learned to do more tasks online now, they won't forget it either. They'll continue to operate more like that.
That's a good point. So PerimeterX has recently written about a rise in e-gift card bot attacks. What can you say about these attacks, Ido?
Ido: Just as with other attacks, bad actors are after the money. They're attacking and doing these massive fraud campaigns because they can get some financial benefit out of it. Some common kinds of attacks are carding attacks, the ability to attack e-gifting, and other things like this. ATO attacks and checkout abuse are also increasing due to attackers trying to find out all of the places where you can attack e-gifts. These attacks are harder to identify, and it is easier to use the gift cards as currency in the dark web.
Makes sense. So Liel, seeing as PerimeterX works with a number of prominent digital media, what are some nuances that the PerimeterX team is seeing on the front line?
Liel: It's a very interesting trend. We’ve seen since the start of the pandemic in February a very big and steady increase in both traffic and attacks for those businesses. We’ve especially seen big increases around news websites in mid-March and forward. It just keeps going up every day.
E-commerce is certainly booming right now. What advice would you give retail website and app operators during this crisis?
Ido: For e-commerce and retailers during this period, just as they should all the time, they should consider the opportunity for them to improve the business and to figure out how to implement things that will help in the long term. And in the case of the current event, you must consider it on the same scale as the holiday season or another large event that you plan for as a retailer. Obviously we didn’t predict the current situation, but two months in, it is the new standard. It’s important to plan for these kinds of events—and if you weren’t prepared before, take advantage now to implement the learnings and benefits of how you can support and operate your business remotely in an efficient way. Make sure you can identify any anomalies or spikes in traffic and build the system in a scalable way. Consider your systems and aspects of security. You need a system that can monitor and alert you on anomalies in your traffic, even when the scenario is changing. But in terms of simple volume metrics, you don’t want to be alerted for every spike in registrations and logins. You don’t want to block legitimate users.
It’s more about figuring out and learning the lessons from what worked well and what didn't work, so that you can implement the right processes and procedures. Make sure that when a similar situation like this comes in the future, you can be prepared and have everything ready so that you can focus on the opportunity as a business and operate well, versus playing catch-up.
We've talked about e-learning. Virtually all students are studying remotely right now. What insights have you taken away from the current situation in this segment?
Ido: It's hard for me to personally predict how e-learning as a business will continue in the future. What I do know is that e-learning saw an increase in attack traffic and became a very attractive target for attackers to go after. E-learning services are currently facing massive and complex account takeover and scraping attacks. This will not change in the short term. If the level of legitimate e-learning users remains high after the situation returns to normal, the attackers will inevitably continue to go after the segment. One thing that has changed is e-learning becoming a bigger target as a business for attackers to go after.
Liel: And if I can add to that, I am actually an e-learning student currently. I do think that one of the things to emphasize from Ido's answer is that now, attackers understand that e-learning is another segment they can abuse and use in order to gain money. Even if there is a decrease in users, some attackers will keep on attacking this segment because they've understood its potential and know they can benefit from that in the future.
So what do you recommend businesses do in general, in terms of maintaining readiness for handling these types of challenges and changes?
Ido: I think experimenting and planning is important. Have a plan for remote work in trying times. Obviously, this two-month period was a big experiment in that. But make sure to maintain communication, operations and the abilities of all employees. It's not just the security team—it’s also the developers, as well as the full set of measures you need in place to ensure safe and optimized operations. It’s important to maintain visibility into your systems when you aren’t accessing them from your office address. Being able to access your business safely from anywhere in the world presents opportunities. But you also need to ensure that the security controls are there.
For more data and insights about the impact of COVID-19 on digital businesses, read the four-part blog series from Ido on the PerimeterX blog.