By Dan Woods, Vice President of the Shape Security Intelligence Center at F5

As COVID-19 drives a higher volume of transactions online, the dance between cyber criminals and security professionals has stepped up a beat. Enterprises are re-assessing the robustness of their systems, while bad actors are looking for vulnerabilities to exploit.

At Shape Security, we process billions of transactions every week on behalf of some of the world’s biggest banks, retailers, government agencies and airlines. 

Since early March, when the shelter-in-place and lockdown guidelines started coming into force, we noticed major spikes and collapses in online activity across a range of verticals. Traffic to online grocery delivery providers in our network was up 400%, and investment account logins rose by 53%. Correspondingly, online travel bookings were down 75%, new payroll account registrations have been cut in half. Furthermore, international money transfers fell by 35%.

These are unsurprising trends, as some sectors experience unprecedented demand while others remain in lockdown. Less clear is whether the volume of attacks and malicious activity has increased in the wake of COVID-19, and indeed if there is any direct link between the two. The data isn’t yet definitive and, in our experience, there are too many variables in each case to be sure (i.e. the application in question, the countermeasures in place, the monetisation scheme being pursued).

Nevertheless, it is important for any organisation that relies on applications to both understand how attackers are operating in the current circumstances, and to reconsider if security measures are sufficient. Whether or not attack volumes are on the rise, we are seeing a definite evolution in the behaviour of cyber criminals, as well as some clear trends to be aware of.

As one example, attackers have been targeting portals that allow people to access Government finance and assistance schemes under the US Coronavirus Aid, Relief, and Economic Security (CARES) Act. Every applicant needs to enter a Taxpayer Identification Number (TIN) to proceed. As a result, attackers have been tapping into the workflow to run automated programs that allow them to endlessly fish for, and then validate, real TINs, for sale or malicious use elsewhere.

Another prevalent act of fraud we are seeing is targeted at the quick service restaurant (QSR) industry. Here, fraudsters pose as discount providers on social media to place real orders with QSRs using stolen credit cards. The transaction proceeds as normal through their system and that of the delivery provider. Only when the chargeback occurs weeks later does the fraud become apparent, by which time it is too late to trace or recoup. The cost of this scam has run into hundreds of thousands of dollars per month for some companies in the industry.

What these examples demonstrate is the relentless adaptability of cyber attackers. When there are major shifts in consumer behaviour, such as the recent spike in online food orders, they quickly change their playbook(s) to take advantage.

So, how can companies be equally agile in their response? The first step is to acknowledge the extent of the problem. One Fortune 100 customer came to us with the assumption that about 20-30% of their traffic was malicious. Our analysis showed that the real figure was 98%. This is a common problem; a security operations center (SOC) will often focus on the noisiest IPs and miss the long tail of those contributing small volumes of malicious traffic.

The second point is to leverage technology that can collect signals from your network, users, and environment to identify automated and potentially malicious traffic. For instance, if you are looking at how users navigate an online workflow, signals will easily distinguish the keystrokes and mouse movements of a human user from the overly precise behaviour of a bot. They can also tell the difference between a legitimate user and a manual fraudster. The latter, having become familiar with the workflow, will typically navigate it more quickly.

Organisations need to remember that attackers are a moving target. They will usually retool after countermeasures are taken, and shift between web, mobile and API interfaces to seek out new vulnerabilities. As such, security teams need to watch closely how attackers respond to countermeasures to determine their next move. Some don’t even recognise that they are being blocked. Others quickly adapt.

The flexibility of attackers also highlights the dangers of relying too much artificial intelligence (AI) and machine learning (ML). While these are essential elements of any security toolkit, it is also important to recognise their limitations. The raw signals detected by AI and ML systems will be full of both false positives and false negatives. You need trained people poring over that data as a crucial second line of defense, watching for anomalies and observing how attackers retool.

Finally, don’t forget the user experience. A customer-facing business shouldn’t depend too much on tools like CAPTCHA that can inconvenience your real customers more than prospective attackers.

This is a time of constant adaptation for everyone. and security is a clearly a priority that demands rigorous attention. At every possible juncture, attackers are evolving fast in this new environment. Organisations across the world need to do the same to protect both themselves and their customers.