How to Identify Fraud as a Service Attacks
Spotting the Signs of a Coordinated Attack
Fraud as a Service attacks aren’t always loud and obvious. In fact, the most dangerous ones are designed to blend in with your normal traffic until it’s too late.
Nonetheless, FaaS operators do leave behind clues if you know where to look. Certain red flags signify a coordinated operation rather than a one-off scammer. With sharp eyes and vigilance, you can learn to differentiate FaaS attacks from the rest.
In this article, we expose these warning signs and show you what to look for. We also outline a response plan you can use to keep a FaaS attack from morphing into a full-blown financial disaster.
Fraud as a Service (FaaS)
Similar to software as a service (SaaS), buyers who purchase Fraud as a Service (FaaS) products don’t need to understand the inner workings of the program or how to carry out the fraud themselves. That’s a big problem for legitimate merchants and consumers: it means that even the least sophisticated bad actors can launch complex and large-scale attacks with nothing more than an internet connection.
FaaS Red Flags
FaaS attacks reveal themselves through patterns more than single transactions. Merchants should be on the lookout for unnatural consistency, like identical device fingerprints, bot-fast checkout behavior, and “perfect” geolocation matches coming from data center IPs.
To identify a FaaS attack, you’ll need to look past individual transaction data. It’s more important to focus on links and fraud patterns. Unlike a solo scammer, FaaS operations may leave behind digital fingerprints: little clues stemming from the tools that make their bogus services scalable.
The biggest tip-off is conformity. If you start seeing indications of uniform behavior across seemingly unrelated accounts, there’s a decent chance you’re looking at a FaaS attack. Let’s look at some potential red flags to know about:
FaaS crooks often use pre-configured virtual machines or “headless” browsers. These are browsers that have no human interface to slow down processing. The result can be hundreds or thousands of non-existent customers with identical hardware configurations.
Individual IPs may differ, of course, and the fraudster might use fingerprint randomization. Still, a tsunami of shoppers with a consistent device fingerprint is highly unlikely. In all probability, it’s the output of a single FaaS script being run at a massive scale.
FaaS bots are optimized for speed, but that can also give them away. To work faster, they’ll often skip the human parts of the shopping experience, like hovering over images or reading reviews.
Look for a pattern. If you’re seeing a high number of “shoppers” that move from login to checkout with zero mouse movement, make sure there are real accounts behind those customers.
This one is a little more technical. Sophisticated FaaS providers often use proxies that match login locations with zip codes tied to stolen credentials. That’s a smart move, but the crooks may fail to account for local internet service provider (ISP) infrastructure.
In practical terms, that means you should watch out for a perfect address match that’s routed through a data center IP rather than a residential one.
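The three red flags above, expressed as detection logic over constructed session records. This is an added example, not code from the article; the field names, thresholds and the data-center network list are assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed values for illustration: tune thresholds to your own traffic and
# replace the network list with a maintained hosting/data-center IP feed.
DATACENTER_NETS = [ip_network("203.0.113.0/24")]  # documentation range, stand-in
MIN_ACCOUNTS = 3          # distinct accounts sharing one device fingerprint
MIN_HUMAN_SECONDS = 5.0   # login-to-checkout faster than this is bot-fast

def row(account, fp, ip, mouse, secs, bill_zip, geo_zip):
    return dict(account=account, fp=fp, ip=ip, mouse_events=mouse,
                login_to_checkout_s=secs, billing_zip=bill_zip, geo_zip=geo_zip)

# Constructed session records (not real traffic).
SESSIONS = [
    row("a1", "fp-9c1", "203.0.113.10", 0, 1.8, "33101", "33101"),
    row("a2", "fp-9c1", "203.0.113.44", 0, 2.1, "60601", "60601"),
    row("a3", "fp-9c1", "203.0.113.90", 0, 1.6, "98101", "98101"),
    row("b1", "fp-77e", "198.51.100.7", 42, 96.0, "10001", "10001"),
    row("b2", "fp-2ad", "198.51.100.8", 0, 3.0, "73301", "73344"),
]

def session_flags(s):
    """Per-session red flags; weak evidence until they repeat across accounts."""
    flags = set()
    if s["mouse_events"] == 0 and s["login_to_checkout_s"] < MIN_HUMAN_SECONDS:
        flags.add("bot_fast_checkout")
    in_dc = any(ip_address(s["ip"]) in net for net in DATACENTER_NETS)
    if in_dc and s["billing_zip"] == s["geo_zip"]:
        flags.add("perfect_geo_via_datacenter")
    return flags

def coordinated_clusters(sessions):
    """Group by fingerprint; report clusters spanning >= MIN_ACCOUNTS accounts."""
    groups = defaultdict(list)
    for s in sessions:
        groups[s["fp"]].append(s)
    report = {}
    for fp, rows in groups.items():
        accounts = {r["account"] for r in rows}
        if len(accounts) < MIN_ACCOUNTS:
            continue  # one-off sessions are not reported, even if flagged
        counts = Counter(f for r in rows for f in session_flags(r))
        report[fp] = {"accounts": sorted(accounts), "flags": dict(counts)}
    return report

if __name__ == "__main__":
    for fp, info in coordinated_clusters(SESSIONS).items():
        print(fp, info)
```

Session b2 trips the bot-fast flag on its own but is not reported, because the signal here is the same fingerprint and behavior repeating across unrelated accounts.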
FaaS Response & Recovery Plan
When responding to a FaaS attack, containing the problem is often better than hard-blocking. Use soft declines and step-up checks to buy time, gather evidence, and fix control gaps. Document everything to reduce long-term damage and potentially recover chargeback losses.
Responding to a FaaS attack is different than it would be for other types of fraud. You still need to act immediately, but your priority should be containment, not a hard block. Here’s why: abruptly cutting off a botnet could alert the FaaS operator. If they know you’re on to them, they may abort the attack, but they could also simply adjust their script and re-attack.
Instead, soft-declines, secondary verification loops like multi-factor authentication, and velocity checks at checkout can help you throttle the speed of the attack. That can give a brief respite to harvest evidence for filing a report with your local law enforcement agency or the FBI’s Internet Crime Complaint Center (IC3). Hard, well-documented evidence may help authorities if they try to trace the attack back to the service provider.
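A sketch of the graduated containment described above: a sliding-window velocity check at checkout that escalates from step-up verification to a soft decline and records evidence, with no hard block. This is an added example, not code from the article; the class name, window size and thresholds are assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 60        # assumed sliding window, in seconds
STEP_UP_AT = 3       # attempts in window that trigger MFA step-up
SOFT_DECLINE_AT = 6  # attempts in window that trigger a soft decline

class CheckoutThrottle:
    """Velocity check keyed on a linking attribute such as device fingerprint."""

    def __init__(self):
        self.attempts = defaultdict(deque)  # key -> timestamps inside window
        self.evidence = []                  # retained for reports and post-mortem

    def decide(self, key, ts, account):
        q = self.attempts[key]
        while q and ts - q[0] >= WINDOW_S:  # drop attempts older than the window
            q.popleft()
        q.append(ts)
        n = len(q)
        if n >= SOFT_DECLINE_AT:
            action = "soft_decline"   # retryable decline, not a hard block
        elif n >= STEP_UP_AT:
            action = "step_up_mfa"    # secondary verification loop
        else:
            action = "allow"
        if action != "allow":
            self.evidence.append({"ts": ts, "key": key, "account": account,
                                  "action": action, "attempts_in_window": n})
        return action

# Constructed events: (timestamp, fingerprint, account). Seven attempts five
# seconds apart from one fingerprint, then one after the window has emptied.
EVENTS = [(i * 5, "fp-9c1", f"a{i}") for i in range(7)] + [(200, "fp-9c1", "a7")]

def replay(events):
    """Run events through a fresh throttle; return (actions, evidence)."""
    throttle = CheckoutThrottle()
    actions = [throttle.decide(fp, ts, acct) for ts, fp, acct in events]
    return actions, throttle.evidence

if __name__ == "__main__":
    actions, evidence = replay(EVENTS)
    print(actions)
    print(len(evidence), "evidence records")
```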
For long-term prevention, however, you should treat the fallout of a FaaS attack as a data integrity issue rather than just a financial loss. Work with your fraud prevention partners to conduct a post-mortem. Identify which filters were bypassed so you can resolve that issue. Act fast, before the FaaS provider can sell information on your vulnerability to another buyer.
Finally, documenting the attack can also help you build a stronger case for representment. That may, in turn, enable you to recover at least some of the revenue you’ll lose to the chargebacks that will inevitably follow the attack.