evan_schuman
Contributor

Tracking manual attacks may deliver zero-day previews

News
May 23, 2024 | 4 mins
Cyberattacks, Cybercrime, Fraud

According to analysis from LexisNexis, human-based digital fraud attacks are increasing more quickly than bot-based attacks — a difference CISOs should leverage for their defenses.

Differentiating between manual and bot attacks, and homing in on human ones in particular, can give security professionals a leg up on combatting fraud attempts against corporate systems.

According to a report released Thursday by LexisNexis Risk Solutions, last year automated attacks (aka bots) did not see nearly the same increase (2%) as manual/human attacks, which soared by 19%. The report’s insights on digital fraud attacks were based on an analysis of 92 billion transactions.

A cybercrime specialist not affiliated with the report said that the human versus bot attacks figure reported by LexisNexis was not surprising, but it does suggest an important tactic for CISOs to consider, given the rise in manual attacks revealed by the study.

Automated bot attacks are extraordinarily more efficient than human ones, said Matt Harrigan, a VP at Leviathan Security. 

“You don’t need to increase the quantity of bots at nearly the same rate that you would need to increase manual attacks,” Harrigan said, of the differing methods attackers use to compromise systems. 

But these days, Harrigan said, attackers are overwhelmingly using manual attacks and automated attacks for very different purposes. Manual attacks are typically used for trying out new attack vectors. If one of those attack methods succeeds, it becomes a zero-day that will be visiting CISOs in a few days. Bots are then used to launch that new attack in massive volumes. 

That means CISOs should make sure that their systems are trying to differentiate between automated and manual attacks, and should then examine the manual attacks very carefully, Harrigan said.

CISOs should “spend extra time” examining the manual attack attempts, he said, as doing so may give the security operations center a sneak preview of a zero-day, thereby giving them the ability to tweak defenses to try to thwart an imminent attack conducted potentially at scale by follow-on bots. 

“Every time [an attacker] knocks off a piece of armor, somebody figures out how to make a better piece of armor,” Harrigan said. “It’s always a cat and mouse game.”

The LexisNexis Risk Solutions report also identified the 2023 geographies most likely to have launched attacks as “parts of Southeast Asia [that] are established homes for dedicated remote scam centers. Cybercriminals favor border areas in Cambodia, Myanmar, and remote parts of Thailand.”

Addressing fraud and scams, rather than cybercrime in general, the report noted several trends over the past few years.

“In APAC, third-party account takeover has become even more dominant than in 2022, driven by a relentless scam pandemic across the region which for now is primarily fueling subsequent unauthorized fraud attempts, in contrast with the authorized transfer scams seen in EMEA,” LexisNexis researchers wrote. “Bonus abuse worsened in both EMEA and LATAM, linked to both gaming and gambling and ecommerce. North America saw significant YOY percentage growth of true identity theft in 2023, offsetting a decline in third-party chargeback fraud as a percentage of all classifications.”

The report also noted an ongoing security weakness with mobile devices, which suffered the greatest attack rate growth, prompting LexisNexis Risk Solutions to label the mobile channel “the least secure.”

“The lightweight nature of mobile browsers limits the availability of digital intelligence and risk signals, a boon to attackers relying on ambiguity,” according to the report’s researchers. “The preponderance of mobile app transactions makes that channel’s comparatively muted attack rate growth more concerning for organizations meeting consumer demand for mobile experiences overall.”

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution. Evan can be reached at [email protected] and he can be followed at http://www.linkedin.com/in/schumanevan/. Look for his blog twice a week.

The opinions expressed in this blog are those of Evan Schuman and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
