Black Friday Merchants Brace For ShapeShifter Attacks

It was Friday, November 25th 2022. When Karisse Hendrick woke up, she knew something was wrong. Her phone was blowing up with text messages ? – one after another.

Fraud was going haywire and merchants were letting her know.

Black Friday is always bad, but this was one was different. The fraud attacks were coming in faster than ever before.

And to make matters worse, some of their vendor fraud tools were crashing when they needed them most.

The merchants were concerned. This didn’t look like something they had seen before. So they turned to a trusted resource they knew could help them coordinate – Karisse.

They needed to do something fast.

Coordinated Attacks That Began Slowly

As the day progressed, Karisse began to help the merchants coordinate and figure out what to do.

And as it turns out, the fraud attacks had been emerging slowly for two months, starting in September. They emerged as a coordinated attack against a small group of contained merchants, and then they would quickly move to another group of merchants.

In hindsight, they were preparing for Black Friday by perfecting their craft.

Shoshana (Karin) Maraney outlined the plot in this ? LinkedIn story one week later. I recommend you read the article because it outlines the scheme beautifully and details how it worked.

Maraney described the attack as “A large-scale attack across merchants and industries in the USA, mainly based in triangulation attacks but also using a combination of other techniques including mules, account takeover and address manipulation.

The fraud rings combined multiple fraud schemes into one and bombarded merchants on the busiest shopping day of the year.

The Master Manipulators

The merchants gave the fraud rings a name ? The Master Manipulators.

The group appeared well-funded and organized and knew exactly what they were doing. Using primarily triangulation fraud and address manipulation, they were finding ways to skirt fraud systems in real time.

More worrisome, however, was how quickly they could change their tactics on a dime. They were probably communicating second by second, changing their methods.

Coordinated DDOS Attacks To Disable Fraud Systems

In addition to attacks on merchants, many suspect that the fraudsters lobbed attacks at fraud vendors simultaneously.

What better way to get fraud to go unchecked than disabling fraud systems.

Fraudsters and hackers figured out the best way to steal was by disabling the technology the company relies on to prevent it.

Fraud rings appeared on DDOS vendor APIs, causing those systems to become temporarily unavailable. Once those systems became disabled, the fraud rings could push their transactions through far more quickly because the fraud analyst didn’t have access to the tools.

Fraudology – This Will Change Fraud Fighting Forever

If you are intrigued at the dawn of these shapeshifting fraud attacks, I highly recommend you capture these two Fraudology episodes that dive into the problem in detail.

This should be required reading in advance of Black Friday.

This is Episode 1

And This is Episode 2

Merchants Are Bracing For Deja Vu This Black Friday

Are the fraud rings biding their time, ready to pounce again this Black Friday? Some believe so.

Some merchants are bracing and preparing for another wave of AI based attacks this year as shopping winds up.

Some are monitoring precursor attacks like the ones that occured last year to identify if larger attacks might happen this Black Friday.

Nate Kharrl with Spec is one of those people. His firm is monitoring for highly scalable AI attacks, which could take place this year.

Don’t Block Fraud Attacks – Trap Them

In a LinkedIn post, Kharrl offers some unusual but very insightful advice – don’t block the transactions. That gives fraudsters the intel they need to adjust their attacks.

He says, “Blocking actions teach an AI attack tool. You need a mechanism to trap them without them knowing it. Block actions will give you a temporary reprieve but automatically make the attacker smarter. By all means, block and decline if that’s the only tool you have, but you’ll be leaking data that strengthens your attacker. Devices are easy to simulate, IPs are a dime a dozen, behaviors can be changed – blocking is a temporary fix that AI “learns around” very quickly.”

Karisse Is Concerned Dress Rehearsals Have Already Started

It’s not a matter of “if” the attacks will occur, according to Hendrick they have already started.

In a solo episode of this ? fraudology podcast she outlines new AI Bot attacks that look like they are originating from the Master Manipulators.

Several merchants have reported that AI bots hit their systems hard for 24-48 hours and then disappeared. They suspect that these bots are connected to the same Southeast Asian fraudsters from last year because some of the addresses are the same from last year.

In what can only be described as Deja Vu all over again, several vendors fraud systems have experienced outages similar to the DDOS attacks that occurred last year.

Don’t Put Your Fraud Strategy On Auto-Pilot For Black Friday

If you work for a retailer and are concerned, Karisse Hendrick’s has advice: Don’t put your fraud strategy on auto-pilot. Make sure you are dynamically monitoring your fraud and adjusting strategies appropriately.

And if you need a consultant, there is no one better with more knowledge than Karisse Hendrick. Contact her at [email protected]

Good luck this Black Friday!