U.S. retailers are racing to finish a holiday season during which they came under an unprecedented series of online fraud attacks launched by a shadowy criminal enterprise that made off with an estimated $660 million in stolen laptops, cell phones, computer chips, gaming devices and other goods in the month of November alone.
The fraud ring, whose operations appear to be based in Southeast Asia, operates with the sort of sophistication typically associated with a Fortune 500 company, exhibiting expertise in the fields of data science, fraud detection, online payments and ecommerce operations.
“What was unique about this fraud ring was that they revved up really quickly. They’re fast and strong,” said Ping Li, Signifyd vice president of risk and chargeback operations. “They probably had been preparing for it for a long time and then they launched a war just before our holiday season.”
- The sophisticated fraud ring stole an estimated $660 million in goods from U.S. ecommerce enterprises in the month of November alone.
- Much more was at risk. Fraudulent orders targeted an estimated $3.3 billion in products.
- The fraud ring appears to be operating out of Southeast Asia and displays expertise in ecommerce, payments, fraud protection and logistics.
Signifyd first detected activity it now attributes to the ring more than a year ago, Li says. Like a burglar casing a home, the Southeast Asian fraudsters lurked online and launched small attacks to test the vulnerabilities of various merchants and to better understand the protections put in place by retailers and by a number of third-party fraud protection providers.
Early fraud attacks were reconnaissance missions
Those early attacks were quickly extinguished and resulted in relatively small losses, meaning the fraud ring did not draw widespread attention to itself. Li says now risk intelligence experts at Signifyd are convinced those attacks were practice runs — a chance to test what works and what doesn’t when launching a larger attack.
In early November, those larger attacks arrived with a vengeance, targeting billions of dollars in products in quick succession. Many of the fraudulent orders were turned away by Signifyd’s Commerce Protection Platform due to detected fraud, but the numbers were staggering.
At its height, the fraud ring was attempting more than one fraudulent transaction a minute at one large merchant on Signifyd’s network. The pace kept up for a full day. The vast majority of those orders were turned away, but nationally the attacks have been devastating.
Based on an analysis that examined fraud attempts on Signifyd’s Commerce Network and applied similar activity to the Top 100 U.S. ecommerce retailers, Signifyd estimates that the fraud ring made off with $660 million in goods in the month of November alone.
Much more was at risk of being stolen during the rapid-fire attacks. Overall, using the Top 100 methodology, Signifyd estimates the fraud attacks placed $3.3 billion in U.S. ecommerce goods at risk during November, generally the busiest shopping month of the year.
The fraud ring was determined to keep up the pressure
Elevated waves of attacks persisted through Black Friday and into early December. As Signifyd’s machine-learning fraud protection models would block fraudulent orders, the fraud ring would carefully adjust its tactics to work around the protection, displaying increasing sophistication as it went.
Just where did this attack rank in terms of size, scope and persistence?
“To me, this is No. 1,” says Signifyd’s Li, who’s studied fraud and fraud trends for nearly two decades. “Normally, when we see an attack on one merchant, the attack has its own characteristics. And then you see a very different kind of attack on another merchant. But this one is just universal. It’s everywhere. This is the first time I have seen an attack of this size and scale in our network.”
Discussions with merchants and other fraud professionals indicate that the attack is widespread — well beyond Signifyd’s network of thousands of retailers.
An operation with this fraud ring’s level of reach requires a highly sophisticated group dedicated to analyzing fraud defense systems, a steady pipeline of stolen log-on credentials and identities, teams that organize the shipping and reshipping of the products it obtains illegally and a field operation that can resell the goods.
So brazen they left a calling card
The Southeast Asian ring seems little concerned about being recognized, Li said: it makes no effort to conceal the traits in its illegitimate orders that point back to the ring. For instance, it regularly uses distinctive, repeated names in online checkout forms.
“They kind of leave their signature,” Li says. “They are not really trying to hide. It’s like, ‘Catch me if you can.’”
Signifyd has been able to shut down the ring among the merchants it serves and swiftly respond to new adaptations of the attacks. Because Signifyd provides commerce protection to thousands of merchants on its Commerce Network, its machine learning models can identify attack patterns at one merchant and adjust protection across the network to avoid losses elsewhere.
Given the modus operandi of the Southeast Asian fraud ring, however, the work to stop it is not finished. No doubt, its leaders are out there recalibrating, regrouping and reviewing their options for their next wave of attacks.
“They’re still trying,” Li says. “They will come back. And they will test you to see if your guard is down.”