The Path of Least Resistance Beats the Road Less Travelled

Attackers May be Looking for the Path of Least Resistance, But There is No Shortcut to Securing your Platform

The “path of least resistance” is an often-used term in cybersecurity, especially to describe how attackers identify and strike the weakest link in a defense. For modern online fraud, the battle is even harder. Not only does every feature introduced on an online service open new attack vectors, but fraudsters also constantly devise new ways to evade detection, both by exploiting weaknesses in existing security solutions and by blending in with the millions of normal users around them.

The commoditization of the underground economy plays a large part in creating multiple “paths” of lower resistance. Suppliers offer services for every aspect of a fraud operation, most of them designed to bypass a specific defense measure. In the business of fake account creation alone, there are online SMS services providing disposable virtual numbers to bypass phone verification, throwaway email services that receive messages at random temporary addresses to bypass email verification, and CAPTCHA solvers (many staffed by human laborers in Southeast Asia) that cost as little as $0.50 per 1,000 images. In addition, anonymous proxies, VPNs, and cloud hosting services make traffic appear to come from different locations, defeating blacklists and IP-based rules. Executed at scale, these services significantly lower the cost of fraud campaigns and lower the barrier to entry for aspiring fraudsters.

Creating fake accounts is one way in, but there are other effective entry points to the modern online service. Almost every online platform offers a way to reach, direct message, or otherwise engage with other users. Couple this with the wealth of public information about individual users (online profiles give away a user's job history, restaurant preferences, who their friends are and where they live, among other details), and fraudsters have the perfect weapon to attack the weakest link, people, by crafting ever more convincing phishing messages. Compromised accounts contain valuable information such as financial data, and their activity is less likely to raise the suspicion of security solutions. Despite increased public awareness of phishing, it remains a primary vector for compromising user accounts: it is easy to deploy and incredibly effective.

The easiest path may not be the most obvious one. As online services step up account security measures and enforce second-factor authentication checks, taking over existing accounts has become much more difficult. In this case, attackers found a completely different shortcut. A vulnerability in the SS7 protocol recently made headlines when cybercriminals compromised bank accounts by hijacking the SMS messages sent to victims’ phones, bypassing second-factor authentication. The vulnerability lies in the underlying signaling protocol telecom companies use to set up calls across networks, and it can also be abused to eavesdrop on calls or track users. This is a much easier path than breaking the one-time passcodes in SMS verification messages.

It is not always about the attack techniques, however. The path of least resistance shows up in other aspects of the attack operation as well, including the tools fraudsters use to launch attacks. In a recent analysis of more than 500 billion events collected from multiple global online services, 83 percent of fake accounts log in to online services from desktop machines, with only 18 percent from mobile devices. This is the opposite of normal users, who mostly access online services from mobile devices thanks to the pervasiveness of wireless communication and the many convenient mobile-specific features online services offer.

What makes desktops more attractive to fraudsters? It is much easier to commit fraud from a desktop machine than from a mobile device. There is no reliable fingerprint that can be used to track web visitors. Creating the appearance of a “different” user can be as simple as clearing browser cookies, spoofing user-agent strings, and/or switching to another IP address, all of which scripts can perform cheaply at scale. By contrast, mobile apps sit directly on the device and can collect more accurate device identifiers or monitor user behavior within the app. This makes it significantly harder for fake accounts to evade detection.

A similar observation can be made about the fraudsters’ preferred mobile platforms and device models. When the online service is mobile-only, fraudsters choose to launch attacks from Android rather than iOS, because the flexibility of Android’s open architecture makes it easier to deploy attack tools. There are also more apps available for Android than for iOS, some of them specifically designed to spoof GPS location services on the device, forge network requests, automate human-like activity, or provide other functionality convenient for conducting fraud. What about when fraudsters want to attack iOS-specific apps? Since iOS devices are much harder to emulate, fraudsters have to own physical phones. In that case they choose older iPhone models, which are much cheaper and likely to be running old OS versions that are easier to jailbreak. In our analysis, two-thirds of fraudulent accounts originating from iOS devices used older models like the iPhone 5, 5c, and 5s.

People opt for the path of least resistance when given a choice, and fraudsters are no different. We see this happen over and over in the security arms race, where an overlooked side door is targeted to bypass the locked front entrance. However, fraudsters first need to find that side door, and they often test their attack in small batches to find loopholes. To protect an online service from such attacks, it is important to pay attention to unexpected behaviors that deviate from those of normal users; they can be tell-tale signs of a flaw or of an imminent larger threat. Attackers may be looking for the path of least resistance, but there is no shortcut to securing your platform.
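The advice above, to watch for behavior that deviates from normal users, as an added example that is not the article's or DataVisor's code: it scores cohorts of new accounts on the two signals the column reports (desktop logins, old iPhone models) against a baseline and flags cohorts that sit far above it. The events, the cohort grouping, the baseline rates and the threshold are all constructed assumptions.

```python
from collections import defaultdict
from math import sqrt

# Device models the column associates with fraud on iOS (assumed label set).
OLD_IOS_MODELS = {"iPhone 5", "iPhone 5c", "iPhone 5s"}

# Constructed sample events: (account_id, cohort, platform, device_model).
# "cohort" stands in for whatever groups new accounts by origin, e.g. signup hour + IP prefix.
EVENTS = [
    ("u1", "c-normal", "ios", "iPhone 8"), ("u2", "c-normal", "android", "Pixel 2"),
    ("u3", "c-normal", "android", "Galaxy S8"), ("u4", "c-normal", "desktop", "Chrome/Win"),
    ("u5", "c-normal", "ios", "iPhone X"), ("u6", "c-normal", "ios", "iPhone 7"),
    ("u7", "c-normal", "android", "Moto G5"), ("u8", "c-normal", "desktop", "Firefox/Mac"),
    ("f1", "c-desk", "desktop", "Chrome/Win"), ("f2", "c-desk", "desktop", "Chrome/Win"),
    ("f3", "c-desk", "desktop", "Chrome/Linux"), ("f4", "c-desk", "desktop", "Chrome/Win"),
    ("f5", "c-desk", "desktop", "Chrome/Win"), ("f6", "c-desk", "ios", "iPhone 7"),
    ("g1", "c-oldios", "ios", "iPhone 5s"), ("g2", "c-oldios", "ios", "iPhone 5c"),
    ("g3", "c-oldios", "ios", "iPhone 5"), ("g4", "c-oldios", "ios", "iPhone 5s"),
    ("g5", "c-oldios", "ios", "iPhone 5s"), ("g6", "c-oldios", "android", "Pixel 2"),
]

# Assumed rates among normal users: mostly mobile, very few old iPhones.
BASELINE = {"desktop": 0.25, "old_ios": 0.05}

def signals(platform, model):
    return {"desktop": platform == "desktop",
            "old_ios": platform == "ios" and model in OLD_IOS_MODELS}

def cohort_deviation(events, baseline, min_size=5):
    """Per cohort and signal, how many binomial standard deviations the cohort's
    hit count lies above the baseline expectation. Small cohorts are skipped."""
    counts, sizes = defaultdict(lambda: defaultdict(int)), defaultdict(int)
    for _, cohort, platform, model in events:
        sizes[cohort] += 1
        for name, hit in signals(platform, model).items():
            counts[cohort][name] += hit
    scores = {}
    for cohort, n in sizes.items():
        if n < min_size:
            continue
        scores[cohort] = {}
        for name, p in baseline.items():
            expected, sd = n * p, sqrt(n * p * (1 - p))
            scores[cohort][name] = (counts[cohort][name] - expected) / sd
    return scores

def flag_cohorts(events, baseline, threshold=3.0):
    """Cohorts whose rate on any signal exceeds the baseline by more than `threshold` SDs."""
    return sorted(c for c, s in cohort_deviation(events, baseline).items()
                  if max(s.values()) > threshold)
```

In practice the baseline would be estimated from the established user population rather than assumed, and the flagged cohorts would feed review or step-up verification rather than an automatic block.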

Ting-Fang Yen is a research scientist at DataVisor, a fraud and financial crime detection service that uses unsupervised machine learning to identify attack campaigns before they do any damage. She received her PhD in Electrical and Computer Engineering from Carnegie Mellon, focusing on the detection of malware communications by applying statistical models and machine learning. She was previously a threat scientist at E8 Security and a principal research scientist at RSA, where she led projects analyzing enterprise log data to identify malicious insiders and intrusions.