Episode #107

PayPal's Blake Butler on Finding Fraud Signals in Uncleaned Data

PayPal's fraud team catches credential stuffing before money moves by watching business intelligence signals that most organizations overlook: explosive traffic growth to legacy endpoints, phone numbers whose locale does not match the account creation region, and anomalies hidden in raw, uncleaned data. Blake Butler, Senior Manager & Head of Fraud Threat Intelligence, applies infrastructure analysis techniques from offensive security to fraud investigations. That combination fills a gap most organizations face: anti-fraud teams understand scam mechanics but lack technical depth, whereas infosec practitioners know infrastructure but not how criminals monetize accounts at scale.

Blake breaks down how phishing kits now bypass MFA through real-time automation. His detection philosophy: counting and explosive growth patterns beat machine learning for uncovering fraud. Data scientists clean away the signal.

Topics discussed:

  • Applying offensive security infrastructure analysis methods to fraud threat intelligence investigations
  • Detecting credential stuffing and account takeover campaigns through anomalies in account creation regions, phone number locales, and explosive traffic growth
  • Understanding how modern phishing kits automate real-time OTP theft by integrating directly into legitimate platform APIs during password resets
  • Tracking massive fraud operations emerging from China and South America through business intelligence signals
  • Identifying fraud indicators in uncleaned data: extra spaces, unrenderable characters, and AI-generated webshop metadata artifacts
  • Building security communities to enable monthly collaboration with local practitioners on emerging threats and tool development
  • Bridging the critical talent gap between anti-fraud teams lacking technical infrastructure skills and infosec practitioners without fraud monetization expertise
  • Evaluating phishing-as-a-service platforms and encrypted communication tools that lower barriers to entry for criminal actors

Key Takeaways:

  • Monitor explosive traffic growth patterns to legacy endpoints and unusual account creation regions to detect credential stuffing.
  • Analyze raw uncleaned data for fraud signals including extra spaces, unrenderable characters, and metadata artifacts.
  • Apply infrastructure analysis techniques to fraud investigations to identify phishing domains and criminal tooling.
  • Track mismatches between phone number locales and account creation regions as indicators of automated account generation.
  • Investigate anomalies in business intelligence metrics through simple counting before deploying machine learning models to uncover emerging fraud trends.
  • Build fraud threat intelligence teams that combine offensive security backgrounds with fraud monetization expertise to fill the critical industry talent gap.
  • Attend security community meetups to collaborate with local practitioners on emerging threats between annual conferences.
  • Implement MFA while recognizing that advanced phishing kits now automate real-time OTP theft through direct platform API integration.
  • Hire candidates with infosec infrastructure knowledge who understand how criminal actors use tooling to automate credential stuffing and account monetization operations.
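As an added example, not code from the podcast or from PayPal, the three counting-style checks described in the takeaways (explosive growth to a legacy endpoint, phone locale versus account creation region, and artifacts left in uncleaned text) run over a constructed batch of login events; the endpoint names, the dial-code table and the thresholds are assumptions.

```python
import re
import unicodedata
from collections import Counter

# Constructed sample events (not real PayPal data); each dict is one login attempt.
def _ev(endpoint, hour, region, phone, name):
    return {"endpoint": endpoint, "hour": hour, "region": region, "phone": phone, "name": name}

EVENTS = (
    [_ev("/v1/legacy/login", 0, "US", "+1 4155550100", "Ann Lee")] * 4          # quiet baseline hour
    + [_ev("/v1/legacy/login", 1, "US", "+55 11955550100", "Ann  Lee")] * 40    # burst, foreign-locale phones
    + [_ev("/v1/legacy/login", 1, "US", "+1 4155550100", "Bob\u200bSmith")]     # zero-width space in raw name
    + [_ev("/v2/login", 0, "GB", "+44 2079460000", "Cy Park")] * 30              # steady endpoint for contrast
    + [_ev("/v2/login", 1, "GB", "+44 2079460000", "Cy Park")] * 35
)

COUNTRY_BY_DIALCODE = {"1": "US", "44": "GB", "55": "BR", "86": "CN"}  # constructed subset of E.164 codes

def explosive_growth(events, factor=5, min_count=20):
    """Plain counting: flag an endpoint-hour whose volume is >= factor x the previous hour."""
    counts = Counter((e["endpoint"], e["hour"]) for e in events)
    return [(ep, hour, n) for (ep, hour), n in sorted(counts.items())
            if (ep, hour - 1) in counts                        # skip hours with no baseline
            and n >= min_count and n >= factor * counts[ep, hour - 1]]

def locale_mismatch(event):
    """True when the phone's dial code maps to a country other than the account creation region."""
    digits = re.sub(r"\D", "", event["phone"])
    for code in sorted(COUNTRY_BY_DIALCODE, key=len, reverse=True):  # longest dial code wins
        if digits.startswith(code):
            return COUNTRY_BY_DIALCODE[code] != event["region"]
    return True  # unknown dial code: surface for review rather than silently pass

def raw_text_anomalies(text):
    """Signals a data-cleaning step would erase: extra spaces and unrenderable characters."""
    flags = []
    if text != text.strip() or "  " in text:
        flags.append("extra_spaces")
    if any(unicodedata.category(c) in ("Cc", "Cf", "Co", "Cn") or c == "\ufffd" for c in text):
        flags.append("unrenderable_chars")  # control, format (zero-width), private-use, unassigned, U+FFFD
    return flags

def find_signals(events):
    """Run all three checks over the raw, uncleaned events and summarise the hits."""
    return {"explosive_growth": explosive_growth(events),
            "locale_mismatches": sum(locale_mismatch(e) for e in events),
            "raw_anomalies": sorted({e["name"] for e in events if raw_text_anomalies(e["name"])})}
```

Calling `find_signals(EVENTS)` flags only the legacy endpoint's burst hour, counts 40 phone/region mismatches, and surfaces both dirty name values; the v2 endpoint's steady volume is never flagged.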
