Payment Fraud Detection: How ATO and Phishing Kits Drive Modern Abuse
Fraud is rapidly changing. No longer can organizations rely on siloed fraud teams for payment fraud detection, separate from threat intelligence.
Blake Butler, PayPal’s Head of Fraud and Threat Intelligence, joined Eli Woodward on the Future of Threat Intelligence podcast to discuss his view of how these two sources of intelligence should be unified. In their discussion, they talk through the connections between fraud and threat intel, payment fraud trends, how to identify fraudulent activity, threat actor methods, and what the future of fraud could look like.
Why Fraud + Threat Intelligence Need to Work as One Team
Traditionally, threat intelligence is focused on technical topics like network defense, VPN security, inbound and outbound connections to organizational systems, and data exfiltration. Fraud threat intelligence, on the other hand, focuses on understanding the methods and techniques adversaries use to monetize or abuse consumer accounts or the targeted industry.
While these two teams seem to be focused on different aspects of risk, Butler believes there is a connection between them related to how attackers are currently carrying out their operations. Specifically, there is now demonstrated overlap between the tools and techniques attackers use in offensive security space as well as in the fraud space.
“What we're trying to do is we're trying to better understand the tools, the strategies, the methods that are being used to abuse consumer accounts or just abuse the industry as a whole,” says Butler. “So I think…there's this really interesting nexus between information security and fraud.”
For example, Butler notes that attackers are using tools to automate gaining access to accounts or carrying out specific events or activities once they gain access. Combining teams brings deeper expertise across the attack pattern, from the technical tooling to the wider information regarding how money is stolen and moved after initial access is achieved.
What Signals Actually Work: Anomalies, Spikes, and “Unclean” Data
Payment fraud detection can be extremely difficult, and Butler notes there is no one specific sign of fraud. Instead, organizations need to pay attention to a wide range of indicators that could showcase fraud and abuse.
Methods of detecting and identifying fraud will differ depending upon the types of abuse being carried out; what works for detecting account takeover may not work for payment fraud detection or fake stores and credit card information harvesting.
In general, Butler and his team found that looking for the following signals helps identify fraud and abuse:
- For phishing, analysts look at infrastructure, domains, and where impacted data may be siphoned
- Customer complaints, such as never receiving an item, can help identify fake web shops
- Business intelligence methods, such as counting the number of accounts being created from a specific region or piece of infrastructure, which can help spot emerging fraud trends
- Explosive growth of traffic or anomalies in traffic or data, which could signal fraud and abuse
Butler notes that he prefers to do research on data that has not yet been normalized, because normalization can remove the very signals he is hoping to find that indicate a growth in abuse.
“I think a lot of the times when you're cleaning data, you're doing this to normalize it so that you can better feed it into a model or better understand sort of the outcomes when you run something over that data,” says Butler. “But I think in many cases data normalization can actually remove signal because in many cases there are anomalies within the data that's being provided.”
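To make the counting and spike signals above concrete, and to show how a routine normalization step can erase exactly the anomaly an analyst is looking for, here is an added example. It is not code from the podcast, PayPal, or Team Cymru; the signup events, the ASN labels (taken from the RFC 5398 documentation range) and the clipping rule are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median


def build_sample_events():
    """Constructed sample: 24 hours of account signups as (timestamp, asn, country).

    Baseline is 5 signups per hour spread over three ASNs. Hour 14 adds a burst
    of 60 signups from a single ASN, the kind of 'explosive growth' worth a look.
    """
    events = []
    base = datetime(2024, 1, 1)
    baseline_asns = ["AS64497", "AS64498", "AS64499"]  # documentation ASNs
    for hour in range(24):
        for i in range(5):
            ts = base + timedelta(hours=hour, minutes=i * 10)
            events.append((ts, baseline_asns[i % 3], "US"))
    burst_start = base + timedelta(hours=14)
    for i in range(60):
        ts = burst_start + timedelta(seconds=i * 30)
        events.append((ts, "AS64496", "XX"))  # constructed burst source
    return events


def top_sources(events, n=3):
    """The 'counting' signal: which ASNs created the most accounts?"""
    return Counter(asn for _, asn, _ in events).most_common(n)


def hourly_counts(events):
    """Bucket signups into 24 hourly counts (index = hour of day)."""
    counts = [0] * 24
    for ts, _, _ in events:
        counts[ts.hour] += 1
    return counts


def find_spike_hours(counts, factor=3.0):
    """The 'spike' signal: hours whose count exceeds factor x the median hour."""
    baseline = median(counts)
    return [hour for hour, c in enumerate(counts) if c > factor * baseline]


def normalize_by_clipping(counts, cap_factor=2.0):
    """A typical data-cleaning step: clip outliers to cap_factor x the median.

    This is the kind of normalization that makes data model-friendly but, as the
    discussion above warns, it throws away the anomaly itself.
    """
    cap = cap_factor * median(counts)
    return [min(c, cap) for c in counts]


if __name__ == "__main__":
    events = build_sample_events()
    raw = hourly_counts(events)
    print("top sources:", top_sources(events, 1))            # [('AS64496', 60)]
    print("spike hours (raw):", find_spike_hours(raw))       # [14]
    print("spike hours (after clipping):",
          find_spike_hours(normalize_by_clipping(raw)))      # []
```

Run as-is, the raw hourly counts flag hour 14 and the per-ASN count points at the burst source; the same detector run on the clipped series flags nothing, which is the normalization-removes-signal effect Butler describes. In practice the lesson is to run anomaly checks on the raw counts first and normalize only the copy that feeds downstream models.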
Payment Fraud Trends: OTP Theft and Phishing-as-a-Service
Threat actors are increasing their overall attack sophistication in the fraud and abuse space as they leverage various fraud schemes. This is the continuation of an evolution of phishing from a relatively simple attack method into something significantly more complex.
This evolution of phishing has led to a shift in methods and objectives, moving from just stealing money or personal information to account takeover activity, money laundering, and initial access into an organization.
“You're almost creating like a super bug where as you continue to develop defensive measures, as you continue to spray that pesticide over your plants, the bugs become more resilient,” Butler says regarding the changes in the phishing ecosystem he has seen.
One of the most impactful methods Butler has observed is the integration of phishing pages into front-end platforms. This allows attackers to steal one-time passcodes (OTPs) by automating a login or password reset on a legitimate site and asking the user for the OTP sent by the real organization.
As attackers increase their sophistication, the barrier to entry has also dropped. The rise of “as-a-service” models means that even unsophisticated attackers can now carry out sophisticated phishing attacks by employing phishing-as-a-service products.
What Does the Future of Fraud Look Like?
Just as members of the fraud and cybersecurity community realize the value of working together and across silos, fraudsters and criminals are coming to similar realizations, according to Butler. This increases overall criminal collaboration.
Like every other aspect of security, AI is also influencing the fraud world. Large language models like ChatGPT help generate convincing phishing content at scale, lowering the barrier for entry and increasing the likelihood of attacker success by removing telltale signs of phishing.
Butler also noticed fraudsters using AI to generate images for fictitious, non-existent items on fake web shops, as well as using AI to generate the code for entire fraudulent websites hosting those fake items. With little effort, attackers can now stand up entire fake e-commerce pages to convincingly scam end users and harvest their payment information or steal their funds.
This rise in fraud sophistication necessitates, in Butler’s view, a rise in the technical ability of fraud analysts. Ideally, Butler wants to see analysts in the anti-fraud space be equally comfortable and have backgrounds in both information security and fraud.
You can listen to the entire podcast at Apple podcasts, Spotify, YouTube, or on the Team Cymru website.