There was an 85% year-on-year increase in attacks targeting logins or account creation in 2021 as bot-driven fraud attempts soared, according to Arkose Labs.

The fraud prevention firm analyzed over 150 billion transaction requests across 254 countries across the 12-month period to compile its latest report, The 2022 State of Fraud and Account Security.

It found one in four newly created accounts were fake, one in five logins was an account takeover (ATO) attempt and a fifth (21%) of all traffic was linked to fraud.

ATOs are commonly used to steal personal and financial data or launch phishing attacks. Fraudulent new accounts could be used for “inventory hoarding, content scraping and sending spam and phishing messages,” according to Arkose Labs CEO and founder, Kevin Gosschalk.

“As expected, businesses that hit high-growth periods in 2021 saw an increase in attack. For example, gaming saw sky-high attacks in 2020 but leveled off in 2021, which led to attacks dispersing across other industries,” he told Infosecurity.

“Online media and entertainment continued to grow in popularity, bringing more in-platform spam and scam attacks. Attackers flocked to the travel industry to take advantage of scraping and inventory hoarding opportunities as the world shifted more toward post-pandemic normalcy.”

Driving most of these attacks is the use of intelligent, automated bots. Arkose Labs claimed that today’s bot signatures are three times more complex than those of previous years, making it even harder to discern real human behavior imposters.

Some 86% of attacks in 2021 were linked to bots, while bot-driven credential stuffing attempts peaked at 76 million per week. The Black Friday/Thanksgiving month of November was the worst hit.

The worst attacked sectors in the UK in 2021 were online gaming, accounting for 46% of all attacks, then social networks and online streaming sites, which comprised a third of malicious activity

The Russian authorities are claiming to have arrested a third cybercrime group following previous high-profile detentions.

The six individuals were detained in different regions of the country and have “special knowledge in the field of international payment systems,” a source told the state-run TASS news agency.

They are suspected of committing vaguely worded technology and online-related crimes. However, the report claimed that the Ministry of Internal Affairs is asking Moscow’s Tverskoy Court to detain the six under part two of article 187 of the Criminal Code of the Russian Federation.

This relates to making counterfeit cards and other payment “documents” by an organized crime group. That makes it likely they are involved in payment fraud or other parts of the cybercrime supply chain, like carding forums.

According to the report, the detained are Denis Pachevsky, general director of Saratovfilm Film Company; ‘entrepreneur’ Alexander Kovalev; Transtechcom employee, Artem Bystrykh; Get-net employee, Artem Zaitsev; and two people described as unemployed, Vladislav Gilev and Yaroslav Solovyov.

The news follows two major cybercrime busts since the start of the year in a country known for turning a blind eye to law enforcement in this area.

The first involved 14 alleged members of the REvil group, or at least its affiliates. The second, just over a week later, was of four suspected members of the infamous InFraud group, including its alleged founder Andrey Novak.

During its seven-year reign, the latter group reportedly made as much as $568m by running a popular marketplace for carders.

Although there are no signs Russia is planning to extradite any of these individuals if found guilty, the REvil raid, in particular, appears to have been conducted with intelligence and cooperation from US law enforcers, which is a rarity.

However, some commentators have suggested the arrests are more of a propaganda stunt by the Russian state and that its basic strategy remains the same: allowing cybercrime to flourish in the country as long as it’s directed at foreign victims.

Meta has said that it “will likely” stop Facebook and Instagram from operating in Europe unless the company is allowed to transfer, store and process Europeans’ data on servers based in the United States.

The possibility of the social media networks being withdrawn from the continent was included in Meta Platforms, Inc.’s annual report to the US Securities and Exchange Commission on Thursday.

Meta claimed that processing user data transnationally was vital for its business and targeted advertising. 

The company said: “​If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services, the manner in which we provide our services or our ability to target ads.”

Previously, Meta operated under an EU-US data transfer framework named the Privacy Shield, but the European Court of Justice invalidated the treaty in July 2020 over data protection violations. While a successor arrangement to the Privacy Shield remains under negotiation, companies in the United States have had to execute standard contractual clauses (SCCs) to send or receive data to the EU. 

In August 2020, a draft decision from the Irish Data Protection Commission (IDPC) preliminarily concluded that Meta Platforms Ireland’s reliance on SCCs in respect of European user data does not achieve compliance with the General Data Protection Regulation (GDPR). 

In light of this finding, the IDPC proposed that such transfers of user data from the EU to the US should be suspended. A final decision in this inquiry is due to be issued in the first six months of 2022. 

Meta stated in its report that: “If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations.”

Publishing company News Corp has disclosed that it was the victim of a cyber-attack last month.

Threat actors compromised email accounts belonging to journalists and other employees at the company, which Australian-born American media tycoon Rupert Murdoch owes. 

In an email sent to staff members on Friday and viewed by The New York Times, News Corp’s chief technology officer David Kline wrote that “a limited number” of email accounts and documents belonging to News Corp headquarters, News Technology Services, Dow Jones, News UK and The New York Post had been impacted by the incident. 

The security incident was discovered on January 20. It was reported to the relevant authorities and is now being investigated by US law enforcement and by cybersecurity firm, Mandiant.

Kline wrote that the attack is believed to have originated from outside the United States. 

“Our preliminary analysis indicates that foreign government involvement may be associated with this activity, and that some data was taken,” wrote Kline. 

“Mandiant assesses that those behind this activity have a China nexus and believes they are likely involved in espionage activities to collect intelligence to benefit China’s interests.”

Commenting on the attack, iboss CEO Paul Martini said: “This is an early example of what we believe will be a broader escalation of cyber-attacks by nation-state actors in the coming year.

“Just days ago, the FBI labeled Chinese cyber aggression more ‘brazen and damaging’ than ever before and we’re seeing that play out in real time.”

Martini conjectured that the attack was part of an “intelligence gathering campaign that could have broader impacts on US journalism and politics for years to come.”

Liu Pengyu, a spokesman for the Chinese Embassy in Washington, reportedly wrote in an email: “We hope that there can be a professional, responsible and evidence-based approach to identifying cyber-related incidents, rather than making allegations based on speculations.”

Tripwire’s VP of strategy, Tim Erlin, commented: “Cyber-attack attribution is extremely difficult, and while the casual reader may draw the conclusion here that China is responsible (which may be true), it’s worth noting the language that Mandiant uses. 

He added: “The term ‘China nexus’ and the phrase ‘benefit China’s interests’ are both ways of softening the conclusion. In these types of reports, language matters.”

The Washington State Department of Licensing (DOL) has shuttered its Professional Online Licensing and Regulatory Information System (POLARIS) after detecting suspicious activity. 

POLARIS stores information about license holders and applicants. The type of information varies for different licenses and may include Social Security numbers, dates of birth, driver license numbers and other personally identifying information (PII).

In a statement posted to its website, the DOL said it became aware of unusual goings involving professional and occupational license data during the week commencing January 24 2022. The decision was taken to shut down POLARIS as a precaution while the activity was investigated.

The department said the Washington Office of Cybersecurity was assisting in the safe recovery of the system and in the investigation to determine whether a data breach had occurred. 

“At this time, we have no indication that any other DOL data was affected, such as driver and vehicle licensing information. All other DOL systems are operating normally,” stated the DOL.

It added: “With the support and assistance of nationally recognized cybersecurity experts, we are investigating what happened and what data and people may be affected.”

The department has created an Intent to Renew form to help those professionals who have tried to renew their licenses while POLARIS is down. A call center was set up on February 4 to answer questions by individuals who were impacted by the outage.

DOL has said it will not act against individuals whose license expired while POLARIS was inaccessible.

The department issues over 40 types of licenses. These include driver and vehicle licenses and professional licenses for cosmetologists, real estate brokers, architects, driving instructors and bail bondsmen. 

DOL said that the security incident only appeared to potentially impact professional and occupational license data.

“At this time, we are not aware of any suspicious activity involving other DOL systems, such as the driver and vehicle licensing system (DRIVES),” stated the DOL.

“DRIVES is operating normally. We are monitoring all our systems very carefully.”

The department said it will notify any individuals whose personal data was accessed during the incident and provide them with “further assistance.”