
Anatomy of an Attack

Every year, companies lose $100 billion to online fraud. In this deck, we detail an actual online attack by fraudsters on a prominent gaming website and how Kount identified and prevented fraudulent transactions.

Published in: Technology, Business

  1. Anatomy of an Attack
  2. The Attack (KOUNT CONFIDENTIAL & PROPRIETARY)
     1. On December 27, 2012, a global top ten gamer website experienced a dramatic increase in the number of declined orders.
     2. The decline rate went from the average of under 5% to over 35%.
     3. Kount detected and stopped a BOT attack that was attempting to infiltrate and fraudulently purchase goods on the website.
     4. The attack lasted approximately three days.
     5. During the attack and once the attack was over, the company’s website responded normally, as if nothing happened.
  3. The Attack: This line represents the upper limit of declines. This is calculated daily based on a 14-day trailing average of daily variations to 99%. Generally, this line is 3 standard deviations from the “decline mean” rate.
  4. The Attack: This line represents the lower limit of declines. This is calculated daily based on a 14-day trailing average of daily variations to 99%. Generally, this line is 3 standard deviations from the “decline mean” rate.
  5. The Attack: This line represents the decline rate mean. This is calculated daily based on a 14-day trailing average of daily variations to 99%. The decline rate averages between 3% - 6% based on rules applied by Blizzard.
  6. The Attack: This line represents the actual decline rate.
  7. The Attack: Note: since these lines are created from a 14-day trailing average, we see them increase as a result. These will return to normal ranges in time.
  8. The Attack
     • This line represents actual # of approvals daily.
     • This line represents actual # of declines daily.
     • This line represents actual # of reviews daily.
     • Spike in sales on Christmas day, expected activity.
     • No increase in declines, also expected activity.
     • Spike in declines over the next three days without corresponding increase in sales, unexpected, unusual activity.
  9. The Attack: Declined orders

     | RANK | EMAIL | # TRANSACTIONS |
     |------|-------|----------------|
     | 1 | XUNAN1978@LIVE.COM | 4762 |
     | 2 | DIABLOJINKA@LIVE.COM | 1349 |
     | 3 | PEDERAKIS22@LIVE.COM | 1243 |
     | | Total | 7,354 |

     The attack was centered around three main email addresses which may indicate that a “bot” was running from hijacked or dedicated machines…
  10. The Attack

      | RANK | IP ADDRESS | TRANSACTIONS |
      |------|------------|--------------|
      | 1 | 79.126.163.185 | 5739 |
      | 2 | 79.126.172.135 | 1628 |
      | | Total | 7,367 |

      …and only two IP addresses
  11. The Attack: Each dot represents the number of attempts made per minute, sometimes averaging nearly two and a half attempts per second. This line represents the running average of attempts per minute.
  12. The Attack: From the email address XUNAN1978@LIVE.COM:

      | # | TRANSACTION DATE/TIME | TRANSACTION COUNT |
      |---|-----------------------|-------------------|
      | 1 | 12/27/2012 1:31:00 PM | 108 |
      | 2 | 12/27/2012 1:32:00 PM | 71 |
      | 3 | 12/27/2012 1:33:00 PM | 100 |
      | 4 | 12/27/2012 1:34:00 PM | 41 |
      | 5 | 12/27/2012 1:35:00 PM | 85 |
      | 6 | 12/27/2012 1:36:00 PM | 114 |
  13. The Attack: Where did these “orders” originate? Macedonia
  14. The Result: Kount responded to this attack exactly how it was designed.
      • Detected the fraud, in real-time
      • Stopped the fraud, in real-time
      • Reported the fraud
      • Protected the customer
      • Kept exposure to fraud and fraud losses to ZERO $$$
      • All done automatically, without interrupting normal business activity
      • This type of fraud could not have been detected using old, look-up technology
  15. Case Study – CDBaby: Situation
      • World’s largest online distributor of independent music
      • Helps artists sell to iTunes, Amazon and Facebook
      • Paying out 75% commissions
      • Over $200 million in commissions paid
      • Fraudulent artists & affiliates
      • Chargebacks/Fraud 2.5%+, $26,000 lost in one month
      • Reputation at stake with some partner brands
  16–19. Case Study - CDBaby (one diagram, built up one step per slide)
      1. Fraudster posing as an artist posts music for sale on CDBaby.com
      2. Fraudster joins CDBaby affiliate program, receives 75% commission
      3. Using stolen credit information, Fraudster purchases music from affiliate (Fraudster)
      4. Pays royalty to artist; pays commission to affiliate (75%); pays fines, chargebacks
  20. Case Study - CDBaby
      • Reduced fraud by 96%
      • Results in less than 30 days
      • Fraud losses average $850/mo.
      • NO loss in revenue
      • Enhanced marketing opportunities
      • Great relationship with iTunes
  21. Questions: Don Bush, VP, Marketing, Kount, 208.489.3346, don.bush@kount.com
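
The decline-rate bands described in slides 3 to 7, as an added example that is not Kount's code: it reads the slides as a 14-day trailing mean with limits 3 standard deviations either side, and shows the effect slide 7 notes, where attack days pulled into the trailing window raise the limits. The daily rates are constructed, and `freeze_on_alert` is an assumption added here that goes beyond the slides.

```python
from statistics import mean, stdev

WINDOW = 14  # trailing days used for the baseline, per slides 3-5
SIGMAS = 3   # band half-width in standard deviations, per slides 3-4

# Constructed daily decline rates (fraction of orders declined): 14 normal
# days, three attack days, two normal days, a smaller spike, one normal day.
RATES = [0.040, 0.050, 0.045, 0.038, 0.052, 0.047, 0.041,
         0.055, 0.049, 0.043, 0.046, 0.051, 0.039, 0.044,
         0.360, 0.380, 0.350, 0.045, 0.050, 0.120, 0.046]


def control_limits(history):
    """(lower, mean, upper) over the last WINDOW days of decline rates."""
    window = history[-WINDOW:]
    m, s = mean(window), stdev(window)
    return max(0.0, m - SIGMAS * s), m, m + SIGMAS * s


def scan(rates, freeze_on_alert=False):
    """Score each day after the warm-up window against the trailing limits.

    freeze_on_alert is an assumption added for this example: alerting days
    are kept out of the baseline so an attack cannot widen the bands.
    Returns a list of (day_index, rate, upper_limit, alert).
    """
    baseline = list(rates[:WINDOW])
    results = []
    for day in range(WINDOW, len(rates)):
        lower, _, upper = control_limits(baseline)
        alert = not (lower <= rates[day] <= upper)
        results.append((day, rates[day], round(upper, 4), alert))
        if not (alert and freeze_on_alert):
            baseline.append(rates[day])
    return results


def alert_days(rates, freeze_on_alert=False):
    """Day indexes whose decline rate fell outside the limits."""
    return [day for day, _, _, alert in scan(rates, freeze_on_alert) if alert]


if __name__ == "__main__":
    for freeze in (False, True):
        print("freeze_on_alert =", freeze)
        for day, rate, upper, alert in scan(RATES, freeze):
            print(f"  day {day:2d}  rate {rate:.3f}  upper {upper:.4f}"
                  f"  {'ALERT' if alert else ''}")
```

On this constructed data the plain trailing window alerts on the first two attack days only, because those days lift the upper limit above both the third attack day and the later 12% spike; keeping alerting days out of the baseline flags all four.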
