The holiday season of 2022 was an active one for fraud. It stood out, not just in the context of the year but compared to other holiday seasons. For many fraud teams, it will evoke memories of stress and disbelief as fraud fighters battled some of the most coordinated and well-planned fraud attacks in years.
For me, it will be the year of the bullet we dodged without realizing it. The reasons for this have turned out to be fascinating, with valuable lessons about the future of online fraud and fraud attacks.
Holidays 2022: The Season of the Master Manipulators
In the 2022 holiday season, merchants across the U.S. started seeing a large fraud ring attacking in a sophisticated manner and at scale.
The fraudsters had a multi-staged attack process, first trying guest checkout, then, if unsuccessful, moving to ATO before attempting to manipulate Customer Support if ATO was difficult, and so on. The attacks on merchants weren’t even the first step in the scheme; many attacks were triangulation-based, so the start of the attack was online marketplaces and what looked like legitimate independent stores.
The attackers had worked out ways to get around shipping address validation, including simple but effective techniques like writing the numbers as words, putting part of the address in the “name” field, using non-ASCII characters, etc. They started being referred to as “the Master Manipulators” by the group of retailers brought together by Karisse Hendrick to identify and fight the attacks — because they were so good at manipulating a business’ processes, fields, and procedures.
If you’re a U.S.-based physical goods merchant, you’re probably familiar with the attack already. If you’re outside the U.S. or not in physical goods, this is worth knowing about so you can protect your business if the Manipulators try to hit you next.
A lot was going on during the holiday season. But I didn’t see any of this. The first I heard of it was from industry experts and peers. Which led me instantly to the question: why weren’t Forter’s customers being attacked?
The answer turned out to be fascinating.
Researching “Phase Zero”
When the Master Manipulators struck big in the holidays, it was clear they’d been preparing for the attack for some time. They knew how individual retailers’ protections and standard processes worked and where vulnerabilities might be. They even had plans to step up the attack when an initial wave had been identified and blocked.
To get that good — and that knowledgeable — they needed practice. As I’ve discovered, they practiced until they were click-perfect — starting their research against sites whose goods they didn’t want. And they started well before the holidays. They kicked off this campaign back in August.
They were trying to steal food.
Peeling Back the Layers
At the time, the discovery of a complex fraud ring attempting thousands of orders to multiple orders across the USA was simply interesting. If you’ve worked with fraud analysts for long, you’ll know that there are few things we love more than untangling a clever scheme, admiring the cunning that goes into it, and shutting it down.
Since this was in August, which is often quite quiet in most industries, there was time to appreciate the skill involved, analyze everything to death, and move on. In hindsight, though, many of the details we uncovered then were significant in foreshadowing the attacks that were to come — and pointing to some important factors about this group as we move into a new year.
- Address manipulation: Even in August, they tried different ways of getting around address verification tools and techniques. We say them adding gibberish or text (“delivery to my home”) before the actual ship address in the ship address field, avoiding using numerals, and so on — in a clear attempt to prevent linking multiple orders sent to the same ship address.
- The geographical element was easily visible in these early attacks: The addresses used to receive the goods ranged from private residences to commercial buildings, but the overwhelming majority had a connection to a country in southeast Asia. In some cases, the private addresses turned out to be the address at which the Asian country’s corporations were headquartered (on paper, at least). In others, the commercial addresses had southeast Asian reshippers operating at the address. And in one particularly odd case, there was a private residence with a southeast Asian restaurant across the street. Shell corporations? Fronts for illicit business? Legitimate businesses and residences coerced into helping a local crime gang? Who knows — but probably some of all of the above.
- They were trying to steal the strangest things: Across grocery and delivery companies, the most sought-after goods in this attack were fruits and vegetables, followed by snack bars, ice cream bars, dishwasher tablets, and diapers. In retrospect, this makes sense — it’s the physical goods equivalent of card testing. They didn’t want to burn the bridge on stores they planned to attack seriously in the holidays, so they tested goods and stores where that wouldn’t be a concern. We suspect they also used any successful thefts to contribute to their larders while setting up the mule and shipping operation in the USA. Fraud is hungry work.
- They experimented: There were lots of low-dollar orders, some mid-range value orders, and smaller numbers of high-value orders. They tried different stores, different states, and different addresses. Not all this information would directly apply to other industries once they shifted across, but much of it is. And it’s all good practice for the fraudsters running the attacks.
- They disappeared: From the analysts’ perspective at Forter, this is what happened. The Manipulators decided in the fall that it was too difficult to keep attacking, so they went away. We didn’t realize the significance of this at the time as all fraudsters do this eventually; it’s a simple ROI calculation. Fraudsters want maximum value for minimum effort. With the Manipulators, though, it was a sign of their extraordinarily streamlined attack. Retailers saw this play out in the holidays; they’d attack to the precise degree necessary to get past a merchant’s defenses but not invest any extra effort beyond that. When a new block was put in their way, they’d do just enough to get around it — until it became too difficult, when they’d move on.
In short, many signs of what would become a high-scale attack were all there in its infancy. So what does this have to teach us about the future of online fraud attacks from this group or other rings?
The Significance of the Test Attack
- Address manipulation: If you’re still relying on traditional methods of address manipulation like AVS, you need to reassess and ensure your systems are hardened against attacks designed to bypass exactly these tools (typically by avoiding using numbers in the address fields).
- Time to upgrade traditional tools: The Master Manipulators were patient and clever. They worked out which merchants would be tripped up by their address trickery and doubled down on their attacks against those merchants. It was addresses this time; it’ll be something else next time. Use the time early in the year to review your tools and systems, and make sure you’re not overly reliant on traditional and well-known methods like this. If they’re well-known to the fraud prevention community, the fraudsters know them too. It’s time for a refresh.
- Go layered: The Master Manipulators succeeded during the holidays partly because their attack had so many layers. Guest checkout doesn’t work? Try ATO. Is this address no good? Try this one. Can’t change the shipping address inside an account? Call customer service. And so on. Your fraud protection needs to be layered in the same way. Think like a fraudster to catch a fraudster.
- Assume attacks can come at scale: Triangulation wasn’t a form of fraud I’d spent much time worrying about until now. I appreciated the elegance of the format, but it always seemed naturally limited in scale due to the amount of work involved to make it run smoothly. The Master Manipulators have shown us that anything can scale. If the speculation about them using victims of human trafficking to achieve this scale is accurate, there’s a nasty truth behind the method. What fraud fighters need to understand is that it can apply to any fraud attack, technique, and scam.
- Don’t get complacent in the summer: There used to be quiet times of the year (though when these are depends on your industry.) Now, you have to assume that all year is a fraud fest from the fraudster’s perspective. Track attacks and zero in on their identifying details. If the southeast Asian element of the Manipulators’ attack had been widely known from the summer onwards, that would have been a helpful hint in identifying suspicious orders when the attack scaled up. Assume the ring attacking today might be huge tomorrow, and investigate them accordingly. I’m exceptionally grateful we did that with the southeast Asian fraud ring in the summer — otherwise, we’d have been hit by the Manipulators in the holidays, too.
- Make sure you’re benefitting from a 360 view of fraud attacks: Across businesses, industries, and geographies. The Manipulators banked on the fact that they could start small in certain industries and that this wouldn’t prevent them from hitting other industries successfully using the lessons they’d learned. They were wrong about this with Forter, as it turned out, which is why from our perspective, the southeast Asian group from August disappeared, and we never saw the Manipulators in the holidays. Whether you tap into a platform with a large network of diverse companies, invest in regular discussion groups with peers in the industry, or join a messaging group of peers sharing details of the latest attacks — you have to be able to see the big picture, or you won’t be able to protect yourself.
It’s been fascinating putting the pieces together to connect the southeast Asian ring from August to the Master Manipulators that drove fraud fighters crazy in the holidays. Looking back, I can see that all the pieces were already in place and that all the Manipulators needed was practice. After their holiday successes, I hope they’ve moved on to new challenges far away from online fraud. If not, we’ll keep our guard up, just in case.
Forter is the Trust Platform for digital commerce. We make accurate, instant assessments of trustworthiness across every step of the buying journey. Our ability to isolate fraud and protect consumers is why Nordstrom, Sephora, Instacart, Adobe, Priceline, and other leaders across industries have trusted us to process more than $500 billion in transactions. Click here to learn more.