Over 75 per cent of malware available on the dark web is available for under $10 and organisations must respond; urges biometric verification and authentication technology provider, iProov.
Digital identities and biometric face verification are becoming rapidly more widely adopted by organisations to ensure user-friendly security. However, as adoption has grown, so has the number of online attacks targeting these systems. In the first iProov ‘Biometric Threat Landscape 2023 Report‘ to be released, the authentication company looked to understand and explain biometric threat trends and patterns throughout 2022.
Malware is too cheap and easy to use
‘Digital injection’ attacks are one type that has quickly emerged as a danger to biometric verification systems. In these attacks, a malicious actor bypasses a camera feed to trick a system with synthetic imagery and video recordings.
Digital injection attacks occurred five times more often than persistent presentation attacks (simply showing a photo or mask to the system). The high frequency of attacks highlights both how easy it is to automate, and how readily available malware is.
Over 75 per cent of malware available on the dark web is available for under $10. With the rise of malware-as-a-service and plug-and-play kits, iProov estimates that only around three per cent of threat actors are advanced coders.
Mobile platforms also appear to have become more vulnerable in 2022. This development is thanks to the greater emergence of emulators which mimic the behaviour of mobile devices.
The iProov report reveals a 149 per cent increase in threat actors targeting mobile platforms in the second half of the year compared to the first. The report warns organisations against relying on device data for security in light of these findings.
Andrew Newell, chief scientific officer at iProov, commented on these findings. He said: “The 149 per cent increase in attacks using emulators posing as mobile devices is a good example of how attack vectors arrive and scale very quickly.
“We have seen a rapid proliferation of low-cost, easy-to-use tools that have allowed threat actors to launch advanced, scalable attacks with limited technical skill.”
The use of deepfake technology also rose in 2022. The biometric threat report found that cyberattackers are creating 3D videos to trick systems.
2022 also saw the first uses of a new type of synthetic digital attack ‘novel face swaps’. The attacks combine existing video or live streams and superimpose another identity over the original feeds in real time.
iProov saw first saw the attacks in H1 2022; with its use rising throughout the year. After emerging in the first half of 2022, novel face swaps rapidly grew by 295 per cent from H1 to H2. These attacks are incredibly challenging to detect for both active and passive verification systems.
Andrew Bud, founder and CEO of iProov, explained the need for organisations to protect themselves. Bud said: “In 2020, we warned of the emerging threat of deepfakes being digitally injected into camera feeds to impersonate an individual’s biometric verification process.
“This report proves that deepfake attacks are now a reality. Even with advanced machine-learning computer vision, systems are struggling to keep up in detecting and triaging these evolving attacks.
“Any organisation that isn’t protecting its system against these threats needs to do so urgently, especially in high-risk identity verification scenarios.”