The Gately Report: Deduce Attacking AI-Driven Identity Fraud

CF: Who out there is vulnerable and who are these bad actors focusing on?

Ari Jacoby: All consumers who have credit cards and bank accounts, and viable credit histories are vulnerable, so you’ve got to be diligent. You have to check your credit reports, your Experian or whatever you have. And it's wise to use a password manager. It's wise to put multifactor authentication (MFA) on your accounts because all of us in the transactional U.S. population … are of interest to these increasingly sophisticated fraudsters.

CF: How do you know if you’re a victim? It sounds like by the time you find out, it’s too late and the damage is done.

AJ: You're 100% right because if you're a sophisticated, organized crime actor and you've deployed an AI-driven machine to go steal, it's not like you sign up for a loan and you put someone’s name and [email protected]. Of course you wouldn't do that because then you'd be tipped off that that's a problem. So you're going to use a phony baloney email address and that kind of thing. So you have to be vigilant, and monitor your credit reports and your credit history.

That’s where a service like Deduce gets involved in stopping some of this economic violence. We see over 1.5 billion regular, ordinary, everyday transactions in America every day. So if a bad actor pretending to be you tries to get credit in your name but doesn't use your email address, Deduce is going to catch them. We know the established patterns that equate to trust and any deviation, any anomaly, anything out of the ordinary, we're going to catch them. It takes AI to beat AI, and you can't know unless you have massive data sets. There's no such thing as AI with micro data sets. You’ve got to be able to see the transacting U.S. population with a lot of recency and a lot of frequency to be able to detect that kind of strange pattern as it pertains to me or you. So that's more or less what Deduce does.

CF: When you talk about the transactions that Deduce monitors, are you talking about just your customers’ or is it bigger than that?

AJ: It's both. We obviously see a lot of customer transactions and that contributes to this strong and overarching view of what's happening across transactional America. And then we reinforce those transactions with a broad array of other transactions that we bring in from a variety of groups who send us that data so that we can use data for good and eliminate a lot of this fraudster activity.

CF: What does Deduce have to offer integration partners, OEMs and resellers?

AJ: A very significant part of our business is channel and resale. It could very well be the case that integrators become a big deal for us as well. That part of our business is growing very rapidly. We do a heck of a lot of OEMing, or what I would call white-labeling. There are many classes of companies that offer services in the identity-meets-fraud world.

There are many kinds of identity verification providers, document verification providers, behavioral biometrics companies and phone-based risk checks. There are many of these kinds of companies that want to augment their core offering with signals that will prevent AI-driven fraud. It's become such a problem that everyone wants to go to solve the problem. So we will white-label or OEM to many companies. And that's a big and fast-growing part of our business.

We also have strong resale or reseller programs that we offer. Specifically, we've gotten good at figuring out the training component for the sales team. We offer co-branded media and marketing content, and then we obviously have the ability to isolate particular deals and particular regions, or by name and who sourced the leads. We have the proper tooling around that now so we make for a good channel partner. You can't take that lightly. It sounds good in theory to have a channel program, but the execution matters the most so we are focused on being a quality channel partner, representing a quality product where sales teams are well trained, where there's terrific and dynamic customer support, and there's deal logging, all of those things and healthy economics as well with good incentives in place. And that's been a fast driver for us as well.

CF: What sort of growth are you seeing in your partner ecosystem? What’s driving that growth?

AJ: Over the last year, it's probably up 250% or more ... and that’s representative of the first half of the year. The driver is the right place at the right time. Deduce is a five-year-old company, and we've been screaming from the hilltops about AI-driven fraud. All of a sudden Sam Altman and OpenAI start to show the world the good side of the coin, what happens for you personally and professionally if you allow AI to create efficiencies, which opens the door for us to expressly describe the dark side of AI. And it seems like we have a relatable story, because when we say things like AI-driven fraud has been going on for the past couple of years, but has been misclassified, people say, "Yes, we do have a bucket of fraud and, gee, how did that happen? We don't know how we got beat, but we got beat." And I'm here to tell you it was AI-driven fraud.

So the way that matters for the channel is big companies and small companies, from your biggest resellers and integrators, down to your MSPs in the cybersecurity market or MSSPs, are saying, "My customers are asking about this, but I don't have a solution; where am I going to go get one?" There are very few companies that are competent to solve this problem. We've spent the past five years and tens of millions of dollars on the R&D to make fighting AI-driven fraud something that we'd be successful at, and now we can extend that to quality partners so that they can service their customers and earn a living doing so.

CF: Does Deduce work with MSPs and MSSPs?

AJ: Not yet. We would very much like to work with that group. Our OEM and channel partners these days are substantially larger, without naming names, some of the biggest credit bureaus, some of the biggest identity verification companies, biometrics companies, very big recognizable names. If they're offering AI-driven fraud solutions, it may very well be the case that we are underpinning them.

CF: Is the evolving threat landscape impacting your business, product and channel strategies? If so, how?

AJ: I think the evolving threat landscape is the reality of our business. There would be no Deduce if there was no AI-driven fraud. Deduce has been around longer than people have uttered the expression "AI-driven fraud." We began by stopping regular fraud for financial services companies in the new account-opening workflow. We're still focused on new account opening workflow, but it's only the past year-plus that we talk about AI-driven fraud, and we talk about a super synthetic fraud as a result of AI-driven fraud. I think the market is waking up to this reality and we're smack dab in the middle of it.

CF: What do you find most surprising and dangerous about the current threat landscape? For example, we don’t know what AI will be capable of down the road.

AJ: That statistic of an identity crime happens in this country every 22 seconds is going to be shortened to less than 22 seconds. Almost everybody you know is going to be impacted at some point by this. What's scary is we use the phrases identity crime and identity fraud, but let's call it what it is. It's economic violence. It can substantially alter the quality of life for another human being who can't get that apartment or that house that she needs to rent, or can't get credit for the tuition that her children's school needs, or can't put enough food on the table, and who doesn't have enough time in her life to spend hundreds of hours rectifying the situation. If that's not scary, I don't know what is.

CF: What can partners expect from your company in the months ahead?

AJ: I think you're going to see a lot more channel and OEM deals from Deduce specifically. We're a company that very much wants to be in the channel and OEM space, and we're very much open for business in that capacity.

In other cybersecurity news …

Dallas County, Texas, has notified individuals impacted by an October ransomware attack by the Play ransomware gang.

According to Bleeping Computer, the county is notifying over 200,000 people that the attack exposed their personal data. Play added Dallas to its extortion portal on the dark web, threatening to leak data it stole during an attack on its systems. That includes private documents from various departments.

“The county might hold information about individuals for several reasons: they could be a resident, an employee, or they might have received services from or interacted with one of our agencies (e.g., Department of Health and Human Services),” the county said in its latest update. “Additionally, the county participates in data-sharing agreements with other organizations to enhance the services we offer to our residents and the public.”

The exposed information includes Social Security numbers, dates of birth, driver’s licenses/state identification numbers; and taxpayer identification numbers. For some individuals, certain types of medical information and health insurance information may be involved.

Upon discovering the attack, the county took several actions. Those include deploying an endpoint detection and response (EDR) tool across servers and endpoints connected to its network, forced password changes for all users to grant access to its systems, and blocked ingress and egress traffic to IP addresses identified as malicious, among others. It also engaged external cybersecurity experts to investigate the nature and scope of the incident, and conduct a comprehensive investigation to determine what information was involved.

Nick Tausek, lead security automation architect at Swimlane, said ransomware attacks on state and local governments have lasting effects on victims.

Swimlane's Nick Tausek

“For this attack, in particular, it took Dallas County over eight months to notify individuals,” he said. “It is important for governments to prioritize a proactive cybersecurity approach, incorporating a comprehensive, layered defense.”

Andrew Costis, chapter lead of the adversary research team at AttackIQ, said the Play ransomware group, also known as Playcrypt, has targeted a wide range of businesses and critical infrastructure in North and South America, and Europe since its discovery in June 2022. Play employs a double-extortion model, encrypting systems after exfiltrating data and informing victims to contact the threat actors via email. 

“Dallas has faced multiple cybersecurity incidents over the past year by various ransomware groups,” he said. “While the proactive security measures that Dallas County has implemented are a good start, it is important to continuously validate the effectiveness of their security program performance. This stands as a reminder for other local governments across the country to do the same. Using the known tactics, techniques and procedures (TTPs) from Play, security teams can assess their security posture, and validate detection and prevention methods against a playbook similar to those of many threat groups.”

Malwarebytes is warning of a new malvertising campaign that poses a threat to the channel, specifically MSPs.

The new malvertising campaign is aimed at IT staff, specifically computers running .rdp, TeamViewer, Anydesk, VMC, LogMeIn and PuTTY. The malware only deploys and sets the stage for ransomware if the computer has these programs installed.

The channel, specifically MSPs, need to know about this as they often have these programs to manage their customers' environments.

Malwarebytes details the threat in a blog. 

Jérôme Segura, Malwarebytes' senior director of threat intelligence, said IT staff at MSPs typically use network monitoring tools as part of their daily job – it's their access point to help navigate the technology and cyber issues of their customers.

Malwarebytes' Jérôme Segura

“However, I discovered a unique malvertising scheme this week specifically targeting people in these roles,” he said. “Threat actors are poisoning Google ads with sponsored search results that look legitimate even to the trained eye. Instead of leading to the needed solution, they redirect to decoy pages that host malicious payloads disguised exactly as well-known network admin tools. MSPs need to be on the lookout for threats like this and make sure they source software downloads from trusted locations only.”  

Malwarebytes is warning of a new malvertising campaign that poses a threat to the channel, specifically MSPs.

The new malvertising campaign is aimed at IT staff, specifically computers running .rdp, TeamViewer, Anydesk, VMC, LogMeIn and PuTTY. The malware only deploys and sets the stage for ransomware if the computer has these programs installed.

The channel, specifically MSPs, need to know about this as they often have these programs to manage their customers' environments.

Malwarebytes details the threat in a blog. 

Jérôme Segura, Malwarebytes' senior director of threat intelligence, said IT staff at MSPs typically use network monitoring tools as part of their daily job – it's their access point to help navigate the technology and cyber issues of their customers.

Malwarebytes' Jérôme Segura

“However, I discovered a unique malvertising scheme this week specifically targeting people in these roles,” he said. “Threat actors are poisoning Google ads with sponsored search results that look legitimate even to the trained eye. Instead of leading to the needed solution, they redirect to decoy pages that host malicious payloads disguised exactly as well-known network admin tools. MSPs need to be on the lookout for threats like this and make sure they source software downloads from trusted locations only.”