The Queensland University of Technology design graduate is wary of celebrating Arkose’s growth, as Gosschalk said it resulted from his customers being “under siege” from cybercrime which is more organised than ever before.
“About 80 per cent of the attack traffic we see now comes from what I call cybercrime-as-a-service businesses, which are purpose-built to make attacks,” he said.
Gosschalk said cybercrime-as-a-service enterprises, hardly heard of 18 months ago, had dramatically lowered the barriers to entry for would-be online fraudsters.
In Australia this week to visit the 200-plus staff at Arkose’s Brisbane engineering hub, Gosschalk noted how quickly fraudsters had been able to mass-email Optus customers with a false promise of financial compensation for Wednesday’s outage, and a malicious link aimed at accessing their bank account.
“Anyone off the street can now subscribe to these one-stop shops of cybercrime, where they’re buying the stolen credentials, and the bots or ransomware to exploit them. It’s immediate and it’s way up-to-date with what we are doing to fight against it.”
Fraudulent requests against Arkose’s customers had risen 121 per cent in the June quarter over the March quarter this year, and Gosschalk said new threats were emerging all the time. OpenAI, the provider of ChatGPT, has just started using Arkose to stop bots “scraping” its data, which criminals have discovered has significant resale value for use in training all sorts of machine learning models.
A major cybercrime-as-a-service which Gosschalk has seen emerge on the dark web in the past year is EvilProxy. It appears to be based in Turkey and sells “phishing kits” that allow hackers to circumvent two-factor authentication, by intercepting the codes sent to their victims’ phones.
Arkose can shut down such attacks by requiring a proprietary token to be submitted alongside a texted code. However, Gosschalk admitted it was becoming harder to detect whether a login attempt was coming from a bot, or perhaps a human in an overseas fraud farm.
“It used to be that if a bot made a million requests, there’d be something pretty obvious about those million requests – they’d have a very similar device fingerprint, or they’d all be coming from the same region or in the same language,” he said.
“Now, these cybercrime platforms will sell the bad actors things like geographic proxies, so the target still sees a huge increase in traffic but those extra million requests are blended to look almost perfectly human.”
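To make the two situations Gosschalk describes concrete, the following is an added example (not Arkose’s code and not from the article) that scores a one-minute window of login requests on volume and on how homogeneous its device fingerprints, regions and languages are. The request records, the baseline rate and the thresholds are all constructed assumptions.

```python
from collections import Counter

# Assumed normal login rate for a hypothetical site (constructed value)
BASELINE_PER_MINUTE = 100


def obvious_bot_burst(n):
    """Constructed burst: one fingerprint, one region, one language for every request."""
    return [("fp-a1", "XX", "xx-XX")] * n


def proxied_burst(n):
    """Constructed burst of the same size, but identity and geography rotated via a proxy pool."""
    pool = [("AU", "en-AU"), ("US", "en-US"), ("DE", "de-DE"), ("BR", "pt-BR"), ("JP", "ja-JP")]
    return [(f"fp-{i:04x}",) + pool[i % len(pool)] for i in range(n)]


def top_share(values):
    """Fraction of requests held by the single most common value (1.0 means all identical)."""
    counts = Counter(values)
    return counts.most_common(1)[0][1] / len(values)


def assess(requests, baseline=BASELINE_PER_MINUTE, homogeneity=0.9, spike=5.0):
    """Return which detection signals fire for a window of (fingerprint, region, language) records."""
    fingerprints = [r[0] for r in requests]
    regions = [r[1] for r in requests]
    languages = [r[2] for r in requests]
    return {
        "volume_spike": len(requests) / baseline >= spike,
        "same_fingerprint": top_share(fingerprints) >= homogeneity,
        "same_region": top_share(regions) >= homogeneity,
        "same_language": top_share(languages) >= homogeneity,
    }


if __name__ == "__main__":
    # The crude burst trips every signal; the proxied one leaves only the volume spike.
    print("obvious:", assess(obvious_bot_burst(1000)))
    print("proxied:", assess(proxied_burst(1000)))
```

The volume anomaly survives proxy blending, which is why the text says the target still sees the traffic increase even when per-request attributes look human.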
As a result, Arkose must broaden its defences, which Gosschalk said was where the tension between marketing and cybersecurity imperatives can emerge.
The evidence is in Arkose’s work for X, formerly known as Twitter. Implemented shortly before Elon Musk bought the social media platform in 2022, Arkose is one of the few service providers to have since survived the mercurial owner’s cost-cutting.
Musk presumably views Arkose as integral to his self-proclaimed “war on bots”. Yet a search for the name of Gosschalk’s company on X brings up hundreds of tweets from users complaining about having to regain access to their accounts by completing an “Arkose challenge” – an alternative to Google’s reCAPTCHA puzzles which the Young Rich Lister claims are more bot-resistant.
“The marketing team is always going to be like ‘hey, come on in!’, the cybersecurity guys will always want to lock things down, so the executives really need to get them together to figure out a compromise,” Gosschalk said.
Arkose shares data with its customers to help them work out at what point the benefits of a more seamless experience for “good” users are outweighed by the cost of frauds perpetrated by “bad” ones.
“It’s a question that companies need to ask themselves before the bad guys answer it for them,” Gosschalk said.