
Socure identified and stopped a surge in fraudulent activity targeting the retail banking and credit card operations of large financial institutions using stolen Massachusetts identities. We have strong evidence that a China-based actor is behind this attack.

To date, we’ve identified over 9,100 fraudulent checking and credit applications spanning multiple financial institutions. In this post, we’ll review what we know today, provide analysis, and share what financial institutions can do to protect themselves.

What’s Happening?

There has been a recent influx of applications from purported Massachusetts residents born between 1975 and 1990. While most of the identity elements provided during the application process tie to a real-world individual, consistent patterns across four key areas indicate a concerted fraud effort behind this rise. Let’s break it down.

1. Use of specific domains with gibberish email handles and no correlation to identities

The observed increase has primarily been associated with Outlook.com and Hotmail.com email addresses that use gibberish handles (random combinations of letters and numbers, such as a62e9bofgr@hotmail.com).

Notably, we also identified a newly emerging email domain, Luuinet.com. Since its first appearance in the Socure Network on November 5, 2024, this domain has been associated with 5,500 applications, also featuring gibberish email handles and tied exclusively to Massachusetts-based identities.

Based on both authoritative data sources and Socure’s own network of over 500 million identities, we also find no correlation between the identities and the email addresses used in these applications.

2. A spike in overnight application volume (EST)

During this rise in applications, we are also seeing increased volume from Massachusetts in the middle of the night (EST), while neighboring states still exhibit the typical overnight drop. See the comparison in the charts below:

[Chart: Activity in MA vs. neighboring states by hour]

This overnight increase in volume strongly correlates with the increased usage of Outlook, Hotmail, and Luuinet email domains.

[Chart: Gibberish email handles in MA per domain]

3. IP addresses from across the United States

Many of the observed IP addresses geolocated outside Massachusetts. This mismatch strongly suggests the use of VPNs or proxy services: over 89% of flagged applications came from geolocations more than 100 miles from the declared address.

[Screenshot dated 2025-01-15]
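As an added illustration (not Socure’s code), here is the geodesic check behind the 100-mile figure above: a haversine distance between the declared address and the IP geolocation, applied to a constructed batch of applications. The city coordinates, application IDs and the batch itself are made up for the example; only the 100-mile cut-off comes from the post.

```python
import math

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two (lat, lon) points in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def geo_mismatch(declared, observed, threshold_miles=100.0):
    """True when the IP geolocation is more than `threshold_miles` from the
    declared address. The 100-mile default is the cut-off quoted in the post."""
    return haversine_miles(*declared, *observed) > threshold_miles


def mismatch_rate(applications, threshold_miles=100.0):
    """Share of a batch whose IP geolocation is beyond the threshold; the
    post reports over 89% for the flagged Massachusetts applications."""
    flagged = sum(geo_mismatch(d, o, threshold_miles) for _, d, o in applications)
    return flagged / len(applications) if applications else 0.0


# Constructed sample (not real application data): (application id,
# declared-address coordinates, IP geolocation coordinates). Coordinates are
# approximate city centroids.
SAMPLE_APPLICATIONS = [
    ("app-1", (42.3601, -71.0589), (42.3736, -71.1097)),   # Boston -> Cambridge, MA
    ("app-2", (42.3601, -71.0589), (41.8240, -71.4128)),   # Boston -> Providence, RI
    ("app-3", (42.3601, -71.0589), (32.7767, -96.7970)),   # Boston -> Dallas, TX
    ("app-4", (42.2626, -71.8023), (34.0522, -118.2437)),  # Worcester -> Los Angeles, CA
    ("app-5", (42.1015, -72.5898), (41.8781, -87.6298)),   # Springfield -> Chicago, IL
]

if __name__ == "__main__":
    for app_id, declared, observed in SAMPLE_APPLICATIONS:
        miles = haversine_miles(*declared, *observed)
        print(f"{app_id}: {miles:7.1f} mi  mismatch={geo_mismatch(declared, observed)}")
    print(f"share beyond 100 mi: {mismatch_rate(SAMPLE_APPLICATIONS):.0%}")
```

A distance mismatch on its own is a signal, not proof: mobile carrier NAT and genuine travel both produce far-away geolocations, which is why the post pairs it with proxy and VPN detection and with the email and phone correlation checks.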

4. Use of Massachusetts phone numbers with limited network activity

The applications used a constrained set of Massachusetts phone area codes: 339, 351, 413, 508, 617, 774, 781, 857, and 978. However, most of these phone numbers were flagged for limited activity (no active usage for more than 90 days) or had recently been reassigned, both common patterns in fraud attempts. As with the emails, only a handful of these phone numbers can be correlated to the identities they were submitted with.

Interpreting the Attack

When analyzing an attack like this, two critical questions arise: 

  1. What enabled the attack to start?
  2. Why are fraudsters employing these specific tactics?

First, the exclusive use of Massachusetts identities in this attack strongly suggests that a data breach is at the heart of this effort. According to state reports, over 7 million residents had their identities compromised in 2024, following a staggering 2,249 breaches in 2023.

We’ve seen at least 9,000 identities used thus far (measured as unique SSNs), with new ones appearing every day. The perpetrator(s) are also mostly using one email address and one phone number per identity, rather than reusing emails or phone numbers across multiple identities.

Second, it’s clear that the perpetrator(s) are pairing stolen Massachusetts identities with Massachusetts-based phone numbers to appear more legitimate. The use of gibberish email handles indicates automated generation; randomized handles let them avoid colliding with email addresses or accounts that already exist.

It turns out that Luuinet.com was registered in China in 2023. If we shift the earlier view of Luuinet.com’s volume into the time zone where the domain is based, we get the following view:

[Chart: Luuinet.com 30-day volume, fraudster’s time zone]

With this view, the spikes in volume closely match working-day hours in China. There are even drops around 12-1 p.m. and 6-7 p.m., corresponding to typical lunch and dinner breaks.

Finally, the fraudster(s) are using U.S.-based IP addresses because foreign IP addresses would look too “risky.” Since the attack is happening mostly during working hours in China, U.S. geolocations strongly suggest the use of proxies. They are also rotating through many IP addresses to avoid being blocked, and those addresses are spread across the U.S., likely because the actor does not have enough proxies on hand in Massachusetts.
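The overnight-volume and time-zone analysis described above, as an added example rather than Socure’s own analysis: bucket application timestamps by local hour, measure how much of a domain’s volume lands overnight in Eastern time, and test which candidate time zone makes the volume look like a normal working day. The applications and the example.com domain are constructed; the luuinet.com volume is synthesized to follow the workday pattern the post describes and is not real data. Fixed UTC offsets are used because the January 2025 window has no daylight-saving change in either zone.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets for the January 2025 window: U.S. Eastern is UTC-5 (no DST)
# and China Standard Time is UTC+8 (no DST). Production code should use
# zoneinfo so daylight-saving transitions are handled automatically.
EASTERN = timezone(timedelta(hours=-5), "EST")
CHINA = timezone(timedelta(hours=8), "CST")
CANDIDATE_ZONES = {"America/New_York": EASTERN, "Asia/Shanghai": CHINA}


def constructed_applications():
    """Constructed sample (not Socure data): list of (email domain, UTC timestamp).

    luuinet.com volume is synthesized as a 09:00-18:00 workday in China with
    dips at the 12:00 and 18:00 meal breaks; example.com follows a U.S.
    Eastern daytime pattern. Five weekdays, 6-10 January 2025.
    """
    apps = []
    for day in range(6, 11):
        for hour in range(9, 19):
            n = 2 if hour in (12, 18) else 6
            ts = datetime(2025, 1, day, hour, 30, tzinfo=CHINA).astimezone(timezone.utc)
            apps.extend([("luuinet.com", ts)] * n)
        for hour in range(8, 21):
            n = 2 if hour in (8, 20) else 5
            ts = datetime(2025, 1, day, hour, 30, tzinfo=EASTERN).astimezone(timezone.utc)
            apps.extend([("example.com", ts)] * n)
    return apps


def hourly_histogram(apps, domain, tz):
    """Applications for `domain` bucketed by local hour in time zone `tz`."""
    hist = [0] * 24
    for d, ts in apps:
        if d == domain:
            hist[ts.astimezone(tz).hour] += 1
    return hist


def share_in_window(hist, start, end):
    """Fraction of the histogram's volume in local hours [start, end)."""
    total = sum(hist)
    return sum(hist[start:end]) / total if total else 0.0


def overnight_share(apps, domain, tz=EASTERN):
    """Share of a domain's volume between 00:00 and 05:00 local time; a rising
    value per domain or per state is the overnight anomaly the post describes."""
    return share_in_window(hourly_histogram(apps, domain, tz), 0, 5)


def best_fit_workday_zone(apps, domain, zones=CANDIDATE_ZONES, start=9, end=18):
    """Return (zone name, scores): the candidate zone in which the domain's
    volume is most concentrated inside a 09:00-18:00 working day."""
    scores = {
        name: share_in_window(hourly_histogram(apps, domain, tz), start, end)
        for name, tz in zones.items()
    }
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    apps = constructed_applications()
    for domain in ("luuinet.com", "example.com"):
        zone, scores = best_fit_workday_zone(apps, domain)
        print(f"{domain}: overnight EST share={overnight_share(apps, domain):.2f}, "
              f"best-fit workday zone={zone} {scores}")
```

In the constructed data, luuinet.com places more than half of its volume in the 00:00-05:00 Eastern window and fits a Shanghai working day almost perfectly, while example.com has no overnight volume and fits New York. Running the same two measures per email domain, phone carrier or state over a rolling baseline is what turns the chart above into an alert.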

Moving forward: Protecting your organization with Socure

Here are a few key actions that financial institutions can take to protect themselves from an attack like this one:

  1. Ensure that you’re on the latest Sigma ID, Sigma Synthetic, Email RiskScore, Phone RiskScore, Digital Intelligence, Sigma First Party and Graph Intelligence models.
  2. Implement detection mechanisms that look for programmatic email generation, such as Socure’s email perplexity score, which detects gibberish emails.
  3. Map phone history back to identity, focusing on tenure and activity, using Phone RiskScore, Graph Intelligence and Digital Intelligence.
  4. Monitor for unusual rises in volume from any single email domain, phone carrier, or local hour of the day, and for other anomalous behavior.
  5. Leverage Digital Intelligence to identify proxies, VPNs, high-risk networks, emulators and unusual geodesic telemetry between sessions.

Socure is deeply committed to identifying and preventing all forms of fraud. Our team is continuously monitoring, analyzing, and researching emerging fraud trends to stay ahead of evolving threats. We are rapidly innovating and developing new features to enhance our AI models to detect attacks like this and protect businesses, government agencies, and consumers alike.

With the rise of generative AI, we’ve observed an increase in automated bot attacks that leverage gibberish emails, similar to those used in this incident. To combat this, Socure developed the email perplexity score, specifically designed to detect gibberish patterns. This model flagged every one of the gibberish email patterns used in this attack.

Our team has built a dataset of billions of legitimate email addresses, contributed by our 2,800+ customers, drawn from the nearly 3 billion identities we see each year. Using a large language model (LLM), we trained a classifier to predict whether an email handle was chosen by a human or generated by an automated script producing gibberish.

High perplexity scores were observed for all the email addresses used in this attack, which enabled us to flag them as gibberish. Compared to a typical, or ‘baseline’ population, this group showed a 30x increase in the use of gibberish emails.
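Socure’s perplexity score is LLM-based. As an added example that is not Socure’s model, here is the same idea in miniature: a character-level bigram language model trained on a constructed list of human-chosen handles, which assigns high perplexity to a handle such as a62e9bofgr because it has rarely or never seen those character transitions. The training handles, the smoothing value and the calibration rule (flag anything above 3x the median perplexity of the known-good handles) are assumptions made for the demonstration.

```python
import math
import statistics
from collections import Counter

# Constructed training sample of human-chosen email handles (the part before
# '@'). A real deployment trains on a large corpus of known-good handles;
# this short list is illustrative only.
LEGIT_HANDLES = [
    "john.smith", "maria_garcia88", "dwilliams", "emily.chen", "rob.taylor2",
    "sarah.jones", "mike_brown", "jennifer.lee", "david.miller", "lisa.w",
    "chris.anderson", "amanda.moore", "james.martin", "kate.thompson",
    "kevin_white", "laura.harris", "tom.clark", "nicole.lewis", "brian.walker",
    "anna.young", "steve.king", "rachel.scott", "paul.green", "megan.baker",
]

START, END = "^", "$"
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789._-?"   # unknown chars map to "?"
VOCAB_SIZE = len(CHARSET) + 2                          # plus START and END


class CharBigramModel:
    """Character-level bigram model with add-alpha smoothing.

    perplexity() is exp(-mean log P(next char | previous char)) over a handle:
    low for name-like strings, high for random strings whose transitions were
    never seen in training.
    """

    def __init__(self, handles, alpha=0.1):
        self.alpha = alpha
        self.bigrams = Counter()
        self.contexts = Counter()
        for handle in handles:
            seq = self._seq(handle)
            for prev, cur in zip(seq, seq[1:]):
                self.bigrams[(prev, cur)] += 1
                self.contexts[prev] += 1

    @staticmethod
    def _seq(handle):
        chars = [c if c in CHARSET else "?" for c in handle.lower()]
        return [START] + chars + [END]

    def log_prob(self, prev, cur):
        num = self.bigrams[(prev, cur)] + self.alpha
        den = self.contexts[prev] + self.alpha * VOCAB_SIZE
        return math.log(num / den)

    def perplexity(self, handle):
        seq = self._seq(handle)
        total = sum(self.log_prob(p, c) for p, c in zip(seq, seq[1:]))
        return math.exp(-total / (len(seq) - 1))


def local_part(email):
    """Return the handle before '@', the part the attacker randomizes."""
    return email.split("@", 1)[0]


def calibrate_threshold(model, handles, factor=3.0):
    """Assumed rule: flag handles scoring above `factor` times the median
    perplexity of the known-good training handles."""
    return factor * statistics.median(model.perplexity(h) for h in handles)


def is_gibberish(model, email, threshold):
    return model.perplexity(local_part(email)) > threshold


def gibberish_rate(model, emails, threshold):
    """Share of a batch flagged as gibberish; a jump against the baseline
    rate is the volume anomaly to alert on."""
    flagged = sum(is_gibberish(model, e, threshold) for e in emails)
    return flagged / len(emails) if emails else 0.0


MODEL = CharBigramModel(LEGIT_HANDLES)
THRESHOLD = calibrate_threshold(MODEL, LEGIT_HANDLES)

if __name__ == "__main__":
    for email in ["john.smith@hotmail.com", "a62e9bofgr@hotmail.com", "q7x2mz9k@luuinet.com"]:
        ppl = MODEL.perplexity(local_part(email))
        print(f"{email:26s} perplexity={ppl:6.1f} gibberish={ppl > THRESHOLD}")
```

The bigram model already separates the page’s example handle from name-like handles by a wide margin; a production model needs a much larger corpus, a proper held-out calibration set, and awareness that short or digit-heavy legitimate handles score higher than names, which is where a larger language model earns its keep.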

Beyond email analysis, Socure leverages a wide variety of authoritative data sources to create industry-leading name-to-email and name-to-phone correlation scores, each utilizing more than 150 Socure-proprietary variables. These scores are specifically designed to assess whether there is a trustworthy connection between an identity and its submitted contact methods, as well as the trustworthiness and fraud risk of that email, phone or address.

During this attack, 0% of the emails received a strong correlation score, and only 3.5% of phone numbers did. This stands in stark contrast to baseline populations, where 71% of emails and 87% of phone numbers achieve strong correlations across production traffic.

Additionally, Socure’s flagship Sigma Identity Fraud solution analyzes every aspect of an identity to assess the risk of identity theft. This solution integrates the innovations mentioned above—such as perplexity scores and correlation metrics—with over 500 additional features spanning SSNs, emails, phone numbers, addresses, IP addresses, and device and behavioral data. Every application involved in the attack was consistently assigned a high Sigma Identity Fraud risk score of 90% or above.

Fraudsters are constantly evolving their tactics, making it critical for businesses to stay ahead and prevent them from gaining the upper hand. Thanks to the rapid innovation of our expert data science team and the continuous feedback from our extensive customer network, Socure consistently delivers new models that protect businesses from new and emerging fraud patterns — all while ensuring a seamless experience for legitimate users.

To learn more about how Socure can help protect your organization from attacks like these, talk to a fraud prevention expert today.

Yarne Hermann

Yarne Hermann is a Senior Product Manager for Socure's Sigma fraud suite. He began his career in software engineering with Socure, starting with the Sigma Device product, Socure's internal velocity feature engine, and later moved to Sigma Identity and Sigma Synthetic. Yarne holds a Master's in Computer Science from Columbia University.