Nate Kharrl
Co-Founder & CEO
#23: AI Agents Bypass Detection, Exposed GitHub Data Leaking Through Copilot, Tap-to-Phone Merchant Fraud

We’ve got plenty to dig into. AI-powered browsing agents are making fraud detection harder, a GitHub leak may be exposing fraud defenses, and Tap-to-Phone is redefining merchant fraud risks. Let’s dive in.

NATE'S TAKE - MARCH 4, 2025

Top Three This Week

  1. AI Agents Are Reshaping the Fraud Landscape—Here’s How
  2. Thousands of Exposed GitHub Repositories Are Still Leaking Data Through Copilot
  3. What Does Tap-to-Phone Expansion Mean for Merchant Fraud?

1. AI Agents Are Reshaping the Fraud Landscape—Here’s How

Fraudsters are increasingly layering AI browsing agents into their attack scripts, making it easier to navigate login flows, complete transactions, and bypass step-up challenges—all while appearing eerily human.

I shared on my LinkedIn last week that a group of Estonian developers recently released a cloud-based tool that lets users automate web browsing with AI agents for just $30/month. While marketed as a productivity tool, its capabilities make it a goldmine for fraudsters, who can use it to:

  • Complete guest checkouts at scale
  • Bypass CAPTCHAs and fraud detection tied to device signals
  • Automate registration flows and account takeovers

The project is open-source with over 34,000 stars on GitHub, meaning attackers can customize and scale fraud operations faster than ever. AI-powered bots aren’t just scraping content anymore—they’re acting like real users, making it harder for traditional fraud models to detect them.

At Spec, we’ve been tracking and stopping AI agent misuse using Journey Data, which allows us to spot behavioral patterns that reveal when AI agents are in play. Fraud teams need to adapt—real humans aren’t the only ones navigating the web anymore.

2. Thousands of Exposed GitHub Repositories Are Still Leaking Data Through Copilot

A major security lapse has surfaced: thousands of GitHub repositories that were made private are still accessible through Microsoft’s Copilot AI, exposing API keys, sensitive endpoints, and internal workflows.

For fraud fighters, the concern isn’t just leaked credentials—it’s attackers using this data to manipulate fraud models. If bad actors gain access to API keys that interact with fraud vendors, they could:

  • Inject junk data into fraud detection models, reducing accuracy
  • Reverse-engineer security workflows to find weaknesses
  • Exploit misconfigurations in internal fraud prevention tools

This isn’t just about exposed secrets—it’s about attackers gaining insight into how fraud defenses operate and using that knowledge to evade detection.

GitHub has since patched the issue, but if any fraud vendor APIs or internal security tools were exposed, they may already be compromised. Now is the time for fraud teams to audit API security, review internal endpoint usage, and ensure models haven’t been poisoned with bad data.

3. What Does Tap-to-Phone Expansion Mean for Merchant Fraud?

The rise of Tap-to-Phone technology is transforming commerce, allowing any mobile device to act as a payment terminal. While this expands access to digital payments, it also raises major concerns about merchant fraud.

Historically, accepting card payments required identity verification, business validation, and device-level security controls. But with Tap-to-Phone, nearly any smartphone can process payments, creating new fraud opportunities, including:

  • Fake merchants using personal devices to process stolen cards
  • Fraudsters setting up disposable "businesses" to conduct rapid chargeback fraud
  • Increased risk of device tampering and skimming

When every mobile phone becomes a POS terminal, the entire fraud risk model shifts. Card networks and payment processors will need to rethink how they verify merchants, monitor transactions, and prevent fraud at scale.

Fraud teams should prepare for new fraud vectors emerging from this shift. As Tap-to-Commerce adoption grows, the line between consumer devices and merchant systems is disappearing—and fraudsters are already looking for ways to exploit it.

Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cyber experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate’s leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec’s service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.
