Guide to Account Takeover Attacks

In this three-part blog series, we’ll look at account takeover attacks, their aftermath in the form of fraud statistics, and what you can do to identify and prevent attacks. This first blog post defines account takeover attacks, illustrates how they work, and provides several recent examples.

Definition of Account Takeover Attacks

Account takeover (ATO) is one of the threats making up the broader category of account abuse attacks. Account abuse is any type of activity that exploits accounts, such as fake account creation and account takeover. ATO is likely the fastest-growing threat on the web and occurs when someone gains unauthorized access to an online account, such as email, social media, banking, website, e-commerce, and other online services. With just a username and password, someone else can take ownership of an account.

Because it is relatively easy to break into online accounts and monetize them, websites have become the new banks for attackers, and that’s why ATO is big business for cybercriminals looking to cash in. Attackers seek to gain access to monetary information, such as credit card or bank account details, as well as garner credit card reward points, gift cards, loyalty points, airline miles, and marketplace credits from accounts that users might not monitor regularly. Also, there are many legitimate sites that will purchase consumers’ miles and points, making them particularly appealing to attack so cybercriminals can cash out. In fact, airline miles and rewards points are starting to replace cryptocurrency as the de facto payment system on the dark web where users can also purchase stolen credentials or cash out stolen points.

Because of their lucrative nature, we’ve seen account takeover increase 65% year-over-year in 2019, with mobile ATO attacks up nearly 80%. In 2017 alone, ATO attacks resulted in $5.1 billion lost.

How Does Account Takeover Happen?

There are many reasons why ATO attacks are on the rise, the most prominent being the easy availability of stolen credentials on the dark web. All attackers have to do is buy a list of credentials and launch an army of bots across multiple retail, travel, social media, and ecommerce sites to test username and password combinations. In the end, they get a list of validated credentials they can gain value from using different account abuse methods, or sell the validated credentials to others. Bad bots make it easy for malicious attackers to quickly roll through countless user-name/password combinations, which can lead to account takeover. “Blocking bots prevents automated credential stuffing and applications hacks,” according to Forrester Research.

Moreover, with the criminal ecosystem highly evolved, the barriers to entry are extremely low and it is easy for cybercriminals to get creative. For example, they can run an entire operation without having infrastructure or development capabilities: they can rent hours on a botnet, ask for any number of nodes, and provide the payload they purchased or commissioned elsewhere to run the campaign to validate accounts. The resulting information can be sold for profit, as in the example above, or used by the hacker for their own profit.

Just recently, SC Magazine UK reported that cybercriminals had created “combolists” of user-names and passwords, and were renting access to databases that combine stolen usernames, passwords, and other details.

What can attackers gain from an ATO

Many companies and their users have suffered from ATO attacks. Here are just a few examples:

• Australian retailer Woolworth’s was forced to cancel more than $1.3 million (AUS) in gift cards after it experienced a data breach that leaked details on nearly 8,000 cards to nearly 1,000 customers.
• Fitbit became embroiled in a sophisticated warranty fraud campaign when hackers used leaked email addresses and passwords from third-party sites to gain access to user accounts.

With an organized fraud ecosystem, attacks have shifted from point of sale to online, worsened by the massive growth in the relatively insecure Internet of Things. Moreover, according to Gartner, “Design weaknesses — such as unlimited authentication attempts, lack of account takeover detection and lack of protection against automated attacks — are also increasingly used to abuse the business logic in applications and APIs” and the industry research firm expects that as more data and transactions move to the cloud, ATO attacks will increase. To make matters worse, the rise of artificial intelligence further automates and streamlines the process. In fact, it is expected that AI-driven machines will initiate approximately 10% of cyberattacks as early as 2020.

If you’d like to learn more about account takeover and what you can do to prevent this type of attack, visit www.perimeterx.com/solutions-by-threat/account-takeover/