The Phases of Account Takeover Attacks and How To Stop Them
As originally published in Forbes
For those unfamiliar with the term "account takeover" (ATO), it's a "type of cybercrime or identity theft where a malicious third-party gains access to — or 'takes over' — an online account, such as an e-mail address, bank account, or social media profile." But to fully understand it, you must recognize that an ATO isn't a singular attack.
At the heart of an ATO is an account and the value therein. To capture that value, attackers traverse an entire life cycle that goes from stealing credentials to validating them, to using them to take over accounts, to committing post-login fraud and then doing it all over again. One attack fuels another, and it’s how these attacks play off each other that fully describes an ATO. Understanding this can help you detect and defend against these attacks more efficiently.
An ATO often starts with getting stolen credentials from hacked sites or databases, sales on the dark web, phishing campaigns or other resources. The next step is testing the credentials on many different sites and applications, usually with bots. Then, it’s about taking over the account and committing fraud—making fraudulent purchases with stored credit cards, transferring gift card balances or loyalty points, submitting fake warranty claims or creating fake accounts. Often, this involves using the compromised accounts to propagate the attack and take over additional accounts.
Phase 1: Theft
It seems like we hear about a new data breach almost every day. The media is constantly reporting on new breaches, with millions of accounts being compromised and credentials being stolen from popular social media platforms, e-commerce companies, financial institutions and even the public sector and government. The attack vectors here can be PII harvesting, leaky databases, malware or social engineering, to name a few examples.
After stealing credentials, hackers might put them up for sale on the dark web for others to purchase and test. There are billions of credentials for sale on the dark web—more than 15 billion according to one study. And research results show that 66% of people reuse passwords across multiple accounts. So, when a certain site is hacked, the stolen credentials not only jeopardize the accounts on that site; they’d likely also work on other sites.
Phase 2: Validation
Validating the stolen credentials is the next step. Attackers use bots to attempt thousands or millions of logins across hundreds or thousands of websites. In my company's experience, the average success rate is usually less than a percent. This might not seem like much, but when you consider that hackers are regularly testing millions of credentials, it can translate to a lot of successful logins. Furthermore, based on my company's experience, we’ve seen attacks with a success rate of up to 8% from hackers who’ve used a highly curated list of credentials from a fairly recent data breach.
Now that the hacker has a validated credential pair, they can sell that account to another cybercriminal. There’s a full market on the dark web offering validated accounts for different prices, ranging from a few dollars to several tens of dollars per validated account if it’s on a coveted website.
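The validation phase leaves a distinctive trace in login logs: one source cycling through many different usernames with a success rate far below what real users produce. The following example, added here and not code from the article or the author's company, runs that check over a constructed login log; the log format, thresholds and names are assumptions, and the successful logins it attributes to a stuffing source are the credentials that have just been validated and therefore need a forced reset and extra scrutiny.

```python
import re
from collections import defaultdict

# Constructed login log (not real traffic): time, client IP, username, outcome.
SAMPLE_AUTH_LOG = """\
10:00:01 203.0.113.7 alice@example.com FAIL
10:00:01 203.0.113.7 bob@example.com FAIL
10:00:02 203.0.113.7 carol@example.com FAIL
10:00:02 203.0.113.7 dave@example.com OK
10:00:03 203.0.113.7 erin@example.com FAIL
10:00:03 203.0.113.7 frank@example.com FAIL
10:00:04 203.0.113.7 grace@example.com FAIL
10:00:04 203.0.113.7 heidi@example.com FAIL
10:01:10 198.51.100.22 mallory@example.com FAIL
10:01:25 198.51.100.22 mallory@example.com OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

# Assumed thresholds for the example; tune them per application.
MIN_ATTEMPTS = 6          # ignore low-volume sources
MIN_DISTINCT_RATIO = 0.8  # stuffing cycles through many usernames, not one
MAX_SUCCESS_RATE = 0.15   # stuffing mostly fails; a shared gateway of real users mostly succeeds

def parse_auth_log(text):
    """Yield (ip, user, succeeded) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4) == "OK"

def detect_credential_stuffing(text):
    """Return ({ip: stats} for stuffing sources, [(ip, user)] credentials they validated)."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": []})
    for ip, user, ok in parse_auth_log(text):
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["successes"].append(user)
    flagged, validated = {}, []
    for ip, s in per_ip.items():
        n = s["attempts"]
        distinct_ratio, success_rate = len(s["users"]) / n, len(s["successes"]) / n
        if n >= MIN_ATTEMPTS and distinct_ratio >= MIN_DISTINCT_RATIO and success_rate <= MAX_SUCCESS_RATE:
            flagged[ip] = {"attempts": n, "distinct_users": len(s["users"]),
                           "success_rate": round(success_rate, 3)}
            # Logins that succeeded from a stuffing source are now validated credentials.
            validated.extend((ip, u) for u in s["successes"])
    return flagged, validated
```

A source that fails many logins for one username (a user mistyping a password) never reaches the distinct-username ratio, so it is not flagged.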
Phase 3: Fraudulent Use
This is the "heart" of the attack and where the attackers typically extract the value. There are many ways to abuse an account, and they depend on the application. Modern applications let users accumulate and store a lot of value within the platform—balances on gift cards, loyalty points, airline miles and other digital currency. It’s fairly easy to cash these out because they don’t have the same level of security as, say, a credit card or debit card. And, of course, payment card numbers are often stored in accounts as well, if hackers want to take advantage of them.
But it doesn’t end there. There are many ways to steal value from different applications. In marketplaces, for example, attackers can create fake accounts offering services or products. They can then drain funds from the compromised account using many small transactions that are below the threshold for typical fraud detection. Because these transactions remain in the marketplace, they're less likely to draw attention from fraud systems that track when users cash out.
For e-commerce, fraudsters can look back at recent orders in the account, call customer support complaining that their package wasn’t delivered or that it's faulty, and ask for it to be resent to a different address. This is usually referred to as "warranty fraud."
Hackers can also post fake reviews to promote or damage products. And hacked accounts can be used to distribute spam or use in-platform messaging to distribute malware—enabling the attacker to steal even more personal information and begin the ATO and web attack life cycle all over again.
How To Stop ATO Attacks
First, preventing an ATO takes a shift in mindset. Many website owners generically look for bots or for fraud signals, which is a great start, but it isn’t enough. You need to understand the type of value that someone could extract from your specific application in your unique environment because that’s what hackers are after. Put a "red-team" hat on and think from an attacker’s point of view, exploring the different routes they could take to reach their goal. This process can help you be more proactive in identifying fraud and stopping it in real time by looking for signals of abuse and anomalous behavior patterns around these routes.
We also need to stop relying solely on authentication as a proxy for identity. Authentication is an important barrier for protecting an account, but just because a user is authenticated doesn't mean that the user is legitimate. Don’t give free access just based on the fact that someone is authenticated with a username and password or some federated or social login. You still need to track the behavior of the user and monitor their actions after logging in as another stopgap to prevent an ATO from attackers using breached credentials.
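Tracking behavior after login means scoring the routes to value that the article describes rather than trusting the session because the password was right. The example below is added here and is not code from the article or the author's company; the action names, weights, thresholds and session data are assumptions. It scores a session for the sub-threshold marketplace drain, the address-change-then-reshipment warranty pattern, and stored-value redemption, then maps the score to allow, step-up authentication, or hold for review.

```python
# Assumed per-application tuning: each application has its own value routes.
SMALL_TX_THRESHOLD = 50.0   # individual transfers below this amount escape typical fraud rules
STRUCTURING_COUNT = 4       # this many sub-threshold transfers in one session is not normal use
STEP_UP, HOLD = 40, 70      # score bands: step-up authentication / hold for manual review

# Risk weights for post-login actions along the value routes described in the article.
ACTION_WEIGHTS = {
    "change_email": 25, "change_password": 20, "change_address": 15,
    "redeem_gift_card": 30, "transfer_points": 30, "request_reshipment": 20,
}

def score_session(events, known_device=True):
    """events: time-ordered dicts such as {"action": "transfer", "amount": 20.0}.
    Returns (score, reasons) for one authenticated session."""
    score, reasons = 0, []
    if not known_device:
        score += 20
        reasons.append("new device")
    actions = [e["action"] for e in events]
    for action, weight in ACTION_WEIGHTS.items():
        if action in actions:
            score += weight
            reasons.append(action)
    # Marketplace drain: many transfers kept just under the fraud-detection threshold.
    small = [e for e in events
             if e["action"] == "transfer" and e.get("amount", 0.0) < SMALL_TX_THRESHOLD]
    if len(small) >= STRUCTURING_COUNT:
        score += 40
        total = sum(e["amount"] for e in small)
        reasons.append(f"{len(small)} sub-threshold transfers totalling {total:.2f}")
    # Warranty-fraud pattern: shipping address changed, then a reshipment requested.
    if ("change_address" in actions and "request_reshipment" in actions
            and actions.index("change_address") < actions.index("request_reshipment")):
        score += 30
        reasons.append("address change followed by reshipment request")
    return score, reasons

def decide(score):
    """Map a session score to the response the application should take."""
    if score >= HOLD:
        return "hold_for_review"
    return "step_up_auth" if score >= STEP_UP else "allow"

# Constructed sessions for illustration (not real user data).
NORMAL_SESSION = [{"action": "view_orders"}, {"action": "transfer", "amount": 120.0}]
DRAIN_SESSION = [{"action": "transfer", "amount": 45.0}] * 5 + [{"action": "change_email"}]
WARRANTY_SESSION = [{"action": "view_orders"}, {"action": "change_address"},
                    {"action": "request_reshipment"}]
```

The reasons list is what an analyst sees when a session is held, so each signal is named in the terms the business uses rather than as a bare score.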