What Are Account Takeover, Credential Stuffing and Fake Account Creation?
Account takeover (ATO) is an attack in which criminals take unauthorized ownership of online accounts using stolen usernames and passwords. Attackers typically buy a list of credentials on the dark web and launch an army of bots across popular retail, travel, social media and e-commerce sites to test username and password combinations. In the end, they get a list of validated credentials they can profit from by abusing the account or by selling the validated credentials to others.
Users don’t change passwords often, and they reuse usernames and passwords across multiple sites. Bad bots make credential stuffing easy: they rapidly cycle through countless username and password combinations until they find pairs that work, which is how ATO is carried out at scale. Attackers can break into login pages on websites, mobile sites and native mobile application APIs. Once attackers gain access, they can abuse the account, for example by draining the user’s loyalty points.
Another type of ATO, known as fake account creation, happens when bots create new accounts that are not linked to real users. Login pages are the primary targets for fake account creation attacks. Fake accounts are leveraged for other attacks or fraudulent transactions. With advanced methods, such as malware installed as malicious browser extensions, hackers generate new accounts at scale for subsequent misuse in carding and gift card cracking attacks, warranty claims, bad reviews and denial of inventory.
How ATO Attacks Work
- Stolen credentials from data breaches are sold on the dark web
- Attackers buy a list of stolen credentials from the dark web
- Attackers leverage bots and perform credential stuffing on websites
- Validated credentials are ready for Account Takeover
- Fraudulent transactions are made on compromised accounts
ATO Attacks Are on the Rise
For cybercriminals, ATO is easy to do and very profitable. Bots continuously evolve to evade detection mechanisms, so ATO attacks get through and website owners are none the wiser. Bots can mimic user behavior and hide inside a validated user session by running as malware on actual user devices. Even if the attacks take over a very small percentage of your user accounts, the damage can be enormous depending on the value of the user account. For example, theft of stored credit card information or loyalty points could easily exceed millions of dollars. The industries most commonly targeted include e-commerce and travel and hospitality.
How Are Companies Fighting ATO?
The speed and evolution of today’s attacks present significant challenges for businesses. Unfortunately, some of the most commonly used techniques aren’t enough to stop ATO.
Web Application Firewalls
While web application firewalls (WAFs) help secure web servers, they are not as effective at detecting ATO attacks or triggering alerts. WAFs are largely bypassed and ignored by the latest, sophisticated bot attacks, but their prevalence has contributed to a false sense of security among website owners. Neither WAFs nor regular website logging has the sensitivity to see patterns in the traffic and detect modern ATO attacks, so these attacks go largely undetected.
Homegrown Bot Management
Homegrown solutions use signatures and pre-configured rules and policies, such as volumetric and geo-based detection, to stop bots. But the efficacy of signature-based detection has declined rapidly over time. If you block traffic because of an unknown spike, you might also block real users. Signature-based systems also have a hard time dealing with hyper-distributed bot attacks, where each source sends only a handful of requests and no single one crosses a volumetric threshold.
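As an added example (not from the original article), the following Python contrasts the per-IP volumetric rule described above with a population-level signal computed over the whole login window, run against a constructed set of login events. The event layout, IP ranges, usernames and thresholds are assumptions for illustration.

```python
from collections import Counter

# Constructed sample login events (time, source IP, username, outcome); not real traffic.
# Two ordinary users, followed by a hyper-distributed credential-stuffing run in which
# every source IP makes exactly one attempt, each against a different username.
LOGIN_EVENTS = [
    ("10:00:01", "203.0.113.10", "alice", "fail"),
    ("10:00:07", "203.0.113.10", "alice", "ok"),
    ("10:00:12", "203.0.113.11", "bob", "ok"),
] + [
    (f"10:01:{i:02d}", f"198.51.100.{i}", f"user{i:03d}", "ok" if i % 20 == 0 else "fail")
    for i in range(40)
]


def per_ip_volumetric_alerts(events, max_attempts=5):
    """Classic homegrown rule: flag any source IP with more than max_attempts logins."""
    attempts = Counter(ip for _, ip, _, _ in events)
    return {ip for ip, n in attempts.items() if n > max_attempts}


def traffic_pattern_signal(events, fail_ratio_threshold=0.5, min_attempts=20):
    """Population-level signal: look at the whole window rather than one IP at a time.

    A credential-stuffing run shows up as a high failure ratio combined with roughly
    one distinct username per distinct source IP. A per-IP threshold never fires on
    this traffic because every IP individually stays under it.
    """
    total = len(events)
    fails = sum(1 for *_, outcome in events if outcome == "fail")
    fail_ratio = fails / total if total else 0.0
    distinct_users = len({user for _, _, user, _ in events})
    distinct_ips = len({ip for _, ip, _, _ in events})
    users_per_ip = distinct_users / distinct_ips if distinct_ips else 0.0
    suspicious = (total >= min_attempts
                  and fail_ratio >= fail_ratio_threshold
                  and users_per_ip > 0.8)
    return {
        "attempts": total,
        "fail_ratio": round(fail_ratio, 2),
        "distinct_usernames": distinct_users,
        "distinct_ips": distinct_ips,
        "users_per_ip": round(users_per_ip, 2),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print("per-IP volumetric alerts:", per_ip_volumetric_alerts(LOGIN_EVENTS) or "none")
    print("traffic pattern signal:", traffic_pattern_signal(LOGIN_EVENTS))
```

On the sample data the per-IP rule raises no alert at all, while the population-level signal flags the window because almost every attempt fails and the username count tracks the IP count one-to-one.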
CAPTCHAs
Over time, the original CAPTCHAs have become easy to solve for bots equipped with image processing software. Some bots have a 90% success rate for solving CAPTCHAs. To counter the growing capabilities of bots, CAPTCHA services have gradually increased the difficulty of the challenges, ultimately escalating to visual processing challenges that are actually hard for humans to solve. At the same time, more challenging CAPTCHAs also go against a core user experience principle: make the user’s experience smoother, faster and better, not more disjointed, slower and worse.