What is Account Takeover?
Account takeover (ATO) is a form of fraud or identity theft in which cybercriminals gain unauthorized access to online personal or business accounts using stolen credentials. Once the attacker gains access to the targeted account, they can transfer funds, use stored credit cards, deplete gift cards and loyalty points, redeem airline miles, submit fraudulent credit applications, plant ransomware or other malware, steal corporate data and perform acts of cyberterrorism.
How Do Hackers Take Over an Account?
Cybercriminals may employ a variety of techniques to gain access to the account of an unsuspecting user. If an attacker has a list of usernames for a targeted site, but not the passwords, they may employ a technique called password spraying in which they try a common default password, such as “Password1,” against a large number of usernames. The attacker uses the brute force of bot automation to systematically try the guessed password against as many usernames as possible until they find one that works.
If the attacker has a valid username and password combination for a targeted site, they may try to scale the attack to take over the user’s accounts on additional sites. This technique is called credential stuffing. Again, the attacker will employ the brute force of bot automation to quickly try the credentials across e-commerce, banking, travel and other popular websites in the hopes that some users have reused the same usernames and passwords for multiple sites.
What is Fake Account Creation?
Fake account creation is another type of brute force attack…with a twist. Rather than using brute force trying to guess the credentials of an existing account, the attacker uses bot automation to create a large number of fake accounts using fake or stolen identities.
Who Are the Targets for Account Takeover Attacks?
As with many cyberattacks, financial services companies were the original targets for ATO as criminals attempted to access the funds in a user’s account or open lines of credit in the user’s name.
Today, any organization that maintains user accounts which can be exploited for profit is a potential target. This can include taking over e-commerce or travel accounts to make fraudulent purchases or cash in loyalty points. It can also include targeting business accounts such as email or network logins to gain a foothold for a larger data theft or ransomware attack.
How Do Account Takeover Attacks Work?
The basic steps of an ATO attack are not terribly complex, but they can be very difficult to detect. Let’s break down the basic steps in taking over an unsuspecting user’s online account:
- The foundation of an ATO attack is gaining access to a large volume of user credentials. Some attackers start with a phishing campaign or hacking a network to collect usernames, passwords and other personal data. Other attackers simply buy a list of credentials on the dark web.
- Once the attacker has a list of login credentials, they test them against target sites. Most often, the attacker will try a variety of validation techniques using an army of automated bots. Automated bots make it easy for an attacker to execute brute force and credential stuffing attacks by quickly rolling through countless username and password combinations to identify valid combinations. With this automated approach, attackers can successfully crack as many as 8% of the targeted accounts.
- Once the attacker has amassed a list of validated credentials they can profit from them by initiating malicious actions such as withdrawing funds, opening lines of credit, making purchases or by reselling the validated credentials to others for exploitation.
- Most people reuse the same credentials across many sites. So once a valid username and password combination is identified, the attacker will likely try to scale their efforts by trying the same combination across other popular retail, travel, social media, bank and e-commerce sites. This helps a cybercriminal increase the profitability of each validated credential.
ATO Attacks Are On The Rise
For cybercriminals, account takeover is easy to do and very profitable. Bots continuously evolve to evade detection mechanisms, so account takeover attacks get through and website owners are none the wiser. Bots can mimic user behavior and hide inside a validated user session by running as malware on actual user devices. Even if the attacks take over a very small percentage of your user accounts, based on the value of the user account, the damage can be enormous. For example, theft of stored credit card numbers or loyalty points could easily net millions of dollars for the cybercriminal. And, end users are also negatively impacted by identity theft. The industries most commonly targeted include e-commerce, financial services and travel and hospitality.
How are Companies Fighting ATO?
The speed and evolution of today’s attacks present significant challenges for businesses. Unfortunately, some of the most commonly used techniques aren’t enough to stop ATO.
Web Application Firewalls
While web application firewalls (WAFs) help secure web servers, they are not as effective in detecting ATO attacks or triggering alerts. WAFs are largely bypassed and ignored by the latest, sophisticated bot attacks, but their prevalence has contributed to a false sense of security among website owners. Neither WAFs nor regular website logging have the sensitivity to be able to see patterns in the traffic and detect modern ATO attacks, so they go largely undetected.
Homegrown Bot Management
Homegrown solutions use signatures and pre-configured rules and policies, such as volumetric-based and geo-based detection to stop bots. But, the efficacy of signature-based detection has declined rapidly over time. If you block traffic because of an unknown spike, you might also block real users. Signature-based systems also have a hard time dealing with hyper-distributed bot attacks.
Over time, the original CAPTCHAs have become easy to solve for bots equipped with image processing software. Some bots have a 90% success rate for solving CAPTCHAs. To counter the growing capabilities of bots, CAPTCHA services have gradually increased the difficulty of the challenges, ultimately escalating to visual processing challenges that are actually hard for humans to solve. At the same time, more challenging CAPTCHAs also go against a core user experience principle: make the user’s experience smoother, faster and better, not more disjointed, slower and worse.