The Phases of Account Takeover Attacks and How To Stop Them

Based on article originally published in Forbes

Account Takeover (ATO) isn't a singular attack, but the culmination of an integrated set of cyberattacks. At the heart of an ATO is an account and the value therein. To capture that value, attackers traverse an entire web attack lifecycle that goes from stealing credentials to validating them, to using them to take over accounts, to committing post-login fraud and then doing it all over again. Understanding this lifecycle will help you detect and defend against these attacks more efficiently. 

Phase 1: Theft

An ATO starts with stealing credentials via data breaches, PII harvesting, malware or phishing.

After stealing credentials, hackers often sell them to other cybercriminals for use in future attacks. There are billions of credentials for sale on the dark web—more than 24 billion according to one study. And research results show that 66% of people reuse passwords across multiple accounts. So, when a certain site is hacked, the stolen credentials would not only jeopardize the accounts on that site, but they’d likely also work on other sites as well.

Phase 2: Validation

Validating the stolen credentials is the next step. Attackers use bots to attempt thousands or millions of logins across hundreds or thousands of websites. If the bot is able to log into the account, the stolen username and password pair can be resold for a higher profit. There’s a full market on the dark web offering validated accounts for different prices, ranging from a few dollars to several tens of dollars per validated account if it’s on a coveted website.

Phase 3: Fraudulent Use

This is the heart of the attack and where the attackers typically extract the value. Modern applications allow users to store a lot of value, including credit and debit card numbers, gift card balances, loyalty points, airline miles and other digital currency. If a fraudster gains access to an account, they can steal that value by making fraudulent purchases or credit transfers. 

But it doesn’t end there. There are many ways to steal value from different applications after taking over an account.

  • Commit warranty fraud: Fraudsters can look back at recent orders in e-commerce accounts, call customer support complaining that their package wasn’t delivered or that it's faulty and ask it to be resent to a different address. 
  • Submit fake credit applications: Attackers can use the information stored in financial accounts to take out fake loans and lines of credit.
  • Post fake reviews: Hackers can also post fake reviews to promote or damage products.
  • Funnel money: Attackers can create fake accounts on marketplace apps offering services or products. They can then drain funds from the original account using many small transactions that are below the threshold for typical fraud detection. Because these transactions remain in the marketplace, they're less likely to draw attention from fraud systems that track when users cash out. 
  • Distribute malware: Hacked accounts can be used to distribute spam or use in-platform messaging to distribute malware. This enables the attacker to steal even more personal information and begin the ATO and web attack life cycle all over again.


How to Stop Account Takeover Attacks

In order to prevent ATO attacks, website owners must address every phase of the attack lifecycle. Here are a few steps you can take:

  • Secure your database. Leaky forms, vulnerable third-party code and broken access control increase your risk of having sensitive user data fall into the wrong hands. Adopt a code mitigation solution to continuously evaluate the behavior of all client-side scripts.
  • Enable behavior-based bot management. By analyzing all user behaviors, bot management solutions spot small anomalies in real time. Taking a behavior-based approach allows you to identify sophisticated attacks that might otherwise go undetected. 
  • Go beyond blocking bots. Many website owners look only for bots or common fraud signals to prevent ATO attacks. This is critical and necessary, but it isn’t enough to prevent human ATO fraud.
  • Don’t give a free pass to authenticated users. Authentication is an important barrier for protecting an account, but just because a user is authenticated doesn't mean that they are legitimate. Cybercriminals could use valid stolen credentials to log into an account.
  • Continually evaluate user behavior. Monitor users’ actions post-login to identify suspicious activities within an account. By looking for signals of abuse and anomalous behavior patterns, you can proactively identify fraud and stop it in real time.

HUMAN account takeover defense provides online fraud detection that safeguards accounts throughout users' entire digital journey. Our solutions detect and mitigate sophisticated bot attacks, client-side threats, and post-login account abuse.