Account takeover (ATO) attacks have become one of the largest challenges for fraud and security teams today. And it’s because of the economics more than anything else: these attacks cost very little to carry out, they have a high success rate, and there are a variety of means to monetize successful account takeovers. But before we can dig into how these attacks got so common and how businesses can prevent and mitigate their impacts, we should define what these attacks look like and how they happen.
What does it mean to be a victim of an ATO attack?
Account takeover attacks happen when existing user accounts are compromised by cybercriminals, typically through credential stuffing or credential cracking. These activities can run at scale using sophisticated bots, often through compromised residential machines.
In layman’s terms - if your account on one web service or another has been “hacked”, you’re probably the victim of an ATO attack. A cybercriminal was able to use a credential stuffing or cracking operation to break into your account and wreak havoc. While sophisticated bots are the easiest way for a criminal to scale up ATO operations, they may focus their attention instead on manually targeting high-value individuals, like corporate executives or politicians.
A credential stuffing attack is when attackers use stolen account credentials gathered from malware-infected machines or obtained from large data breaches. These stolen credentials (generally email addresses and passwords) are then tested against web applications (like your bank account login) to identify vulnerable accounts. Since many internet users reuse passwords, attackers have high success rates and are able to consistently profit from credential stuffing attacks by performing fraudulent transactions, stealing personally identifiable information (PII), reselling accounts, or posting fake content and reviews (manipulating online platforms, eroding trust).
Credential stuffing attacks are one of the reasons your IT department keeps telling you to change your password every 90 days or to use a password manager.
If you’ve ever heard the phrase “brute force” associated with breaking into someone’s account, this is what they mean. Criminals will have a collection of partial login credentials (like email addresses or usernames) and they will set up a bot to simply generate and try passwords at high volume and high speed until they find a combination that works. That combo is then recorded and used elsewhere on the web to try for other accounts.
Credential cracking is much less efficient than credential stuffing, but has the advantage of not relying on stolen or leaked credentials to break into accounts.
How it happens
Attackers typically leverage three main capabilities to carry out account takeover attacks:
1. CAPTCHA bypass tools: CAPTCHAs are seemingly everywhere now. While they have evolved and have become effective at identifying simple bots, they often cannot identify sophisticated bots that are built to get into the web apps you use on a daily basis. Many websites and applications still rely on CAPTCHA as the primary layer of defense against bots.
There are numerous CAPTCHA bypass tools available on the web, some of which are free and most of which are relatively inexpensive. Some of these services actually employ humans to solve the CAPTCHA on behalf of the user, while others use algorithms to populate the answer automatically. Many of these CAPTCHA bypass tools have become very effective, enabling criminals to skip past one line of defense.
2. Automation & web testing tools: There are many tools that allow attackers to automate login requests, a key component to a credential stuffing attack. These range from Selenium—an open source automation and testing tool—to tools for sale on the dark web, including Sentry MBA, SNIPR, Vertex, STORM, and Black Bullet.
3. Sophisticated botnets & compromised devices: Today, botnets operate like a SaaS that can be rented on demand. This means attackers can gain access to millions of machines in order to scale up their efforts and attempt to log into websites and applications from many different IP addresses around the globe. This makes it hard for fraud and security teams to pinpoint any single transaction as fraudulent.
4. Fraud as a service: The White Ops Satori Threat Intelligence and Research Team recently published an investigation into a particular threat actor who used a vulnerability in a particular router to harvest IP addresses. Those addresses were then packaged with stolen credentials, helping other criminals bypass a geography check on logins by matching the credentials with IP addresses in the same area. Similar actors and vulnerabilities are likely out there.
Why it happens
There are a number of reasons why ATO attacks are common, but they really boil down to one, key reason: they can make a criminal a lot of money quickly. Criminals need only spend a few hundred dollars to buy stolen credentials, purchase an automated login tool, and rent a botnet. After that, it’s essentially just a matter of turning them on.
Once the elements of crime are operational, these criminals can monetize the accounts they break into in a number of ways:
- Conducting fraudulent transactions
- Stealing and reselling personally identifiable information (PII)
- Reselling the account on the dark web
- “Megabreaches” mean exposed credentials are readily available: criminals can easily purchase account credentials for cheap. In the first 9 months of 2019, there were nearly 8 billion records exposed.
- Multi-factor authentication adoption is still low: according to 451 Research, only 51% of enterprises have adopted MFA since compromising user experience remains a large concern. This low adoption rate, in turn, leads to higher success rates for attackers conducting account takeover attacks.
- Rampant password reuse: Google researchers found that 74% of users re-use their password after their accounts have been compromised. This means that once a criminal gets hold of a password, there’s almost a 3 in 4 chance that they’ll be able to login as long as there is an account associated with that password.
- CAPTCHA easily bypassed: As mentioned above, CAPTCHA bypass tools are cheap and readily available. Many of these tools claim success rates from 80-99%.
Mitigating account takeover risks
There are many steps developers, fraud, and security professionals can take to protect their businesses from account takeover attacks.
- Encourage (or require) customers and employees to use multifactor authentication (MFA): While some platforms see MFA as another friction point that reduces user engagement, this is arguably the most important step to take to reduce the likelihood and impact of these attacks. Still, multifactor authentication can still be vulnerable to SIM-swapping and man-in-the-browser type of attacks.
- Look for anomalous behavior: Do your customer logins only come from certain regions or countries? Do they tend to happen at certain times? Are there certain actions customers take to tend after logging in? Many companies have built internal models to score logins for anomalous behavior. However, since bots can mimic human behavior and attributes, anomalistic analysis alone cannot identify account takeover attacks, but they certainly help.
- Detect bot and automated traffic: Adding bot detection capabilities is a crucial measure to mitigating the impact of account takeover attacks. Since these attacks happen so quickly because of automation, protecting against them manually is usually a fool’s errand. Having capabilities to detect and enforce policies against bot traffic in real time will help businesses drastically reduce the risk of account takeover attacks.
To learn how our approach is different, get a complimentary copy of the Enterprise Strategy Group’s Solution Showcase: Securing Applications from Sophisticated Bot Attacks with White Ops.