Account takeover (ATO) is a form of fraud in which cybercriminals gain unauthorized access to online personal or business accounts using stolen credentials. Once the attacker gains access to the targeted account, they can transfer funds, use stored credit cards, deplete gift cards and loyalty points, redeem airline miles, submit fraudulent credit applications, plant ransomware or other malware, steal corporate data, and perform acts of cyberterrorism.
The basis of an ATO attack is not terribly complex, but it can be very difficult to detect. Let’s break down the basic steps in taking over an unsuspecting user’s online account:
- The foundation of an ATO attack is gaining access to a large volume of user credentials. Some attackers start with a phishing campaign or hacking a network to collect usernames, passwords and other personal data. Other attackers simply buy a list of credentials on the dark web.
- Once the attacker has a list of login credentials, they test them against target sites. Most often, the attacker will try a variety of validation techniques using an army of automated bots. Automated bots make it easy for an attacker to execute brute force and credential stuffing attacks by quickly rolling through countless username and password combinations to identify valid combinations. With this automated approach, attackers can successfully crack as many as 8% of the targeted accounts.
- Once the attacker has amassed a list of validated credentials, they can profit from them by initiating malicious actions such as withdrawing funds, opening lines of credit, making purchases, or reselling the validated credentials to others for exploitation.
- Most people reuse the same credentials across many sites. So, once a valid username and password combination is identified, the attacker will likely try to scale their efforts by trying the same combination across other popular retail, travel, social media, bank, and e-commerce sites. This helps a cybercriminal increase the profitability of each validated credential.
Cybercriminals may employ a variety of techniques to gain access to the account of an unsuspecting user. If an attacker has a list of usernames for a targeted site, but not the passwords, they may employ a technique called password spraying in which they try a common default password, such as “Password1,” against a large number of usernames. The attacker uses the brute force of bot automation to systematically try the guessed password against as many usernames as possible until they find one that works.
If the attacker has a valid username and password combination for a targeted site, they may try to scale the attack to take over the user’s accounts on additional sites. This technique is called credential stuffing. Again, the attacker will employ the brute force of bot automation to quickly try the credentials across e-commerce, banking, travel and other popular websites in the hopes that some users have reused the same usernames and passwords for multiple sites.
For cybercriminals, account takeover is easy to do and very profitable. Bots continuously evolve to evade detection mechanisms, so account takeover attacks get through and website owners are none the wiser. Bots can mimic user behavior and hide inside a validated user session by running as malware on actual user devices.
As with many cyberattacks, financial services companies were the original targets for ATO as criminals attempted to access the funds in a user’s account or open lines of credit in the user’s name.
Today, any organization that maintains user accounts which can be exploited for profit is a potential target. This can include taking over e-commerce or travel accounts to make fraudulent purchases or cash in loyalty points. It can also include targeting business accounts such as email or network logins to gain a foothold for a larger data theft or ransomware attack.
Account takeover attacks can have severe consequences. These include:
- Stolen stored value/account balances (e.g. monetary balances, loyalty points, digital credits, airline miles, gift card balances)
- Illicit credit card use
- Fraudulent credit applications
- Distributing malware and phishing emails
- Theft of users’ stored PII
- Return fraud
- Stealing restricted content (e.g. product details, content behind paywall)
This can result in financial losses, damage to brand reputation and consumer trust, resource costs for remediation and recovery, and lawsuits and fines.
Even if the attacks take over a very small percentage of your user accounts, based on the value of the user account, the damage can be enormous. For example, theft of stored credit card numbers or loyalty points could easily net millions of dollars for the cybercriminal. And, end users are also negatively impacted by identity theft.
The speed and evolution of today’s attacks present significant challenges for businesses. Unfortunately, some of the most commonly used techniques aren’t enough to stop ATO.
- Web Application Firewalls: While web application firewalls (WAFs) help secure web servers, they are not as effective in detecting ATO attacks or triggering alerts. WAFs are largely bypassed and ignored by the latest, sophisticated bot attacks, but their prevalence has contributed to a false sense of security among website owners. Neither WAFs nor regular website logging have the sensitivity to be able to see patterns in the traffic and detect modern ATO attacks, so they go largely undetected.
- Homegrown Bot Management: Homegrown solutions use signatures and pre-configured rules and policies, such as volumetric-based and geo-based detection to stop bots. But, the efficacy of signature-based detection has declined rapidly over time. If you block traffic because of an unknown spike, you might also block real users. Signature-based systems also have a hard time dealing with hyper-distributed bot attacks.
- CAPTCHAs: Over time, the original CAPTCHAs have become easy to solve for bots equipped with image processing software. Some bots have a 90% success rate for solving CAPTCHAs. To counter the growing capabilities of bots, CAPTCHA services have gradually increased the difficulty of the challenges, ultimately escalating to visual processing challenges that are actually hard for humans to solve. At the same time, more challenging CAPTCHAs also go against a core user experience principle: make the user’s experience smoother, faster and better, not more disjointed, slower and worse.
HUMAN Account Takeover Defense combats account takeover attacks at every step of the user journey. The solution take a layered approach:
- Blocks logins with stolen credentials that are actively being used in real-world attacks, reducing your vulnerable attack surface
- Stops bot attacks at login, blocking automated credential stuffing and brute-forcing attacks in real time
- Detects suspicious behavior post-login and remediates breached accounts, no matter how the account was compromised
Account Takeover Defense stops ATO attacks with unparalleled accuracy. By combining proactive, real-time, and reactive detection methods, the solution protects digital organizations and their users from this growing threat.
What is Credential Stuffing? | Definition, Attack Types, & Solutions
What Does CAPTCHA Mean? | How CAPTCHAs Work
What is a Brute Force Attack? | Definitions, Types, & Prevention
What is Fake Account Creation? | How to Prevent It
How to Neutralize Compromised and Fake Accounts
What is Bot Mitigation? | 4 Types of Bots & Botnets | How to Stop Bots