Overview of Climate Fostering ATOs

Living in an era of data privacy dystopia, having an online presence comes with the direct opportunity cost of “being pwned”. In a data black market fueled by both legitimate and illegitimate players, cybercriminals not only transact amongst themselves but also with large corporations for stolen data, along with insurance companies contributing to unofficially abet ransomware attacks as a player in the market.

As a matter of fact, the number of data breaches as well as the average cost of a data breach perpetuates. Having to self-regulate in the ever-expanding field of cybersecurity, the obscurity of privacy interpretations and awareness causes tech leaders to opt for biometrics as the primary authentication method while retiring the traditional password-based user logins, despite public satisfaction with using passwords. The misperception lies in the fact that, with opting for biometric authentication instead of passwords, users gain the ultimate blend of user experience (UX) and security. However, biometrics supported authentication methods don't always manifest as foolproof or user-friendly.

In light of the above, public trust in technological business has diminished, which is subsequently reflected upon those businesses financially. This situation is charged by the new dynamic challenges such as data access rights exploits brought by the adoption of privacy laws and regulations.

The Official Definition of ATO

"An account takeover can happen when a fraudster or computer criminal poses as a genuine customer, gains control of an account and then makes unauthorized transactions. Any account could be taken over by criminals, including bank, credit card, email, and other service providers. Online banking accounts are usually taken over as a result of phishing, spyware or malware scams. This is a form of internet crime or computer crime." - ActionFraud a service provided by City of London Police.

Key Figures Illustrating the Magnitude of Account Takeovers Currently

“Account takeover placed among the top three types of fraud reported from a whole 96% fraud attack reported by eCommerce businesses.” - MRC 2019 Global Fraud Survey

“89% of executives at financial institutions said that account takeover fraud is the most common cause of losses in their digital channels” - Aite Group

“Account takeover accounted for $4 billion in losses last year, which was slightly down from the year prior ($5.1 billion), but was up significantly when compared to data in recent years.” Javelin Strategy & Research

“The large majority of compromised accounts are in a dormant state...65% of these accounts belong to users that have not logged in for more than 90 days, and 80% of these accounts belong to users that have not logged in for more than 30 days.” - DataVisor

“29% of breaches involved use of stolen credentials.” - Verizon Data Breach Incident Report 2019

Role of Credential Stuffing in Automated ATO attacks

Criminals gather billions of login credentials via data breaches occurring in the low profile websites. With credential stuffing, they then exploit the tendency of people reusing the same password and username combination even of higher-profile websites. The repeated use of the passwords increases users’ likelihood of having their credentials already existing within the already-breached ‘combo lists’ (e.g. "Collection #1-#5"). With free services at the disposal of the criminals such as people search to gather user credentials as well as tools utilizing combo lists to automate the credential stuffing attacks, criminals can streamline the data breach, thus the account takeovers (ATO) with higher success rate.

“From January 2018 through June 2019, more than 61 billion credential stuffing attempts” — Akamai, State of the Internet

In short, combined with the user propensity of using the same password on a myriad of platforms no matter if it is high or low profile, many websites accepting email address/phone number as a valid/alternative username simplifies the attack even further for the criminal: one username with a repeatable set of passwords for all the accounts belonging to the victim.

The two main types of threat posing credential stuffing attacks are coordinated mass-scale automated threat attacks based on sophisticated techniques and targeted attacks. While preventative measures exist for the common user against the former type of attacks, it is very limited what a less tech-savvy user lacking cybersecurity awareness can do to hinder being the victim of the latter type of attacks. In spite of the fact that mass-scale automated threat attacks may usually be avoided by users enabling two-factor authentication (2FA) on their accounts, this is not as vastly adopted by users as commonly believed. Even for the services such as e-mail accounts storing data of utmost sensitivity with integrations to various other 3rd party platforms/services, 2FA is not mandated upon users. According to the reports, amongst over 1.5 billion active Gmail users, 90% do not have 2FA enabled. Even though Financial institutions (FIs) accounts are perceived as the most important type of account to secure for users based on surveys, FIs still facilitate credential stuffing attacks by not enforcing the usage of 2FA upon the account access.

Due to the continuous dilemma of keeping a safe balance between UX versus security, firms opt to serve 2FA as a recommended option rather than imposing it upon the users as a mandatory practice. However, not enforcing 2FA from the start leads into additional authentication layers (ie. static and dynamic knowledge-based questions and more), thus halts the user experience at later steps. Nevertheless, all the above-mentioned authentication controls can be bypassed by the criminals, which will be examined later on in this series.

Cybercrime as an Industry- Status Quo

Cybercrime industry, although illegitimate, still operates accordingly with the base principles of keeping any business afloat, which is to attain and preserve a positive return of investment (ROI). Thereupon with the continuous growth of the target group referred to as client pool combined with the internet users’ lack of password hygiene awareness, the cybercrime industry offers many opportunities to capitalize on, which will usher the criminals to minimize the cost for the successful attacks. As a matter of fact, this creates a tech competition between the criminals technology evangelists and entrepreneurs and the cybersecurity industry, where criminals adopt emerging technologies and develop advanced automation for the attacks and new methods/tactics to bypass security measures, while the cost of implementing and adjusting security measures against cybercrime perpetuates.

Impact of the Growth of Targeted Population on Criminal Strategies

Amongst the rising human population of 7.75 billion people, the number of internet users increased from 2.4 billion to 4.54 billion since 2014. Bearing in mind that of those 4.54 billion, 3.76 billion used mobile and web payment methods for products and services, credential stuffing attacks present a lucrative option for criminals as manifested by the pertaining data. Only within the first quarter of 2019, 281 data breaches exposing more than 4.53 billion records were recorded, while 1m usernames and passwords are reported spilled or stolen daily.

Different demographic groups of internet users manifest online behavioral patterns specific to their demographic group hence presenting distinct vulnerabilities for criminals to take advantage of Identifying the target clients via client pool segmentation based on their key weaknesses and their associated financial stats, not only not optimizes the ROI of the credential stuffing attacks for criminals (highest revenue for the effort and time invested). It would be worthwhile to note that the age-based segmentation of the client pool depicts the proclivities of the behavior patterns of millennials and seniors to the attackers.

“Criminals Steal $37 Billion a Year from America’s Elderly” - Bloomberg

In reference to the above, looking further into the general behavior patterns of different segments of the targeted population or client pool is invaluable before diving into attack techniques. According to the reports, a standard user with an average of 90 online accounts requiring passwords, repeat uses the same passwords 4-6 times. When required to update, 68% of the users only tweak their previous password slightly, besides the majority of users still rely on their memory to remember their passwords. On the other end of the spectrum, securing the account credentials using password managers also does possess certain vulnerabilities, creating a single point of compromise.

Criminals predominantly use automation for credential stuffing by the means of tools known as bad bots, hence avoiding manual work that requires the usage of evasive stealth methods to evade innovative iterations of preventive and detective controls used by organizations to protect assets. Bots are software programs operating online to perform repetitive tasks. While constituting 20.4% of the total website traffic, only 21.1% of them are categorized to be the sophisticated type also known as All-in-One (AIO) applications. Notable tools used by criminals are “SNIPR” ($20), STORM, MailRanger, SentryMBA. Although the market competition amongst hackers provokes other hackers to reverse-engineer the existing tools to optimize the flaws and release the cracked or pirated versions back into the market. We should bear in mind that even legitimate tools are utilized by criminals as “access checkers” such as OpenBullet. Such tools are renowned with their strong support community using uploaded configuration files programmed to generate sequenced API calls and/or automate browsing process using script languages (e.g. PhantomJS, trifleJS and others) with the usage of browser emulation libraries (Puppeteer, Selenium, etc) or just with the use of tools (e.g browser automation studio).

Criminal Adoption of Innovation

Despite the abundance of community support for traditional, manual and arduous attack techniques found for a range of prices offered in web forums hosted on bulletproof servers that are resilient to being shut down, criminals consistently endeavor to maximize the capabilities of the latest automation techniques with the growing community support on contemporary, detection resilient instant messaging groups (i.e. “Dark Work’') or even on legitimate freelancer and mechanical turks platforms. Supplemented by infamously recognized collaboration and information-sharing amongst criminals, the adoption of the latest automated techniques has been ousting the aforementioned laborious human tasks while adding further layers of sophistication for superior and speedier results utilizing AI-enhanced systems to elevate bad bots to beyond the level 2 automation.

Bad bots are highly sophisticated automated robots devised to function in still stealth mode and mimic behaviors via their built-in deception and evasion capabilities that help to surpass detective and preventive security controls. With the use of rotating VPN, secure VPS, RDP servers or residential, secure and other clean proxies, the location of the targeted victim can be simulated with a 5-mile precision. Furthermore, bad bots evade anti-fraud control measures with the help of a digital mask containing not only unique behaviors of the victim (e.g. tap touchscreen frequency) and browsing patterns (e.g. screentime or fields of user interest) but also the victim’s device fingerprint (e.g device ID, OS version) using doppelgangers.

The development of the above countermeasures to evade bot detection controls like Google’s reCaptcha and other traditional controls that once required human involvement verifies the advantageous nature of such advanced bots for credential stuffing attacks. Even the case of the bot maxing out the number of login attempts, triggering a lock-out challenge/condition or generating suspicious activity causing account lockout can pose a revenue stream for the criminals. Receiving notifications at their back-office once an account is locked out enables the criminals to initiate the second and third layers of ATO attacks immediately. Usually, swiftly after the failure of the second layer attacks (e.g abuse recovery options), the third layer of attacks commence by sending the victim's account details to a pseudo support center (will be examined deeper in a separate article) to pseudo “alert” the victim of the locked out account. This is conducted to escort the victim to give remote access to his/her account, to unlock the account or even to share the details received in an email or SMS to reset their passwords per request, hence resulting in an ATO. As a matter of fact, criminals manage to turn the tables in their favor in spite of the roadblocks they encounter.

Criminal Leveraging of Alert Fatigue

More than half of global corporations are estimated neither ready nor prepared to handle a large scale cyber attack, lacking highly skilled cybersecurity staff let alone a cybersecurity lead; ergo creating the circumstances for the illegitimate cybercrime industry to flourish by legitimate players in the market.

Based on internet traffic, bad bots can be considered the permanent residents of the digital world with just one step away from being official dominant digital citizens. While for detection avoidance, the bad bots are developed to stay in stealth mode during credential stuffing attacks by replicating any good red team operation, being empowered with AI automation capabilities equips them with the art of storytelling as has been observed lately in automated breach and attack simulation (BAS) solutions.

With the deception created by storytelling, bad bots’ activity may be perceived as “white noise” and tagged as false positive alerts amongst 50% of the reported alerts, non-priority alert or under scoped incidents from the overwhelming 25K daily events that can last for several days on average by SecOps analysts. Bearing in mind the daily average of 20 alerts each with the duration of 20 mins for analysts to investigate as well as the limited training of 20 hours annually they receive, analysts’ wasting over half of their day looking for problems that are either insignificant or not really problems at all is inevitable. Akin to the domino effect, the waste of resources impairs the KPIs and eventually benefits criminals.

“50,000 Unique IP Addresses Make Credential Stuffing Attempts on Daily Basis” — Auth0

“Using 14 days of data, we observed 21,962,978 login attempts; of those, 33% (7,379,074) represented failed logins.” - Akamai

Cashing-in on an ATO

Cunningly mimicking the victims’ footprints and the patterns in their account while avoiding having the security and fraud safeguards invoked in a successful credential stuffing attack, criminals amass critical account information that they can opt to consume in different ways for ATO. They could be the sole owner of the account to impede other criminals’ accessibility by changing the victim's credentials; ergo locking the victim out of his own account. Nonetheless, by keeping the credentials as is, the criminal may lurk as the temporary co-owner of the account, while familiarizing himself with the victim via DSR exploits (later can be sold), preparing a reliable pretext for a strike. At the end of the nesting period, in other words, once the account is "mature" enough with proper gathered authorizations and verifications to make high-risk actions from the owner of the account, the criminal exploits those information by increasing the victims’ credit card limits or extending their credit line, taking unsecured loans and making wire transfers and ACH payments. Nevertheless, with the nesting period of co-ownership of the account comes the risks of being targeted by the rival criminals, hence the risk of losing the ATO all together with the time and resources invested. Last but not least is the utilization of the ATO to act as a mule account for different purposes, such as money drop to serve as a redirector/bouncing account that gets the account holder for up to 20% commission. The commission charges change if the money mule is managed by a money herder to attract more drops. And of course, there is also the option in some cases to hold the account as ransom or just sell the account credentials (aka “log”) with full collected information of the victim (aka fullz).

“The bank usernames and passwords are not as important as the fullz and here is why. With a bank username and password by itself you can’t do very much, but with fullz records you can CREATE NEW bank usernames and passwords that will match whatever IP/Browser Agent you are using. So think of the fullz as the master key to fraud...With all this info you can do each transfers of 10k or more, open brand new 15,000 USD and up credit cards, open up fresh bank accounts for quick internal transfers, and way more...” — Cybercriminal explaining

ATO Pricing and Selling

Prior to monetizing an ATO, deep evaluation of the account characteristics i.e account balance, victim’s age, confirmed payments, victim’s financial history such as credit score and other aggregated transaction information is conducted by the criminals to determine the overall worth of the account. With the development and adoption of predictive algorithms (e.g criminal FICO) and social credit algorithms, the breadth of such elements is vast and inestimable, ergo making the account pricing complex and tricky. Because the account credentials are packaged with equally complex to price digital doppelgangers and required proxies associated with the given account credentials. Therefore, considering the diversity of the types of accounts (loyalty and rewards, OTT, digital intangibles, financial accounts, etc) and their idiosyncratic characteristics, it is crucial for the criminals to meticulously calculate the tag price of the accounts.

Selling credentials can be done in a variety of ways. One, which often requires a commissioned escrow service (e.g. middleman services), is transacting with a broker who provides credentials on-demand or as a subscription service. Thereupon the broker provides his fellow criminal subscribers with updated credential combo lists regularly for a periodic fee. Having the escrow as an intermediary, not only ensures the security of the money transfer between the criminals but also the functionality of the provided credentials. Furthermore, they also provide additional services like sorting information that was dumped to 'drop-zones' by information-stealing malware to fetch the relevant credentials and verifying the quality of data prior to the transactions with brokers.

Additionally, platforms like Telegram as well as dedicated “Account Shop” marketplaces with professional customer service providing quality assurance against defective batches for a commission of 10-15% of the asking price serve as facilitators for the criminals. Another option is selling via the digital intangible storefronts i.e Shoppy, Selly, Deer.io for a minimal monthly cost of $11. Some storefront platforms can even be embedded directly within the very visible surface web forums (e.g. RaidForums, Ogusers, Cracked) with very easy to use payment gateways and integrated crypto-wallets using privacy coins (e.g. Monero), BTC or other payments processors (e.g. PayPal and others).

“Many accounts compromised via credential stuffing will sell for as little as $3.25 USD. These accounts come with a warranty: If the credentials don’t work once sold, they can be replaced at no cost” — Akamai, 2019

Cashing-out

In order to cash out the funds deposited into criminals’ drop accounts, criminals need to be equipped with the understanding of regional and international legal, regulatory and operational measures set to combat money laundering and other related threats. For instance, with the introduction of the PATRIOT Act, compliance with the AML/KYC regulations has been extended beyond the institutions to standard citizens consuming financial services. It serves as the de facto counterproductive measure as the personal KYC data can be traded and used for identity theft in event of a breach. Despite the prior existence of KYC/AML regulations, attacks on U.S. soil gave the government a pretext to implement the PATRIOT act. Terrorism funding was the underlying reason that the governments track the trail of money was moving throughout the world.

In spite of the meticulousness, if criminals follow the static restrictions(i.e avoiding transactions above $10,000), they still bear the possibility of being issued a suspicious activity report (SAR) to challenge the cashing out process. Criminals, and especially organized cyber-gangs, have the resources and specialists with acute comprehension of the payments infrastructure to devise a vigilant cashing out strategy to avoid any hindrances that may tamper with the withdrawal.

Supplementary Services for ATOs

Having the end to end process of credentials stuffing and the cashing out expounded, it is noteworthy to cover the additional capabilities of bad bots supplementing cybercrime business especially when the gathered accounts are “burned”, prompting the criminals to shift to “plan B”. Due to the imperativeness of manual time-consuming efforts to reopen accounts and reload the content, criminals need to have in advance groundwork made to swiftly shift to ‘plan B’ without raising any security flags.

Prior to opening a new account, criminals need to have the synthetic identities (aka Frankenstein IDs and ghost profiles) and digital twins backed with original data assembled in addition to the forged hard and soft documents to satisfy KYC and/or identity-proofing processes to establish the legitimacy of the pseudo account. Nonetheless, successful account creation is only the preliminary stage for the criminals as subsequently they need to initiate the process of ‘aging’ the account. “Aging'' an account refers to creating a sense of maturity of an active account by usually creating false transactions and activity, while mimicking human behavioral patterns to avert being flagged for potential fraud. Such preparations usually require relatively complex automation techniques as in some cases criminals will need to create other providers’ accounts even to get a new VCC (virtual credit card) or accounts in neobanks just for account validation and verification purposes. It is noteworthy to mention that, there exists a multitude of supplementary, complementary services (proxies, accounts, and servers) as well as facilitators providing special services to aid the criminals, specifically for creating synthetic business accounts to establish a presence (i.e website, forms of payment, and mail drops).

The hacker who allegedly cracks PayPal accounts says that while he’s been banned “quite a few times,” he’s able to boot up his storefront with a temporary email address and a new username in “five minutes.” — Luke Winkie

In a constantly growing industry of bad bots, the scale of operations of bad bots extends beyond ATOs and validity checks of those accounts to providing on-demand services, sales bolstering, post review improvement services and many other types of ad-fraud (forecasted size of $29 billion by 2021). Moreover, the bad bot centers enable a solid proxy ground for account setup, management, and control of those in different platforms for mass scams like scalping and copping while creating a barricade against shutdowns.

Of the industries with a major prevalence of mass adoption of credential stuffing powered bad bot services are travel, retail, entertainment industry, and social media. For criminal monetization in social media, criminals strive to compromise high-profile accounts of “legitimized” influencers, officials and celebrities and thought leaders through ‘wetware’ exploitation to inflate the price of cryptocurrencies; amplification pump and dump stock schemes, cognitive mind hacks, trust-trading scams, promotion copycat and fake apps or crafted phishing links enabling mass ATO.

An auxiliary income stream of bots for criminals is observed in the publicly consumed on-demand service industry. With public seeking to enhance the sense authenticity via social proofing (including social verification and validation) of their sockpuppet, impostor, cyborg, “doubleswitched” accounts as well as influencer accounts (costing an estimate of $1.3 billion), the demand for service providers of undetectable toxic user-generated content (UGC), fabricated followers, likes, reviews, and comments are in ascent. These activities originated by the account control centers (i.e troll farms and click farms utilizing physical devices and device emulators) depict the pervasiveness of the use of bad bots as a service. Last but not least, it is worth mentioning the presence of such offerings extending beyond online to public places with an example of automated vending machines selling Instagram and Vkontakte likes and followers (50 rubles / ±$0.9 per 100 likes).

“Facebook has been lying to the public about the scale of its problem with fake accounts, which likely exceed 50% of its network.” — PlainSite Report

“Spending 300 EUR, we bought 3,530 comments, 25,750 likes, 20,000 views, and 5,100 followers” - NATO

Cross Accounts ATOs

Rising adoption of delegated authentication services (e.g. “Log in with Twitter”) by businesses to provide the users with smoother authentication experience without the registration hurdle also serves as a facilitator for credential stuffing, ergo benefits criminals. Bearing in mind the user tendency of interlinking different platform accounts (e.g.cross platform login), once the criminal attains the ATO of one the interlinked accounts, cross-ATO of the remaining accounts through the compromised one becomes straightforward. This phenomenon presents a greater threat with the perpetually rising adoption of “all accounts in one place” aggregators using different connection methods, assistant applications, and open banking through third-party trusted companies (e.g. Fintechs with disparate customer data protection approaches that lack the stringent standards and regulations banks are subjected to), hence widening the attack surface for the criminals. Therefore, criminals are presented with an open playground to conduct sophisticated, second layer credential stuffing attacks such as, via a compromised account in the main superapp which facilitates accessibility to integrated third-party service applications (e.g in-app web-apps and mini-programs).

The increasing prevalence of daily platforms such as gaming, social, and communication apps with integrated third party services prompts criminals to seek novel attack techniques. Considering “everything commerce” revenue diversification strategies companies lead hinging on proliferation of digital channels, new business opportunities without thorough consideration of the ease of users’ digital engagement and adoption of yet unified omnichannel real-time authentication approach all of their cross-channel logins, pose a persistent lucrative avenue for criminals.

It is noteworthy to mention the continuous studies creating smarter credential stuffing attacks, one of which is on credential tweaking attack with a success rate of 16% of ATOs in less than 1000 guesses using deep learning techniques.

Conclusion and Recommendations

Having discussed the end-to-end process of automated ATO attacks in a thriving industry of cybercrime, as well as the repercussions of the attacks on businesses and public, we should consider the below measures to address the issue;

It is crucial to tailor user authentication experience as a continuous process with fit-for-purpose authentication factors to combat ATO attacks. Therefore, to provide the clients with the ultimate frictionless experience throughout the user journeys, we should comprehend the pros and cons of different structures and how to combine the 3 types of MFAs in a continuous, adaptive and rotative authentication process. Optimizing the MFA structure requires a focus on prioritizing UX, while minimizing the security risks; adopting a structure fit for the respective business flows and requirements. Therefore, it is essential to avoid akin MFA processes of other resembling businesses, imposed use of existing or common (eg. biometrics authentication) MFA solutions and default/assumption based authentication methods; as they not only pose cost ineffective but also lead into higher abandonment rates with users struggling to pass the authentication challenges. While bearing in mind the pitfalls of the MFA methods, when adapted vigilantly per business needs and users profiles, it presents a barrier against robotic and manual attacks; rendering robots disoriented in their attempts to adopt the authentication structure and presenting a time-consuming challenge for the attackers. However, one cannot say it is a foolproof obstruction against automated and targeted ATO attacks, considering the sophisticated detection evasion techniques some employ. This necessitates us to adopt a proactive approach (e.g task-driven threat hunting) and establish collaboration amongst UI/UX developers, software engineers, and pentesters; which will remediate the aforementioned cybersecurity skill shortage as a secondary outcome. Moreover, we need to adopt deception techniques e.g using previously used user credentials as honeytokens and distributing honey identities rather than highly relying on non-human-session hindering solutions, lockout policies, and CAPTCHA type controls which are overall futile endeavors but also can give a false sense of security and be counterproductive. The detrimental nature of such controls can be observed in the efficacy of the lockout policies where users are locked out of their accounts after several login attempts. Prompting the users to go self-service unlock procedures both redundantly burdens the SecOp analysts, diverting them from tackling what is crucial (alert fatigue conundrum) and increasing the staff overhead for the business, as well as detering the user and enabling criminals.

Fundamentally, the favoritism towards the controversial “assume breach” mentality with “when, not if” attitude to avert cyberattacks may obscure the focus on what is crucial to protect for us. Alternatively, we should be cognizant of the potential gaps and threats through data-driven scrutinization of our existing deployed point solutions to effectively mitigate those gaps and threats, while avoiding solely “gut feeling” oriented decision making. In order to devise believable attack models and realistic views of our risk posture, embracing a high-value threat data and intelligence-driven decision making, tailored for specific business objectives is essential. Combined with a focused investment approach to implement enhanced interconnection across the security layers, we would acquire a bespoke understanding of what and why to prioritize, thus addressing the root causes of the threats.

As discussed in the article, one of the most critical catalysts of the automated ATO attacks is the users’ tendency of repeating passwords on different platform accounts. In order to grant them the proper cybersecurity awareness, it is the liability of the technology companies towards the public to avoid bias in their published statements, surveys, and research reports. Implausible and deceptive statements such as “multi-factor authentication blocks 99.9% of account hacks” have been diminishing the public trust as the perils of such are revealed. Likewise, encouraging the use of password managers, without creating awareness on the trade-offs of using one, impairs the public confidence. Hence, it is essential to acquaint the public with the awareness to secure their high-value accounts with sufficiently complex and unique passwords (e.g. refraining from walking passwords) rather than password managers as well as the awareness to monitor their accounts’ breach status by using lookup services. On the other hand, tech companies should adopt a standard of password requirement policies to contribute to public awareness.

Authors: Tal Eliyahu (@Eliyahu_Tal_) and Begum Calguner (@BCalguner).

Disclaimer: Please note that the views and opinions expressed in this article are solely my own and do not express the views or opinions of my employer.