Account takeover (ATO) attacks are on the rise and are costing individuals, businesses and organizations significant financial and reputational damage that are often difficult to recover from quickly. Criminals use stolen credentials obtained by malware and social engineering to gain sensitive information, and they’re using that data also to access website and banking accounts to transfer money, execute fraudulent transactions and bring down reputations of companies.

These attacks occur, in part, because online personal information is not always secured. And because of this, fraud-as-a-service has emerged. Cybercriminals use it to target retailers, gaming organizations, financial services and any consumer-driven enterprise. The IRS has warned users about ATO tactics and continues to remind the public about the problem.

Gaining Access to Private Data

ATO attacks target people in several ways such as hacking, phishing, vishing, check fraud, credit card fraud and mortgage refinancing fraud. Once a hacker executes a successful account takeover, he or she is in a position to use sensitive information in a variety of ways. For the most, they “own” the account until the user/vendor shuts them down.

To execute an account takeover, hackers steal usernames and passwords, along with email addresses. They accomplish this through password dumps, phishing or malware.

Common ATO Targets

Most ATO attacks are financially motivated and target these areas:

E-commerce

Services which store a user’s banking information are targets. An attacker with a compromised account can transfer money from bank accounts, purchase online goods using credit card or debit card information.

Online Currency Fraud

Any online service that’s has assets that are worth real currency is a potential target. Attacks include stealing video game credits, reward programs points, discounts and other online goodies. Examples of targets include Groupon, TeamViewer and U.K.’s National Lottery.

Spam

Spam can be used on any service that allows content, direct emails and forums to disrupt service. The activity results in monetary loss due to lack of brand reputation and trust.

Phishing

Criminals assume a compromised user’s account to launch a phishing attack directed at the user’s family, friends or social media followers. The objective is to steal more credentials, financial information or access to sensitive information.

How ATOs Are Conducted on a Large Scale

ATO-based attacks use extremely large bot collectives to crack passwords that directly protect accounts on websites. These web botnets are programmed to use a variety of attack modes to see which works best. Their mission is to confuse security solutions and make it hard to distinguish the good from the bad users that are accessing websites.

Even physical biometrics (fingerprints, retinal scans) can’t guarantee safety from a sophisticated piece of malware. Avanti Markets, for example, found this out recently. The company, which provides “micro-market” kiosks to over 1.6 million customers, was hit by malware that specifically targeted fingerprint verification functionality. By using its snack vending machines, Avanti customers may have inadvertently provided sensitive personal information to perpetrators.

What Makes It Easy for ATOs?

Account takeovers take time to set up and perpetrators look for vulnerabilities by examining websites and social media outlets they can exploit. Here’s a list of things that help facilitate ATO:

Accounts with valid email addresses

Weak passwords or the same passwords which were used on multiple sites

Using the dark web to verify if a current credit card is already compromised or stolen (for example checking a public black list)

Lack of a web application firewall (WAF) which can determine good users from bad as well as classify suspected users and monitor them

How a WAF Mitigates this Risk

A WAF detects and mitigates unauthorized access by leveraging credential or device threat intelligence. Some key features of a strong WAF solution include the ability to:

Identify and block malicious requests

Determine and classify clients as human or bots

Identify maliciously injected credentials into login portals to block credential stuffing

Block brute force attacks by monitoring session level requests where large sets of credentials are automatically inserted into login pages

Enable login protection such as Google authentication, MFA, 2FA, or by specifying login urls and authentication with SMS and email

Monitor customers for leaked credentials online

Profile credential stuffing tools and watch for evolving capabilities

ATO attacks target real people and are populated with real user information. It can be prevented by organizations that process user data when they use a solution with threat intelligence and advanced mitigation capabilities. Any questions for me? Please leave me a comment.