What is account takeover (ATO) fraud?

Recently, the number of cyber-attacks has increased, and the attackers targeting businesses have become more sophisticated. With artificial intelligence and machine learning, the attacker need not be present at the attack site or carry out the attack personally. Automated scripts (bots) conduct remote attacks while being controlled by the cybercriminal from a command and control center. Because their behaviour resembles that of a real human being, the bots are difficult to detect, which gives them time to launch attacks like credential stuffing, a precursor to account takeover.

What is an account takeover?

Commonly referred to as ATO, account takeover is a type of identity theft in which a cybercriminal uses malicious bots to access accounts that belong to a victim. Using these bots, malicious actors target lucrative industries for account takeovers. Because the bots are stealthy and mimic real human beings, the attack is difficult to distinguish from the activity of an authentic user. In addition, the bots may apply other techniques to avoid detection by the security team. This form of attack is among the most profitable for cybercriminals. The rate of account takeover attacks has spiked since 2017; in 2018, malicious login attempts reached up to 30 billion, according to a report by Akamai.

What are the industries susceptible to account takeover?

1. Social media, entertainment, and video streaming services

When taking over these accounts, the attacker aims to gain unauthorized access and use paid streaming services without spending a dime. They also sell monthly access to such accounts for profit. Social media accounts are full of data that cybercriminals can use for identity theft or monetize in various other ways. Netflix, DailyMotion, Spotify, and Facebook are among the prime targets of credential stuffing and account takeovers.

2. E-commerce and retail industries

This industry is among the top victims of ATO attacks because it has three things an attacker finds lucrative: personal information, goods and services, and money. By exploiting various vulnerabilities, malicious actors can access electronic gift cards, enabling them to transfer value, obtain information, and spend money. Because the accounts are valuable both in money and in information, this industry suffers the highest number of account takeover attacks and credential stuffing.

3. Banking and financial services

Because of their monetary value, financial institutions are a go-to target for credential stuffing and ATO attacks; collectively they control trillions of dollars. Credential theft is both a pervasive and a dangerous threat to financial services. By compromising India’s Cosmos financial systems, attackers stole $13.5 million. An account takeover can be performed by a single actor controlling the bots or by a team of people. The MoneyTaker group is suspected of having stolen millions from banks in Russia, the US, and the UK. With the help of bots and botnets, account takeover in this industry can yield a significant payday. Pension forms, payroll data, and annuities are excellent sources of credentials for use in ATO attacks.

4. Health organizations and institutions

With the increased use of connected medical devices, these institutions have come under constant attack from account takeovers, ransomware, and credential stuffing. Besides billing data, account takeover targets individuals’ medical records, which are profitable in dark web marketplaces. This data can be used to identify potential organ donors and to commit identity theft and credit card fraud. Stolen health insurance details are used to obtain free medical treatment or dental care.

Other targets include higher educational institutions, which are rich in data and where attackers can illegally obtain academic certificates or change academic grades.

How is account takeover conducted?

1. Through credential stuffing

Credential stuffing exploits the habit of using the same username and password, or other login credentials, to access multiple websites and accounts. Also known as OWASP OAT-008, it is an automated threat in which bots and botnets are used. They take credentials obtained elsewhere, such as from a data breach, and test them against a website’s or application’s authentication mechanism to validate and verify them. If the credentials are valid, the attacker uses them to perform various account takeover attacks, such as purchasing items from an e-commerce site or stealing money from a banking institution. The indicators of credential stuffing include massive numbers of login attempts using different usernames and passwords from one HTTP client.

2. Brute forcing

Also referred to as credential cracking, this is another way an attacker can perform an ATO. It is an automated threat with the codename OWASP OAT-007. In this method, dictionary, brute force, and guessing attacks are run against an application’s authentication process to arrive at valid account credentials. It may use common passwords and usernames, such as default credentials. Malicious bots are used in this technique because of their speed. The signs of a brute force attack include an increase in the number of complaints related to account hijacking and a sudden spike in failed login attempts.
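As an added example that is not part of the original article, the following Python script turns the two indicators described above into simple detection logic run over constructed sample log lines: many distinct usernames tried from one client (credential stuffing) and a spike in failed attempts against one account (credential cracking). The log format, the IP addresses, and the thresholds are assumptions for illustration.

```python
# Added example: heuristics for the two ATO indicators the article names,
# run over a constructed authentication log. Not code from the original article.
from collections import defaultdict

# Constructed sample log: timestamp, client IP, username, outcome (one line each).
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 alice FAIL
2024-01-01T10:00:02 203.0.113.7 bob FAIL
2024-01-01T10:00:02 203.0.113.7 carol FAIL
2024-01-01T10:00:03 203.0.113.7 dave SUCCESS
2024-01-01T10:00:03 203.0.113.7 erin FAIL
2024-01-01T10:00:04 203.0.113.7 frank FAIL
2024-01-01T10:00:10 198.51.100.9 victim FAIL
2024-01-01T10:00:11 198.51.100.9 victim FAIL
2024-01-01T10:00:12 198.51.100.4 victim FAIL
2024-01-01T10:00:13 198.51.100.9 victim FAIL
2024-01-01T10:00:14 198.51.100.9 victim FAIL
2024-01-01T10:00:15 198.51.100.9 victim FAIL
2024-01-01T10:01:00 192.0.2.10 alice SUCCESS
"""

def parse_log(text):
    """Parse log lines into (client, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, user, outcome = parts
        events.append((client, user, outcome == "SUCCESS"))
    return events

def detect_credential_stuffing(events, min_distinct_users=5):
    """Flag clients that try many distinct usernames: stuffing tests breached
    username/password pairs, so each attempt from the bot targets a different account."""
    users_by_client = defaultdict(set)
    for client, user, _ok in events:
        users_by_client[client].add(user)
    return {c: len(u) for c, u in users_by_client.items() if len(u) >= min_distinct_users}

def detect_brute_force(events, min_failures=5):
    """Flag usernames with many failed attempts: cracking hammers one account with
    many password guesses, producing a spike in failures for that user."""
    failures = defaultdict(int)
    for _client, user, ok in events:
        if not ok:
            failures[user] += 1
    return {u: n for u, n in failures.items() if n >= min_failures}
```

Real deployments would evaluate these counts per time window and correlate with the other signals the article mentions, such as account hijacking complaints.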

3. Man-In-the-Middle attacks

In MITM attacks, attackers or bots position themselves between two endpoints, for example between the victim and a financial institution, or between a user and a health insurance website. The aim is to intercept communication packets, edit them, and send and receive responses without either party noticing. For instance, by setting up a malicious Wi-Fi network, an attacker can eavesdrop on the communications between a victim’s device and the bank’s server when the victim connects to that Wi-Fi. Such networks have innocuous names like “Enjoy Public Coffee” that lure unsuspecting victims to connect. The attacker then uses the captured information to launch an ATO attack on other accounts belonging to the victim if they have used the same credentials.

Other methods include malware, SIM card swapping, and phishing.

Take Away

As seen above, account takeover attacks can affect almost anyone, because most people have a bank account, health insurance, or mobile phone connectivity, or were at some point students. Therefore, it is necessary to take measures to protect your information. Use a unique password for each account you sign up for online; that way, if one account is compromised, the others are not exposed to an all-out attack. Affected institutions should also put measures in place to identify ATOs, mitigate them, and stop them before they harm information or customers. An anti-bot solution like DataDome is effective in thwarting ATO and other malicious bot activities.
