Account Takeover (ATO) is an identity theft and fraud method in which attackers obtain a user’s credentials and take control of the account. The hijacked accounts are then abused for financial gain. ATO methods include phishing, social engineering, brute force attacks and credential stuffing. This blog post explains why cyber-criminals take over accounts, describes the main types of account takeover and explains what you can do to prevent them in your organization.
Why do Fraudsters Attack and Take Over Accounts?
Online thieves who take over accounts through scams and account abuse gain several benefits:
Financial Profit from Account Takeovers and Identity Theft
Cyber-criminals usually use the victim’s personal data and PII for financial gain. The attackers access credit card information, bank accounts, e-commerce or financial accounts, and more. They can then transfer funds to themselves, make purchases, or pose as the victim to request money from others. By 2023, online payment fraud losses from eCommerce, money transfer and banking services, and airline ticketing are expected to reach $48 billion.
Perpetrators also sell user information online, on the dark web or even on the public internet, and make a hefty profit. Prices range from a few dollars to dozens of dollars or more per user.
Political Profit from Account Takeovers and Identity Theft
Sometimes, account takeovers are used by individuals or groups to promote their desired political outcomes. One of the most prominent global examples of our times is “Fancy Bear”, a group assumed to be sponsored by the Russian government, which has used account takeover techniques such as phishing to influence election results and political decisions around the world.
Additional account takeover benefits include wreaking havoc in systems and businesses, gaining a sense of power and control, and revenge.
4 Account Takeover and Identity Theft Methods
There are four main methods of Account Takeover:
1. Phishing Scams
Phishing is a method that uses deception to obtain user credentials. The attacker poses as a reputable and trustworthy entity, typically through fake accounts, and tricks the victim into handing over sensitive information. This includes usernames and passwords, credit card details, bank information and more.
Phishing is usually performed via email, chat or text message. The user is asked to fill in their credentials under some pretext, often by scaring them into believing their information has already been stolen. The message includes a deceptive link that leads to a malicious copy of the real website it claims to be. The victim enters their real credentials and data, which go straight into the hands of the attacker, who then uses them for their own advantage.
Types of phishing include:
Mass phishing - targeted at a large number of people
Spear phishing - targeted at specific individuals or companies and is based on more personal information
Whaling - targeted at high-ranking executives
Clone phishing - a nearly identical copy of a real, legitimate message
Vishing and Smishing - phishing over the phone or via SMS
Catphishing - phishing by creating a fake social identity
2. Social Engineering
Social engineering is an account takeover method that uses psychological manipulation to get users to give up their personal details voluntarily. It is based on first gaining the user’s trust and then exploiting it.
Phishing is a type of social engineering. Additional types include:
Pretexting - where the user is asked to provide personal data such as date of birth or addresses, supposedly to confirm their identity. Attackers use this data to guess passwords and usernames.
Scareware - deception software like pop-up banners that frighten the user into downloading malicious software
DNS Spoofing - manipulating DNS resolution so that the browser is redirected to a malicious website
A recent example of social engineering was the takeover of Bill Gates’s, Elon Musk’s and Obama’s Twitter accounts, which were used to ask followers for money and resulted in transfers to bitcoin wallets probably owned by the fraudsters.
3. Brute Force
Brute force attacks occur when perpetrators systematically submit and check a very large number of usernames and passwords in the hope of finding a correct combination. Hackers use automated tools and bots to generate lists of candidate usernames and passwords and then submit them against the system automatically. Out of hundreds of thousands of combinations, the success rate is often quite high: between 1%-10%.
Brute force attack types include:
Dictionary attacks - The attacker uses a list of commonly used passwords
Hybrid brute force attacks - brute-forcing additional combinations on top of the dictionary list
Reverse brute force attacks - attempting to find a username against a common password
4. Credential Stuffing
Credential stuffing is also a type of brute force attack. However, instead of guessing, cyber-criminals base their attacks on stolen or leaked lists of usernames and passwords.
Unfortunately, data breaches occur on a regular basis and credentials leak out regularly. While users might change their passwords after such a leak, they will probably not change them on other websites where they have reused the same passwords. Thus, attackers use lists leaked from one system to break into other, more valuable systems.
Leaked databases can be purchased online, on the dark web or on the public internet. They come in two forms:
Stolen databases sold in bulk - the buyer then uses bots to try the credentials out.
Credentials tried and tested by humans - the credentials are tested one by one, and successful combinations are sold for a higher price of $10-$30 per user.
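The brute force and credential stuffing attacks described above leave different shapes in an authentication log: many failures for one account from one source, one source trying many accounts once each, or one account hit slowly from many sources. As an added example (not code from the original post), the detection logic below classifies a constructed sample log into those three shapes; the log format, thresholds and names are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice ip=203.0.113.5 result=FAIL
2024-05-01T10:00:02Z user=alice ip=203.0.113.5 result=FAIL
2024-05-01T10:00:03Z user=alice ip=203.0.113.5 result=FAIL
2024-05-01T10:00:04Z user=alice ip=203.0.113.5 result=FAIL
2024-05-01T10:01:00Z user=bob ip=198.51.100.7 result=FAIL
2024-05-01T10:01:01Z user=carol ip=198.51.100.7 result=FAIL
2024-05-01T10:01:02Z user=dave ip=198.51.100.7 result=OK
2024-05-01T10:02:00Z user=frank ip=192.0.2.10 result=FAIL
2024-05-01T10:07:00Z user=frank ip=192.0.2.11 result=FAIL
2024-05-01T10:12:00Z user=frank ip=192.0.2.12 result=FAIL
"""

def parse_log(text):
    """Return (user, ip, success) tuples; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        if all(k in fields for k in ("user", "ip", "result")):
            events.append((fields["user"], fields["ip"], fields["result"] == "OK"))
    return events

def classify(events, fail_threshold=4, user_threshold=3, ip_threshold=3):
    """Label the attack shapes described above from aggregate login counts."""
    fails_by_pair = defaultdict(int)  # brute force: one account, one source, many tries
    users_by_ip = defaultdict(set)    # credential stuffing: one source, many accounts
    ips_by_user = defaultdict(set)    # low-and-slow: one account spread over many sources
    ok_by_ip = defaultdict(set)       # a success from a stuffing source is the actual takeover
    for user, ip, ok in events:
        if ok:
            ok_by_ip[ip].add(user)
            continue
        fails_by_pair[(user, ip)] += 1
        users_by_ip[ip].add(user)
        ips_by_user[user].add(ip)
    alerts = []
    for (user, ip), n in fails_by_pair.items():
        if n >= fail_threshold:
            alerts.append(("brute_force", user, ip))
    for ip, users in users_by_ip.items():
        users = users | ok_by_ip[ip]  # the credential that worked was tried from the same source
        if len(users) >= user_threshold and max(fails_by_pair[(u, ip)] for u in users) < fail_threshold:
            alerts.append(("credential_stuffing", ip, sorted(ok_by_ip[ip])))
    for user, ips in ips_by_user.items():
        if len(ips) >= ip_threshold:
            alerts.append(("distributed_brute_force", user, len(ips)))
    return sorted(alerts)
```

The credential stuffing alert carries the accounts that were successfully logged into from the flagged source, since those are the ones that need a forced password reset rather than just a blocked IP.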
But not all is doomed. Now that we have covered the account takeover types, let’s see how we can prevent them.
7 Account Takeover Prevention Methods
There are 7 main account takeover prevention methods to prevent identity theft.
1. Two-factor Authentication or 2FA
A confirmation method that requires two independent factors from the user for authentication. Factors include passwords, tokens, biometric information and location data.
While this is the safest method for companies, it is also a challenge because it creates friction for users and reduces conversion rates.
2. WAFs - Web Application Firewalls
A firewall that filters and blocks attacks and malicious activity in incoming traffic, and can also inspect data leaving the system. WAFs protect the application layer and operate based on customized policies and rate limiting.
However, WAFs can be “tricked” into allowing account takeovers through “low and slow” attacks, or attacks that are distributed across multiple IPs so that no single source exceeds the rate limit. In addition, WAFs are less effective when employees are working from home.
3. Employee Education
Human behavior is an important prevention method that should not be overlooked. Educate your employees to question emails and messages that ask for their personal data, to use different passwords on different websites, and to be suspicious when they are told that their account has been hacked.
4. Security Questions
Some companies, like Apple, require users to answer security questions to log in, in addition to their credentials. This is an effective method, but it creates high friction for the user.
5. Bot Protection
Bot-protection services automatically determine whether the user logging in is a bot, and block malicious bots. When such a solution suspects that the user is a bot, it usually requires the user to solve a CAPTCHA, and solving it grants the user a grace period in which to operate. However, there are now services that solve CAPTCHAs as a service. Bot mitigation is also not effective when an attack is partially performed by humans.
6. AI Detection
A method used by UEBA (User and Entity Behaviour Analytics) products, which discover hidden patterns using ML/AI techniques. However, this method is typically used within SIM tools and is unable to provide real-time protection.
7. End-to-end Customer Journey Protection
Attacks are constantly developing and evolving, and attackers are becoming more sophisticated. Therefore, the best prevention approach is to proactively analyze user behaviour inside apps and systems and block compromised accounts. For example, alert when a user suddenly sends data outside the system, signs in from an atypical location, or attempts to log in multiple times in a row.
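As an added example (not code from the original post or from any product), the scorer below applies the three signals just listed to a constructed session for one user against a constructed per-user baseline: repeated login failures, a successful sign-in from a country the user has never used, and a data export far above the user’s usual volume. The event format, baseline shape and thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed per-user baseline, as a behaviour-analytics product might learn it (not real data).
BASELINE = {"alice": {"countries": {"DE", "AT"}, "avg_export_mb": 5.0}}

# Constructed session events for alice after the baseline was learned.
EVENTS = [
    {"ts": "2024-05-02T08:00:00Z", "user": "alice", "kind": "login_fail", "country": "DE"},
    {"ts": "2024-05-02T08:00:30Z", "user": "alice", "kind": "login_fail", "country": "DE"},
    {"ts": "2024-05-02T08:01:00Z", "user": "alice", "kind": "login_fail", "country": "DE"},
    {"ts": "2024-05-02T08:01:20Z", "user": "alice", "kind": "login_ok", "country": "BR"},
    {"ts": "2024-05-02T08:05:00Z", "user": "alice", "kind": "export", "mb": 120.0},
    {"ts": "2024-05-02T09:00:00Z", "user": "alice", "kind": "login_ok", "country": "AT"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def score_session(events, baseline, window=timedelta(minutes=10), fail_limit=3, export_factor=10):
    """Return (timestamp, user, signal) alerts for repeated failures, an atypical
    location, a success right after a failure streak, and unusual outbound data."""
    alerts = []
    recent_fails = {}  # user -> timestamps of failed logins still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], parse_ts(ev["ts"])
        # A user with no baseline has everything counted as new, which is the safe default.
        profile = baseline.get(user, {"countries": set(), "avg_export_mb": 0.0})
        fails = [t for t in recent_fails.get(user, []) if ts - t <= window]
        if ev["kind"] == "login_fail":
            fails.append(ts)
            if len(fails) >= fail_limit:
                alerts.append((ev["ts"], user, "repeated_login_failures"))
        elif ev["kind"] == "login_ok":
            if ev["country"] not in profile["countries"]:
                alerts.append((ev["ts"], user, "atypical_location"))
            if len(fails) >= fail_limit:
                alerts.append((ev["ts"], user, "success_after_failures"))
            fails = []  # a success closes the failure streak
        elif ev["kind"] == "export":
            if ev["mb"] > export_factor * profile["avg_export_mb"]:
                alerts.append((ev["ts"], user, "unusual_data_export"))
        recent_fails[user] = fails
    return alerts
```

The combination of a success immediately after a failure streak, from a new country, followed by a large export is the journey this section is describing; any one signal alone is only a hint, so a real deployment would weight them rather than alert on each.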