Account takeover (ATO) attacks are on the rise. According to a Kaspersky Fraud Prevention report, one in two fraudulent transactions in the financial industry during 2020 was an ATO. Sift, a payment protection company, found that ATOs increased by 307% between Q2 2019 and Q2 2021.
How It Works
As its name implies, an account takeover attack occurs when a threat actor gains access to an account using stolen credentials. Once the threat actor has access, there is no limit to what they can do. This can include transferring funds to their own accounts, stealing corporate data, using loyalty points, planting ransomware, or buying merchandise with stored credit cards.
These attacks typically begin with a phishing email that leads to a spoofed login page. Victims are asked to log in to their accounts; once they have entered their credentials, the page reassures them that there is no problem with the account. At that point, the hacker has everything needed to access the real account.
Once the hacker confirms that the username and password are valid, they leverage that information and apply it to multiple sites. Considering that 72% of people reuse the same password on multiple accounts, the odds are high that the hacker will be able to access and take over additional accounts.
Some hackers even work from lists of stolen usernames. Using a technique called password spraying, they try generic passwords on all of the usernames until they find a username/password combination that works. Using an automated bot, attackers are able to cycle through thousands of usernames at a time. When a username/password combination is discovered, bots apply those credentials to high-value sites across the internet.
For system administrators, recognizing that a user account has been taken over is difficult. Threat actors enter the site normally, using registered usernames and passwords. However, there are some telltale signs that indicate an ATO has taken place. Read on.
Multiple Accounts, Same Information
When threat actors take over an account, they need to change details within the account to ensure that the original account owner doesn’t take it back and lock them out. This usually means changing the email address or phone number associated with the account.
Threat actors run into the same issue as any other user: they do not have an unlimited supply of phone numbers or email addresses, and maintaining different contact details for each account they take over would be hard to manage. Instead, they reuse the same phone number or email address across multiple accounts they have taken over.
For system administrators, noticing multiple accounts that changed their email address or phone number to the same value is a red flag that an ATO has taken place.
Account Behavioral Changes
Review customer activity for changes in account behavior. Increased transactions, or transactions that are larger than normal, are worth looking into. So are transactions that come from a new location, a different IP address, or a new device.
When irregularities like these appear in customer accounts, review the account information for recently changed shipping addresses or other details. If the data has changed, it may be an ATO indicator.
When threat actors take over an account, they follow a fairly consistent behavioral pattern. They begin by changing key account details, such as email address, home address, or phone number. Within 24 hours of those changes, they log in to the account using a different device. At that point, they place an order to their new delivery address or transfer funds to their new account.
There are multiple data points that appear within the network’s backend that indicate ATO activity. Any single point on its own may be legitimate. However, when combined with other indicators, it points to one thing: an ATO attack.
When hackers deploy bots and use credential stuffing – rapidly pairing hundreds or thousands of usernames with passwords in the hope that one of them gets through – that activity appears in website analytics. Look out for spikes in failed logins, which indicate an ATO attempt.
Once an account has been successfully taken over, the country of the hacker’s IP address becomes associated with the account. Accounts associated with an unusual number of IP address countries may be a sign of ATO.
Devices are another indicator of ATO. When legitimate users access their accounts, the system identifies the device. Threat actors try to mask their device data through something called device spoofing. When this happens, the device appears as “unknown” in the backend. When accounts are connected to unknown devices, it indicates that an account was hacked.
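As an added illustration of how the indicators above combine, the following Python runs over constructed login, contact-change and order events and flags accounts that show several of the signals described: a replacement email or phone number shared across accounts, an “unknown” device, logins from more than one IP country, and the change-then-new-device-then-order sequence within 24 hours. This is example code written for this page, not Perception Point’s product or anything from the article; the event format, field names and sample data are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical, not from the article):
# (timestamp, account, kind, details); kinds are login_ok, contact_change, order.
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "login_ok", {"country": "US", "device": "iphone-a1"}),
    ("2024-03-01T09:05:00", "alice", "contact_change", {"value": "drop@mail.example"}),
    ("2024-03-01T21:40:00", "alice", "login_ok", {"country": "NL", "device": "unknown"}),
    ("2024-03-01T21:42:00", "alice", "order", {}),
    ("2024-03-02T10:00:00", "bob", "contact_change", {"value": "drop@mail.example"}),
    ("2024-03-02T11:00:00", "carol", "login_ok", {"country": "US", "device": "laptop-c9"}),
]

def ato_report(events, window=timedelta(hours=24)):
    """Return {account: sorted indicator names}; one flag may be benign, several together are the signal."""
    # Indicator: two or more accounts re-pointed to the same email/phone value.
    owners = defaultdict(set)
    for _, acct, kind, d in events:
        if kind == "contact_change":
            owners[d["value"]].add(acct)
    shared = {v for v, accts in owners.items() if len(accts) > 1}
    by_acct = defaultdict(list)
    for e in sorted(events, key=lambda e: e[0]):  # ISO timestamps sort as strings
        by_acct[e[1]].append(e)
    report = {}
    for acct, evs in by_acct.items():
        flags, countries, known_devices = set(), set(), set()
        for i, (ts, _, kind, d) in enumerate(evs):
            if kind == "login_ok":
                countries.add(d["country"])
                if d["device"] == "unknown":  # masked/spoofed device fingerprint
                    flags.add("unknown_device")
                known_devices.add(d["device"])
            if kind == "contact_change":
                if d["value"] in shared:
                    flags.add("shared_contact")
                # Pattern: detail change -> login from a never-seen device within `window` -> order.
                t0, new_dev = datetime.fromisoformat(ts), False
                for ts2, _, k2, d2 in evs[i + 1:]:
                    if datetime.fromisoformat(ts2) - t0 > window:
                        break
                    if k2 == "login_ok" and d2["device"] not in known_devices:
                        new_dev = True
                    elif k2 == "order" and new_dev:
                        flags.add("change_then_new_device_order")
        if len(countries) > 1:  # logins geolocated to more than one country
            flags.add("multiple_ip_countries")
        report[acct] = sorted(flags)
    return {a: f for a, f in report.items() if f}
```

In the sample, alice trips all four indicators, bob only the shared contact value, and carol (one known device, one country) is not reported.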
The Risk to Organizations
When credentials are compromised and employee accounts are taken over, the damage can be severe. With an employee’s login credentials, threat actors have the access to internal systems that they need.
Once inside the company’s internal systems, an attacker may be able to access financial accounts and transfer funds into their own accounts. They may also gain access to sensitive data that can be exposed. However, the potential damage extends far beyond theft.
A cybercriminal with access to internal systems has the opportunity to install malware, encrypt data, or perform a ransomware attack. Any of these types of attacks can be crippling, but expensive ransom payments can bankrupt and even shut down a business.
Preventing ATO Losses
Perception Point recommends a multi-tiered approach to mitigate the risk of ATO attacks:
- Educate consumers to recognize phishing attempts
- Teach customer service the red flags to look for when engaging with a customer
- Deploy a security solution that is capable of identifying ATO indicators