Account Takeover: The Attacker Mindset
Published: 01/10/2018

  • Netacea, Agentless Bot Management

Account takeover – what, where and how much it hurts

We look at the background to account takeover (ATO), what motivates the attackers and what you can do to protect your estate from unwanted intruders.

Account Takeover (ATO) refers to unauthorised third-party access to a user’s account. The third party will typically be a criminal intending to extract value from the account somehow: directly, in the form of money, products and services, or indirectly, by using it to gain access to the user’s bank or other higher-value accounts.

In the past this might have primarily involved social engineering or classic hacking, but the most popular technique now is credential stuffing: stolen email addresses, user IDs and passwords are fed into automated tools to find out which of them have been reused across platforms.

Earlier cracking techniques simply flooded an account with lots of common passwords. That is as simple to defeat as a fail2ban-type system, in which each repeated failed login takes exponentially longer and/or the account is locked after a handful of failures.

Nearly all modern systems will not allow multiple failed password attempts without taking action. So the attackers have moved on to re-using credentials stolen from other sites, such as those exposed in the LinkedIn or Yahoo data breaches, assuming that those users will have re-used the same credentials elsewhere. This is called credential stuffing, and it rests entirely on the premise that users re-use their passwords across systems. Crucially, each stolen pair is tried once, so the target sees at most one failed login per account and a per-account lockout never fires.

Research shows the cybercriminals are correct to make this assumption: between 0.5% and 2% of leaked credentials, depending on who you talk to, have typically been found to work on another site, with success rates of up to 8% for more targeted breaches. That is still a small percentage, but applied to the 3 billion credentials compromised in the Yahoo breach, for instance, even 0.5% is 15 million accounts, so it can easily be seen that this amounts to a lot of accounts taken over for criminal purposes.

The attackers’ motivation

So what sort of accounts are ATO attackers and fraudsters interested in?

A wide range. Social media and forum logins are generally low value, but they can be re-used by spammers to evade detection and to promote phishing or other links to sell products. They can also be used in ad fraud: a set of automated users logged into legitimate sites and loading fraudulent adverts can make criminals significant money. The phenomenon of “fake news” is also a focus here, where criminals take over low-value but legitimate social media accounts and use them to push a political agenda, usually again linked to money-making endeavours such as selling merchandise for the cause they are illegitimately pushing.

The high-value accounts, though, will obviously be those with access to real purchasing power, which can be used to fraudulently purchase goods and services; ideal for low-level criminals is the ability to buy on a line of credit with no credit card involved. In that mix is also access to gift cards and loyalty cards, which can be much easier to launder, as tracking of these is nowhere near as widespread as tracking of real-money purchases.

Theft of loyalty points and vouchers, while deemed “free money” to some extent, will still result in a loss to the business, both monetary and reputational. One of the highest-value accounts to compromise is an email account, as a user will typically validate multiple other accounts through their primary email address. This can give access to many retail and social media accounts, as well as giving attackers a very useful vector to social-engineer that user’s friends and family by pretending to be them or by taking over their identity. Resale of all these accounts on the dark web occurs once someone has “validated” that a set of generic credentials works against a particular retailer, bank and so on.

They will then package these up for resale, with generic credentials costing in the range of $100 for a million IDs. Credentials validated against a target website would number in the hundreds at most and sell for many times more, depending on the type of account, with email accounts and financial accounts being particularly valued.

Hackers vs. fraudsters

Often attackers will not use the data they harvest themselves. They will distribute a credential stuffing account takeover attack over hundreds or thousands of IPs so as not to be seen, then gather the successes. From the target’s side only one failed login per account will be seen; one successful login and they have a hit. They then have a set of validated credentials to sell on.
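The two detection problems described above, the fail2ban-style per-account backoff that defeats classic password flooding, and the cross-account view needed to see credential stuffing that leaves only one failure per account and spreads across many IPs, as an added Python example. This is not code from the original post or from Netacea; the login events are constructed sample data, and the thresholds (five failures, a 60-second window, twenty failing accounts) are assumptions chosen to make the contrast visible:

```python
from collections import defaultdict

# Constructed sample traffic (not from the original post). Each event is
# (timestamp_seconds, source_ip, username, password_correct).
# 1) Classic brute force: one IP hammers one account and guesses right at t=20.
BRUTE_FORCE = [(t, "203.0.113.7", "alice", False) for t in range(20)]
BRUTE_FORCE.append((20, "203.0.113.7", "alice", True))

# 2) Credential stuffing: 40 breached username/password pairs, each tried once,
#    each from a different IP; exactly one pair is reused on this site (user17).
STUFFING = [(t, f"198.51.100.{t + 1}", f"user{t:02d}", t == 17) for t in range(40)]


def per_account_backoff(events, base_delay=1, max_failures=5):
    """fail2ban-style control as described on the page: after the n-th failure an
    account must wait base_delay * 2**(n-1) seconds before its next attempt is
    even evaluated, and at max_failures the account is locked outright.
    Returns (locked_accounts, accepted_logins, rejected_attempt_count)."""
    failures = defaultdict(int)      # consecutive failures per username
    next_allowed = defaultdict(int)  # earliest timestamp the next attempt is checked
    locked = set()
    accepted, rejected = [], 0
    for ts, ip, user, correct in events:
        if user in locked or ts < next_allowed[user]:
            rejected += 1            # refused before the password is looked at
            continue
        if correct:
            failures[user] = 0
            accepted.append((ts, ip, user))
            continue
        failures[user] += 1
        if failures[user] >= max_failures:
            locked.add(user)
        else:
            next_allowed[user] = ts + base_delay * 2 ** (failures[user] - 1)
    return locked, accepted, rejected


def stuffing_windows(events, window=60, min_accounts=20,
                     min_ip_ratio=0.5, max_mean_failures=1.5):
    """Cross-account view that the per-account control lacks. Buckets events into
    fixed windows and flags a window when many distinct accounts fail, the failing
    accounts are each hit about once, and attempts arrive from many source IPs.
    Returns {window_start: metrics} with a boolean 'flagged' per window."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev[0] // window) * window].append(ev)
    result = {}
    for start, evs in sorted(buckets.items()):
        fail_by_user = defaultdict(int)
        ips, users = set(), set()
        for ts, ip, user, correct in evs:
            ips.add(ip)
            users.add(user)
            if not correct:
                fail_by_user[user] += 1
        n_fail_users = len(fail_by_user)
        mean_fail = sum(fail_by_user.values()) / n_fail_users if n_fail_users else 0.0
        ip_ratio = len(ips) / max(1, len(users))   # ~1.0 means one IP per account
        result[start] = {
            "failing_accounts": n_fail_users,
            "mean_failures_per_account": mean_fail,
            "ip_ratio": ip_ratio,
            "flagged": (n_fail_users >= min_accounts
                        and mean_fail <= max_mean_failures
                        and ip_ratio >= min_ip_ratio),
        }
    return result


if __name__ == "__main__":
    for name, events in (("brute force", BRUTE_FORCE), ("credential stuffing", STUFFING)):
        locked, accepted, rejected = per_account_backoff(events)
        print(f"{name}: locked={sorted(locked)} accepted={accepted} rejected={rejected}")
        print(f"{name}: windows={stuffing_windows(events)}")
```

Run stand-alone, the per-account control locks `alice` and rejects the eventual correct guess, but lets the single `user17` hit in the stuffing run straight through; the windowed view is blind to the brute force (one failing account) and flags the stuffing window (39 accounts failing once each from 40 IPs). Neither check is sufficient alone, which is the page's point about why the attackers changed technique.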

These fraudsters are in competition with each other, so you would think one of the first things they would do is reset the password to lock out any other attackers who try the same set of compromised credentials on this target. But that is often a tell: the real customer is notified, and the website may have processes that make it harder for attackers to stay hidden. So the validated credentials become a resource to sell on the so-called “dark web”, but one with a very limited shelf life. Criminal networks will buy a set of compromised email, retail or loyalty card accounts with cryptocurrency, and from then on the original hacker has no more interaction with the account.

The criminal gang buying the small set of accounts won’t want the seller re-selling them or still being able to get into them, so they need to move quickly. This may be an automated process, and therefore detectable with bot protection tools, but more likely it will at this point become real user activity: people on real browsers, logging in and accessing the accounts to assess their worth and then exploit or drain them. At this point it is very hard to detect that the usage is not legitimate, because most account takeover protection solutions rely on detecting automated traffic with JavaScript sensors rather than on purely behavioural detection.

Once the criminal gangs have the distilled list of compromised accounts it may be too late to stop them with traditional techniques. That is why you see some high-profile websites hit by account takeover tell all their customers to reset their passwords. Drastic action is required once you have detected that a successful account takeover has occurred on your system, but the more information you can gather (which accounts were compromised, and how) the better the response can be.

Why should you be worried? Costs – direct and indirect

Industry figures show a 300% increase in ATO attacks this year, and the tools to mount an attack, such as Sentry MBA or STORM, are becoming mainstream. This means that as soon as a data loss is leaked on the “dark web”, there will be multiple fraudsters and multiple groups racing to exploit it across known target websites, as well as pressure to find new attack vectors.

If you have not yet experienced a serious account takeover attack but have a login and provide a function to customers that fraudsters can exploit, there is a high likelihood you will be targeted at some point. It is more a question of when, not if.

These attacks result in a direct loss to the company, but even more important, the reputational loss can be significant. There has been high-profile media coverage of compromised data from Ticketmaster, of accounts and data hacked from LinkedIn, and of victims such as the National Lottery having to warn all customers to reset their passwords. This is very damaging to a brand, especially if its primary channel is online: loss of confidence in the security of their data will drive customers away. Not to mention that, under GDPR, there is the potential for lots of customer complaints to the Information Commissioner’s Office and the possibility of high fines if appropriate measures to protect personal data were not taken.

To give a personal example of how these attacks result in more losses than the direct account takeover losses, I recently had to return a Fitbit device. Fitbit has had a high-profile ATO attack where the aim of the fraudsters was to exploit their return-under-warranty process and get access to devices to resell for profit.

My return came some months after this attack, but the new process was so labyrinthine and extended that I complained about it publicly on social media. Fitbit, to their credit, gave me a £60 voucher in compensation. A more indirect cost to them because of the ATO, but I was without my Fitbit watch for a month and now think rather poorly of them and may not buy another device from them, which is even more cost they won’t be able to measure easily. This is directly linked to their need to lock down what was a seamless and good customer experience (returns) in the aftermath of an attack, resulting in customer complaints and more losses, months later.

To see how our behavioural engine can pick up account takeover attempts and prevent them before they happen, please see our blog on how we’ve stopped ATO in the wild.

If you would like to learn more about our approach, sign up for a trial, where you can access the Netacea Account Takeover and Bot Management dashboard and test it on your live site.
