Although the basic threat of a fraudster logging into someone else’s account using stolen credentials is nothing new, the reality of account takeover (ATO) attacks is becoming more serious.
While the experience of having one’s identity stolen can be traumatic, the financial brunt of ATO attacks is felt more by the affected companies than by the legitimate customers impersonated in the attacks. All told, digital fraud prevention company Forter has found that ATO attacks accounted for 16% of fraud-related losses as of the end of 2019.
More recently, the COVID-19 outbreak has exacerbated this threat. Not only has it increased consumers’ reliance on the internet, but it has empowered threat actors to defraud consumers, increase their hacking attempts, and carry out phishing attacks that can lay the groundwork for subsequent account takeovers.
And the harm done by ATO attacks isn’t just a matter of stolen revenue. For eCommerce companies, some of the most common methods of preventing these attacks (such as additional verification steps) can themselves dig into sales revenue by adding friction to the customer journey.
To shed light on the growing threat of account takeovers and ways to prevent them, we recently teamed up with Forter to offer a webinar and compile a report exploring the latest relevant trends that businesses and financial institutions should know about. In addition to offering recommendations on how to avoid becoming the victim of an ATO, the report and webinar provide explanations and examples of some of the most worrisome aspects of the ATO ecosystem.
Here are five particularly alarming ATO trends that we've identified:
Account takeovers are becoming more common, and their financial impact is increasingly making them a central security concern for businesses whose websites rely on user accounts.
This trend should concern these companies, but it comes as no surprise. Because the scale of eCommerce has increased in recent years, the financial incentives for hackers and fraudsters – and the financial risk for victimized companies – have likewise grown. A slew of data breaches has left vast numbers of customers at risk of being impersonated in ATO attacks. And as the sale of leaked details on the dark web continues to develop, it becomes easier for fraudsters to wreak havoc using these customers’ accounts.
Another factor contributing to the scope of the problem of account takeovers is the use of tools allowing fraudsters to check credentials on multiple systems (credential stuffing). With many people using the same email address or username and password on various platforms, these individuals face the risk that one compromised account could allow fraudsters to impersonate them on any number of other websites.
To make sense of the account takeover ecosystem, it is important to understand the role the dark web plays in the sale of stolen credentials. This diagram lays out the five stages of the process:
Diagram of the five steps that allow for account takeovers – starting with the initial breach of a site by hackers, continuing through the sale on the dark web of account details acquired during the hack, and concluding with an ATO attack in which fraudsters use the stolen account details to make money.
Gone are the days when a batch of stolen credentials simply included passwords and either usernames or email addresses. The data we at Cybersixgill gather from the dark web shows that it has become common for leaked account details to include much more detailed information, which can help fraudsters avoid detection. For example, we see that many sets of credentials sold over the dark web include the user’s language, country, IP address, and billing address, as well as information related to their credit card – details that can be used to support a fraudster’s localization efforts.
The comprehensiveness of available account details is far from the only way in which the dark web’s ability to drive ATO attacks is expanding. Today, we frequently see batches of pre-tested account credentials for sale on underground forums, so that the fraudsters who buy these credentials can be confident that they will work. Not only does this step increase the chances that a given ATO attempt will be successful, but it saves time for the fraudster – allowing them to work more efficiently.
In addition, the level of customer service shown by many threat actors looking to sell stolen account details on the dark web is now comparable to the level of service shown by legitimate online companies. The business model used by these sellers depends on positive customer reviews, and they act accordingly. For example, many of them use accepted marketing practices and offer refunds in case credentials they have sold turn out to be unusable.
Leaked credentials that could be used in ATO attacks are advertised over an underground forum on the dark web, with the seller offering a refund in case the buyer is unsatisfied.
Just as the hackers who steal account details are innovating and evolving, so are their customers – the fraudsters who buy these account details and use them to carry out account takeovers. These fraudsters know that today’s companies can quickly detect unusual account activity, and they are adjusting their practices to avoid getting caught.
In many cases, this means taking advantage of the greater level of detail available for each leaked account being sold on the dark web, such as localization data. Forter has recently seen an increase in fraudsters engaging in device spoofing using emulators – one way of avoiding the alarms that would otherwise be triggered by logging in from a computer or smartphone different from the account owner’s actual device.
Forter has also recently seen fraudsters increasingly taking steps to hide the fact that the products they order online are being shipped to an address different from the account owner’s. In some cases, the perpetrator of an ATO will use their own shipping address but manipulate it slightly to avoid arousing suspicion. In other cases, the fraudster will leave the victim’s mailing address as is and instead directly contact the shipping company to reroute the package to a different address of the perpetrator’s choosing.
For fraudsters carrying out ATO attacks, the problem with using a credit card attached to the compromised account is that the account owner can discover and report the fraud relatively quickly and easily. In light of this risk, many cybercriminals look for alternative ways to monetize their activities.
Specifically, we are seeing many instances of paid accounts such as those on Netflix and Spotify for sale on the dark web – accounts that have intrinsic value, allowing fraudsters to monetize an attack without needing to make a purchase via credit card. We are also seeing a dramatic increase in the fraudulent use of loyalty club points, such as airline miles – an alarming trend, given that loyalty clubs are specifically designed for companies’ most valuable customers.
An ad for leaked Netflix credentials on the dark web, reflecting a strategy that allows fraudsters to monetize ATO attacks without needing to make a purchase.
Although the risk posed by account takeovers is expensive and growing, taking the right precautions can help protect both businesses and individuals.
For individuals, this is largely a matter of following general best practices for cybersecurity, including picking different credentials for accounts on different platforms. But we know that many individuals do in fact use the same credentials on multiple platforms. As a result, given that the dark web enables fraudsters to buy massive numbers of stolen credentials, even platforms that have not themselves fallen victim to a data breach can ultimately suffer from ATO attacks due to credential stuffing.
That makes rapid detection a critical element enabling businesses and financial institutions to stay safe from account takeovers. Given the growing sophistication of both the hackers who steal credentials and the fraudsters who attempt to use them for ATO attacks, managing this threat is largely a matter of using the most advanced and comprehensive digital technology for identifying and preventing fraud attempts.
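The credential-stuffing pattern described earlier (one source trying leaked username/password pairs against many accounts) and the rapid detection called for here can be illustrated with a small detector run over authentication logs. The code below is an added example written for this post; it is not code from the original article, from Cybersixgill or from Forter. The log line format, the IP addresses and usernames in the sample, and the thresholds (distinct usernames per window, failure ratio) are all constructed assumptions chosen for illustration; a real deployment would tune them to its own traffic.

```python
"""Credential-stuffing detector over a few constructed authentication log lines.

Added example, not part of the original post or of any vendor's product.
Log format, sample values and thresholds are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 sprays six different usernames in seconds
# (one pair happens to work), while 198.51.100.9 is an ordinary user who
# mistypes a password once and then logs in normally.
SAMPLE_LOG = """\
2020-06-01T10:00:01 ip=203.0.113.7 user=alice result=fail
2020-06-01T10:00:02 ip=203.0.113.7 user=bob result=fail
2020-06-01T10:00:03 ip=203.0.113.7 user=carol result=fail
2020-06-01T10:00:04 ip=203.0.113.7 user=dave result=ok
2020-06-01T10:00:05 ip=203.0.113.7 user=erin result=fail
2020-06-01T10:00:06 ip=203.0.113.7 user=frank result=fail
2020-06-01T10:01:00 ip=198.51.100.9 user=grace result=fail
2020-06-01T10:01:10 ip=198.51.100.9 user=grace result=ok
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct usernames, mostly failing, within a window.

    A legitimate user retrying one account produces one username and a low
    failure count; stuffing produces many usernames and a high failure ratio.
    Returns {ip: {"distinct_users", "attempts", "failures", "successes"}} for the
    widest qualifying window seen per IP.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the window fits.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "failures": fails,
                        "successes": sorted(e["user"] for e in win if e["result"] == "ok"),
                    }
    return flagged


def suspected_takeovers(flagged):
    """Accounts that logged in successfully from a flagged source.

    These are the sessions a defender would want to step up or invalidate
    quickly, before the fraudster can change the shipping address or spend
    loyalty points. Returns a sorted list of (ip, username) pairs.
    """
    hits = []
    for ip, info in flagged.items():
        for user in info["successes"]:
            hits.append((ip, user))
    return sorted(hits)


if __name__ == "__main__":
    flagged = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in flagged.items():
        print(f"{ip}: {info['distinct_users']} usernames, "
              f"{info['failures']}/{info['attempts']} failures")
    print("suspected takeovers:", suspected_takeovers(flagged))
```

The detector keys on the shape of the traffic rather than on any one account, which is what distinguishes stuffing from a forgetful user: six usernames from one address in six seconds is flagged, while the single account that fails once and then succeeds is not. The `successes` list is the part that matters for rapid response, since it names the accounts that a flagged source actually got into.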
For a closer look at the trends that Cybersixgill and Forter see in the realm of account takeovers, download our free report, You Are the Product: Combating the Growing Sophistication in the Stolen Credentials Marketplace.