How to Identify Five Account Takeover Scenarios
Discover how hackers steal user data and compromise accounts.
Increase in Online Transactions Leads to More Opportunities for Account Takeovers
Digital commerce transactions have increased by 7.7% annually since 2017 as customers purchase more products and services online.1 For banking, ecommerce, travel and insurance enterprises, more online transactions have resulted in increased revenue. To accommodate over three billion digital purchases, businesses and customers are storing more data than ever online.2
With limited fraud prevention protections in place to protect customer and business data, fraudsters have more opportunities to steal sensitive information and compromise accounts. The act of stealing sensitive information to assume control of an account is known as account takeover (ATO). Over the past few years, ATOs have increased by 31% year-over-year, threatening the financial stability and reputation of businesses.3
Successful ATOs have risen as fraudsters develop more sophisticated methods to steal account data and fraud management platforms fall further and further behind. This article examines common account takeover scenarios that banking, ecommerce, travel, and insurance enterprises experience and uncovers how security teams can identify symptoms of account takeover.
How to Diagnose Five Account Takeover Scenarios
1. Credential Stuffing
Since 2013, over 14 billion data records have been lost or stolen.4 Within stolen records lies a treasure trove of username and password information that hackers leverage to compromise accounts. Considering most people use the same password for all of their online accounts, cybercriminals can enjoy uninhibited access to a user’s accounts across digital services.
Rather than test account credentials one-by-one, hackers employ automated bot attacks and credential stuffing tools to verify the user’s login information on an online platform. This type of ATO attack is known as credential stuffing. Previously, hackers would test the credentials en masse from the same IP address or browser. In this instance, security teams were able to build rate-limiting protections to flag irregular spikes in traffic or login attempts, but such protections are no longer effective.
Cybercriminals subvert rate-limiting protections with the help of credential stuffing scripts, tools that supply proxy lists, compromised machines, and exposed servers. These techniques allow hackers to create the illusion that their login attempts are coming from different IP addresses.5 Without clear identifiers to mark an act of credential stuffing, security teams have a difficult time accurately picking out fraudsters. Common approaches to stopping these automated attacks with captcha based challenges are bypassed or resolved by readily available tool now coupled with credentials stuffing tools.
Common symptoms of credential stuffing:
- Irregular spikes in login attempts
- Irregular spikes in traffic
- Increase in failed login counts
- Increase in non-existing user names attempting to authenticate
- Spikes in perceived bounce-rates on the login page
2. Credential Cracking
While credential stuffing relies on testing thousands of credentials simultaneously across digital platforms, credential cracking occurs when a fraudster targets a person or business specifically.6 To crack an account, hackers will leverage brute force password attacks on a specific account via automated bot attacks.7
Common symptoms of credential cracking:
- High numbers of failed login attempts on a user account
- Testing different variations of account names or passwords
- Spikes in account locks
- Customer complaints about hijacked accounts
3. Malware or Replay Attacks
Malware and corresponding relay attacks present a special challenge since the consumer’s machine is compromised by the attacker. Malware is tricky to detect and even after it is detected it is difficult to prevent. The two camps of malware try either to capture consumer credentials and leak them to the attackers, or the malware will attempt to conduct what is known as a replay attack. Replay attacks capture HTTP data sent from the user to the bank, then manipulate the data and retransmit it. For example, a request to view a page can be transformed into a request for a wire transfer.
Common symptoms of malware or replay attacks:
- Customer complaints about unauthorized funds movement
- Identification of the valid User session being used to conduct unauthorized activity
- Events that do not possess unique request IDs (repeats), assuming the bank has implemented technology to detect this.
- Atypical latency in interaction for that session
- Multiple logins from different geolocations in short proximity of user login.
4. Man-in-the-Middle Attacks
Man-in-the-middle or man-in-the-browser attacks require three actors: a victim, the entity the victim is trying to contact, and a hacker. In this account takeover scenario, there are two techniques for fraudsters to steal customer data or act within a legitimate session.9 In the first situation, fraudsters intercept communications with a legitimate entity, such as a bank or insurance company, and divert the user to a page the fraudster controls. Once the user arrives on the page, the fraudster will request credentials from the victim.
Common symptoms of man-in-the-middle attacks:
- IP, DNS, TCP, HTTP anomalies in the session
- Reports of fraudulent emails or SMS sent posing as the legitimate entity [by fraudsters] to customers request MFA
- Mismatching TCP and HTTP signatures in the User session
- Parallel sessions or connections
- Anomalous latency in the user’s session
- HTTP Headers indicating ‘referrer’ containing your company from domains you don’t own
5. Social Engineering
Similar to man-in-the-middle attacks, fraudsters manipulate victims to steal their account data via social engineering.10 Hackers, pretending to be a legitimate entity send fraudulent communications to a victim and coerce the victim into giving away personal information. To uncover the victim’s login information, the fraudster will ask the customer for private information and use the information to assume control of the victim’s account.
Common symptoms of social engineering:
- Unsolicited emails or text messages from a business requesting payment information, social security numbers, or other forms of personal data
- Contacting users, under the guise of customer support, following two-factor authentication to collect a one-time use code
ATOs are expected to increase in the near future and many fraud management platforms lack the tools to prevent and detect cyber criminals. Identifying the symptoms of account takeover empowers security teams to set-up fraud prevention rules that mitigate compromised accounts. However, to prevent ATOs from increasingly sophisticated and organized groups of fraudsters, businesses must develop comprehensive security strategies that reduce manual review time, provide accurate detection of fraudulent activity in real-time, and streamline customer account access and activity.
3 Forter | Attacks and Sophistication on the Rise