
Anonymous A on the Basics of Account Takeover Fraud

In this week’s Cat & Mouse podcast, Jimmy spoke to a fraudster who specialises in account takeover attacks (ATOs). 

According to this person, whom we’ll call Anonymous A, it’s simply about “getting unauthorised access to someone’s existing account.”

Let’s see how they do it and why it should matter for businesses. 

Stealing Accounts Vs Using Them

According to Anonymous A, not all account takeover fraudsters have the same skillset. Some specialise in acquiring account details, while others are better at extracting value from them.

“One of these techniques is getting the stolen login details, and the other is utilising it. So, you can do very well on one of these or even both, but you can also skip one of these parts.”

So some fraudsters will only steal account login details, and others will go in and steal money or buy goods with them. Of course, others will be proficient in everything to do with ATO attacks. 

Online Stores That Save Credit Cards Are a Prime Target

“Most of the e-commerce sites want to optimise for conversion. They let anyone save the credit card details which I guess is all about conversion and us cybercriminals know about this.”

In short: reducing user friction can be a double-edged sword. On the one hand, you’re letting legitimate users get through checkout faster; on the other, you’re essentially turning the account into a stored payment method, so it’s no wonder fraudsters are interested.

Data Breaches Are a Safe Bet

So what about the fraudsters who only want to run the attacks themselves? They simply buy the login details.

“We all know the basics of ATO attacks, most of them are happening because of data breaches. In the email data breach, you can find a password and then you can use that password and the combination of the email address or username in an automated version, to try to log in to different sites where you have saved a specific payment instrument.”

But it’s not just a 1:1 relationship, because login details are so often reused across sites…

“The easiest way to get a password of someone is just looking into all the data breaches. There’s a high chance that someone was part of the data breach already, which means that none of their passwords got pulled and since people reuse them across different sites, there’s a high possibility to use it on a specific site or an eBay, a provider, or even on a bank account, which we can try to log into.”
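The automated reuse of leaked email/password pairs that Anonymous A describes shows up in authentication logs as credential stuffing: one source trying many different usernames, each roughly once, with very few successes. The following detector is an added example written for this article, not code from the podcast or its guest. It runs over constructed login-attempt records (the IP addresses are from the documentation ranges and the usernames are made up); a real deployment would feed it from the authentication service’s own log.

```python
# Added example: flag sources whose login traffic looks like credential stuffing.
# Records, thresholds and sample data are all constructed for this illustration.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    ts: int            # Unix time in seconds
    source_ip: str
    username: str
    success: bool


def detect_credential_stuffing(attempts, window_s=300, min_attempts=20,
                               min_distinct_ratio=0.8, max_success_rate=0.2):
    """Return {source_ip: reason} for every source that, inside some sliding
    window of window_s seconds, made at least min_attempts logins where nearly
    every attempt targeted a different username and almost none succeeded.

    A busy office NAT also produces many attempts from one IP, but those hit a
    small set of usernames and mostly succeed, so the two ratios separate them.
    """
    flagged = {}
    per_ip = defaultdict(deque)          # source_ip -> attempts inside the window
    for attempt in sorted(attempts, key=lambda a: a.ts):
        window = per_ip[attempt.source_ip]
        window.append(attempt)
        while window and attempt.ts - window[0].ts > window_s:
            window.popleft()              # drop attempts that fell out of the window
        n = len(window)
        if n < min_attempts or attempt.source_ip in flagged:
            continue
        distinct = len({a.username for a in window})
        successes = sum(1 for a in window if a.success)
        distinct_ratio = distinct / n
        success_rate = successes / n
        if distinct_ratio >= min_distinct_ratio and success_rate <= max_success_rate:
            flagged[attempt.source_ip] = (
                f"{n} attempts on {distinct} usernames within {window_s}s, "
                f"success rate {success_rate:.0%}")
    return flagged


def constructed_attempts():
    """Constructed sample log: one stuffing source, one office NAT, one typo-prone user."""
    attempts = []
    # Stuffing source: 30 attempts, 30 different usernames, 2 of them succeed.
    for i in range(30):
        attempts.append(LoginAttempt(1000 + i * 5, "203.0.113.7",
                                     f"user{i}@example.test", i in (4, 17)))
    # Office NAT: 25 attempts from 5 staff accounts, almost all successful.
    for i in range(25):
        attempts.append(LoginAttempt(1000 + i * 7, "198.51.100.5",
                                     f"staff{i % 5}@example.test", i % 8 != 0))
    # One person mistyping their own password twice before getting in.
    for i, ok in enumerate([False, False, True]):
        attempts.append(LoginAttempt(1000 + i * 20, "192.0.2.9",
                                     "alice@example.test", ok))
    return attempts


if __name__ == "__main__":
    for ip, reason in detect_credential_stuffing(constructed_attempts()).items():
        print(f"{ip}: {reason}")
```

Only the 203.0.113.7 source is flagged: the office NAT makes a similar number of attempts but against five usernames with a high success rate, and the single mistyping user never reaches the attempt threshold. Thresholds are deliberately parameters, because the right values depend on how much legitimate traffic shares addresses behind NATs and carrier-grade proxies.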

ATO Phishing Experts Use Marketing Tools

A surprising insight: fraudsters who phish for personal information leverage the same tools that companies use for marketing purposes. When explaining what kind of techniques they deploy, Anonymous A explains:

“It depends a lot on what kind of domain you use, where you host your phishing page or as well as what kind of text you put in your message because you have to provide authenticity, you have to seem like an alleged site. Also you have to have the highest conversion from these emails in terms of open rate, then probably you will get a lot of links or passwords and access details on your end.”

“It’s quite similar to what you do, it’s really similar to marketing business outreach emails because we also tend to use the same kind of tools like marketing automation as a mail chain. We love to use it because they bypass the different firewalls on the popular free email service providers.”

Be Careful of Phone Number Changes

Interesting for fraud fighters: you should keep an eye on users who update their contact details. 

“What’s been really successful for me is actually setting up new phone numbers after logging in and then you just remove the original account order contact details from the account, so they don’t get access to an email.”

“Sometimes it works, sometimes it doesn’t depending on the site, but also what I tried and was really good at was actually spamming the mailbox of the victim at the same time. With this method then you have access to other services, even Telegram.”

Some Verification Steps Simply Aren’t Working

Even according to Anonymous A, some user verification methods deployed by online businesses don’t seem to make sense:

“They’re being super sensitive about what browser or device you use to access the sites and even if you use the same one, they still force you to enter a one time passcode or something like that. I don’t really understand why but I was just thinking it might be such an inconvenience for the customers to force them to enter an OTP every time to access that they should think to make it a bit more lightweight, and it might be helpful for us as process too, but the customers might be more happy.”

Deploying the Right Kind of Verification Tool

Perhaps the biggest takeaway of the interview comes towards the end of the episode, when Anonymous A explains how proxies, VPNs and even Cloudflare protection come into play to stop them from performing their attacks.

The key is that a simple IP analysis check isn’t enough on its own. Similarly, checking the device by itself doesn’t give enough information. You need a truly multi-layered approach to make the most of your detection setup.
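To make the multi-layered point concrete, here is an added example of a risk-based login policy, written for this article and not taken from the podcast, its guest or any vendor’s product. It combines the signals the interview touches on (device recognition, IP history, proxy/VPN/datacenter hints, failed-login velocity and a recent contact-detail change) into one score, so a returning customer on a known device is not forced through an OTP every visit, while a new device arriving through a proxy is. The `ip_is_proxy_or_datacenter` flag is assumed to come from an external ASN or reputation lookup, and the weights and thresholds are constructed for illustration rather than tuned on real data.

```python
# Added example: risk-scored step-up authentication and contact-change controls.
# Signal weights, thresholds and the sample scenarios are constructed, not from the page.
from dataclasses import dataclass

ALLOW, STEP_UP, REVIEW = "allow", "step_up_otp", "manual_review"


@dataclass(frozen=True)
class LoginContext:
    user: str
    device_id: str
    ip: str
    ip_is_proxy_or_datacenter: bool   # assumed to come from an ASN/reputation lookup
    failed_logins_last_hour: int


@dataclass(frozen=True)
class AccountHistory:
    known_devices: frozenset
    known_ips: frozenset
    contact_details_changed_last_24h: bool   # phone/email changed or removed recently


def risk_score(ctx, hist):
    """Sum independent signals; no single signal decides the outcome by itself."""
    score, reasons = 0, []
    if ctx.device_id not in hist.known_devices:
        score += 40; reasons.append("unrecognised device")
    if ctx.ip not in hist.known_ips:
        score += 15; reasons.append("unseen IP address")
    if ctx.ip_is_proxy_or_datacenter:
        score += 25; reasons.append("proxy/VPN/datacenter IP")
    if ctx.failed_logins_last_hour >= 5:
        score += 20; reasons.append(f"{ctx.failed_logins_last_hour} failed logins in the last hour")
    if hist.contact_details_changed_last_24h:
        score += 30; reasons.append("contact details changed in the last 24h")
    return score, reasons


def decide(score, allow_below=30, review_from=70):
    """Low risk passes silently, medium risk gets an OTP, high risk goes to review."""
    if score < allow_below:
        return ALLOW
    if score < review_from:
        return STEP_UP
    return REVIEW


def contact_change_controls(ctx, hist):
    """Controls for a phone/email change: confirm through the channel being replaced
    (so the owner can stop the change), notify it afterwards, and, when the session
    itself looks risky, hold payments so a takeover cannot cash out immediately."""
    controls = ["verify_via_existing_channel", "notify_existing_channel"]
    score, _ = risk_score(ctx, hist)
    if decide(score) != ALLOW:
        controls.append("hold_payments_24h")
    return controls


def scenarios():
    """Constructed scenarios for one account; returns {name: (score, decision)}."""
    hist = AccountHistory(known_devices=frozenset({"dev-home-laptop"}),
                          known_ips=frozenset({"192.0.2.10"}),
                          contact_details_changed_last_24h=False)
    cases = {
        "returning_known_device":  LoginContext("alice", "dev-home-laptop", "192.0.2.10", False, 0),
        "known_device_mobile_ip":  LoginContext("alice", "dev-home-laptop", "198.51.100.3", False, 0),
        "new_device_new_ip":       LoginContext("alice", "dev-unknown-1", "198.51.100.3", False, 0),
        "new_device_via_proxy":    LoginContext("alice", "dev-unknown-2", "203.0.113.44", True, 6),
    }
    return {name: (risk_score(ctx, hist)[0], decide(risk_score(ctx, hist)[0]))
            for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, (score, action) in scenarios().items():
        print(f"{name:<26} score={score:<3} -> {action}")
```

With these weights the returning customer on a known device scores 0 and is allowed straight through (the friction Anonymous A complained about is only applied where the signals justify it), a known device on an unseen IP still passes, a new device on a new IP triggers an OTP, and a new device through a proxy with a burst of failed logins is sent to review. The contact-change handler is the defensive counterpart to the phone-number swap described earlier: the existing channel is always consulted before being replaced, and a risky session additionally has payments held.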
