Do your user accounts keep getting hacked by fraudsters? Let’s see how they did it and how you should prepare for the next account takeover attack method.
Account takeovers, or ATO attacks, are the bane of online businesses. In fact, when it comes to fraudulent attacks, they are one of the most widespread and damaging your company may have to face.
According to research from Kaspersky, more than half of all fraudulent attacks is in fact an account takeover.
One of the reasons these attacks are so common? The multitude of creative and sophisticated ways in which fraudsters can perform them.
This is why in this post we’ll break down the most common account takeover scenarios, so you can deploy the best RiskOps practices and be prepared to defend yourself against the next one.
What Are Common Signs of an Account Takeover Attack?
The best way to stop account takeover fraud is to identify them in the first place. Unfortunately, in the vast majority of cases, you’ll first hear about them after they’ve happened, via:
- Customer service.
- Users who contact your company directly.
- An increase in phishing complaints.
- Regulatory bodies regarding data protection complaints.
- Higher chargeback rates.
But to flag them before they damage your business, here is what you should be looking for:
- Connections to user accounts from new, unidentified devices.
- Suspicious user behaviour.
- Rapid updates to user accounts such as new password, new address, etc…
- Processing multiple low-value transactions.
What Happens After an ATO Attack?
Losing access to their account can have dramatic consequences for your customers. If they have any valuable store credit or card information stored within, fraudsters will steal it. The same goes for linked accounts and ID documents.
This can have damaging repercussions on your business in terms of data protection. Government bodies are increasingly implementing regulations designed to pass the blame onto companies when user data is lost or stolen.
Account takeover attacks are also part of a vicious cycle. Every time a fraudster accesses data from an account, they can resell it on the dark web. New fraudsters can try their hand with it, by reusing the passwords on other sites or using that data to phish for more information.
Last but not least, if your user accounts are regularly hacked (taken over), customers have every reason to go and see if your competitors can do any better. We’re increasingly seeing how account protection is a competitive advantage in that respect.
The Most Common Account Takeover Scenarios
Fraudsters are creative, adaptive and organised. Over the years, they have come up with dozens of techniques to exploit companies in order to take control of their user accounts. Here are some good examples of account takeover methods you should know.
Most account takeovers happen after a data breach. Huge lists of passwords, email addresses, and other login details end up on dark web marketplaces, where they are freely exchanged by fraudsters (usually bought with cryptocurrencies).
So if you’re a fraudster with a huge list of passwords, you’re going to try them all. This can be done manually, or more likely using a script (or bot). This is credential stuffing, and it may only result in a 0.1-0.2% success rate, but all it takes is one account to access all fraudsters need.
- How to protect your users from credential stuffing attacks: regularly check for your user email addresses on known data leaks (such as HaveIBeenPwned.com). Make sure they regularly change their passwords. Enabling MFA (multi-factor authentication) or OTP (one-time passwords) also helps.
Sometimes fraudsters will have part of an account’s details, but not the whole picture. Or they will target a specific person. The most common scenario is that they will have an email address, but not the password.
In that case, they’ll simply try to guess it. Credential cracking, or brute force attack, is the fancy way of calling that guesswork. Of course, they will once again rely on bots and scripts to do their bidding.
- How to protect your users from credential cracking attacks: the same measures as credential stuffing protection apply.
Password spraying also happens when fraudsters target a specific account, but in that scenario, they will simply attempt to use the most commonly found passwords. Many companies and product manufacturers still rely on default passwords such as admin, 123456, or other non-secure strings, which can make life very easy for account takeover attackers.
- How to protect your users from password spraying: You can use Troy Hunt’s Pwned Passwords2 (or if you’re a CloudFlare customer K-Anonymity) to check if a user’s credentials have been leaked before just by their email. This is useful to warn them on registration if they are about to use a leaked password, or to trigger an email verification on logins to make sure they are not a victim of an ATO.
Sometimes all it takes for fraudsters to find your account details is to ask for them. Of course, they’ll do so by pretending to be someone else. It can be:
- An SMS asking you to log into a copy of a known website.
- An email asking you for your password.
- A link to a sophisticated keylogger (software that captures your keystrokes).
- And much more…
There is no end to the creativity and lengths to which fraudsters will go to access user accounts, which only goes to show how valuable they are to them.
- How to protect your users from phishing for ATO: here again user education is key. Send regular emails to let users know they shouldn’t enter their details on suspicious sites. Ask them to double-check your website URL.
You can read more about specific kind of phishing attacks such as vishing and spearphishing in our fraud dictionary.
Social engineering is the real-life equivalent of phishing. It’s fraud done through human interactions, akin to dealing with a con person. It is the area of fraud that intersects the most with cybersecurity, as it often targets company employees and executives as well as users.
- How to protect your users from social engineering: on your side, always verify the caller’s identity so it matches the customer, and don’t just rely on knowledge-based checks. Make it clear for your users how you will contact them and in which cases, what numbers and emails you will use, etc. Set up warnings inside your service for sensitive information that should never be disclosed.
As the name suggests, man-in-the-middle attacks, often abbreviated as MITM attacks, happen when a third party intercepts data between your company and users. It’s the online equivalent of eavesdropping on a conversation and waiting for someone to reveal their passwords. It’s also closely related to espionage.
In the fraud detection and security world, these attacks are technically sophisticated and encompass a broad range of techniques, such as SSL stripping where attackers create an HTTPS connection between themselves and the server or an Evil Twin attack that mirrors legitimate WiFi access points controlled by malicious actors.
- How to protect your users from MIT attacks: this is more of a cybersecurity concern, and you should take preventive measures to ensure traffic comes to your site unaffected. Using strong encryption protocols is a great start, and MFA also helps. Once you’ve been notified of a MITM attack, you should notify your user immediately.
Multi-factor authentication and most commonly 2FA (2 Factor authentication) are a great way to prevent ATO. You confirm a user’s identity by linking their account to an extra piece of evidence, such as biometrics or a device.
Since phone verification via SMS or OTP (one time password) have become the favoured 2FA method, fraudsters had to find a way to exploit it.
Their solution: SIM-swapping, or SIM Jacking techniques, which we’ve covered since our 2019 fraud trends. In short, they contact the telecom operator and ask to transfer a number to a new SIM card they control. This lets them “own” users’ messenger apps such as Instagram, Whatsapp, and even SMS, which they can use to check verification messages.
On the bright side, telecom operators are increasingly becoming aware of the scale of the problem. Unfortunately, fraudsters are using customer service channels to take control of 2FA and OTP.
- How to protect your users from SIM Swapping attacks: you should let your users know about changes affecting their accounts. Registering a new phone number or changing an email address should be confirmed via as many channels as possible. Updated information should also be assessed for risk, such as throwaway phone numbers or email addresses from temporary providers.
For our current concern, this could be a way to log user keystrokes, which means capturing login details and passwords. As a white-hat hacker put it, a similar attack on the TikTok website “enabled me to set a new password on accounts which had used third-party apps to sign-up”.
- How to protect your users from XSS attacks: ensure user input data on your site is secure, using Allowlist values, by restricting HTML in input, or by sanitising values.
An SSRF or Server Side Request Forgery (also known as a Cross-Site Request Forgery) vulnerability is another way to mishandle user input. For instance, websites often include features that allow users to include resources from other locations, such as a profile picture loading button. The picture may come from a local file or another URL if the picture is hosted elsewhere.
If the input isn’t validated properly, an attacker could force the server to connect to an arbitrary domain of their choosing. It can give them access to data stored within the organisation, which in our current scenario, will certainly be user login credentials.
- How to protect your users from SSRF attacks: make sure your website validates every client request and that they are generated from the right server.
Other Forms of Session Hijacking
SSRF vulnerability attacks and XSS attacks are both forms of session hijacking. It is what happens when a user session is taken over by a bad agent. They essentially drop in between the victim and the website server, allowing them to perform the same actions as a user normally would (for instance logging in). Other forms of session hijacking include session fixation, session sniffing. You can read more about how to prevent session hijacking here.
Key Takeaway: A Combined Effort to Tackle ATOs
Account Takeover attack fraud prevention is a multi-step process. It involves educating your users, deploying the best data protection practices, and securing your website code. It’s a collaborative effort from both your company and customers, to ensure fraudsters, cybercriminals and attackers don’t take control of your precious accounts.
You can read more about how to protect your site from account takeover attacks here.
Learn more about our products
Florian helps tech startups and global leaders organise their thoughts, find their voices, and connect with customers worldwide.