Account takeover attacks are a severe threat to any company that offers logins, accounts, and password resets. They are also common among consumer online stores and e-commerce platforms.
Hackers often acquire stolen user credentials through leaked lists published on the dark web following data breaches. They then use them to log into accounts and tamper with their contents.
What is an account takeover attack?
Account takeover (ATO) attacks occur when a criminal gains unauthorized access to a user account. Once the attacker has access, they use it to commit various types of fraud. This can include sending wire transfers to fraudulent accounts, buying products or services, redeeming rewards points, and more. These attacks can also cause damage to a company’s reputation and customer trust.
In the United States, losses from ATO attacks total over $10 billion annually. Fraudsters use stolen credentials to gain several benefits, including making wire transfers and taking over corporate accounts to steal confidential information.
ATO fraudsters typically acquire a list of credentials from the dark web or through data breaches, social engineering, or phishing attacks. They then launch bots against travel, retail, finance, e-commerce, and other websites to test username and password combinations until they find ones that work. Finally, they sell these verified credentials on the black market for a profit.
Any account can fall into the hands of bad actors. But some industries are more susceptible to account takeover fraud than others. For example, the hospitality industry is a common target for fraudsters, who exploit hacked accounts to make fraudulent hotel reservations and steal customer data. Additionally, the sports industry is a popular target for criminals who seek to exploit athlete negotiation figures, medical records, and strategy documents.
How does an account takeover attack work?
Account takeover attacks are a massive problem for companies that use online logins, especially those holding valuable data. When criminals gain access to an account, they often change the login credentials, locking out the original owner; this is known as a password reset attack. Criminals can gain access manually by typing in each username and password, or automatically using bots that test many login combinations.
The most common way cybercriminals acquire account credentials is through phishing. But they can also obtain them through other hacking techniques, such as credential stuffing, where attackers test different combinations of usernames and passwords until they find one that works. They can also capture them with malware such as keyloggers, or through man-in-the-middle attacks, where attackers intercept unencrypted traffic to read sensitive information such as login details.
Cybercriminals then use stolen account details in a variety of ways. These include taking over e-commerce accounts to make fraudulent purchases or breaking into online banking and credit card accounts to steal money. They can also sell accounts on the dark web to other criminals for a fee.
As digital transformation pushes business online, virtually every industry is now a target for account takeover attacks. Hospitality and healthcare are the most popular targets because of the high value of their user information. Fraudsters can steal rewards balances, order goods and services on the victim's account, and even use medical records to claim insurance funds for fraudulent procedures.
What is the risk of an account takeover attack?
Even if a company has strong passwords, two-factor authentication, and the latest antivirus software, it is still vulnerable to account takeover attacks. Employees don't always follow security best practices, whether by using company equipment for personal purposes or by logging in to work from home or public Wi-Fi networks.
In addition, companies may overlook suspicious activity such as sudden changes to account email addresses, unusual access locations (e.g., logins from a new country), and many accounts sharing exactly the same details. An effective way to mitigate this risk is to implement a check that compares user login credentials against a database of leaked passwords and a list of known attack vectors.
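The leaked-password check described above, as an added example that is not part of the original article. It assumes a breach corpus stored as uppercase SHA-1 digests and uses a k-anonymity style range lookup (only the first five hex characters of the hash leave the client); both the corpus contents and the range_lookup() stand-in for the server side are constructed here so the code runs offline.

```python
import hashlib
from typing import Dict, List, Set

# Constructed sample breach corpus: SHA-1 hex digests of a few known-bad
# passwords (uppercase, the form such lists are usually published in).
# In production this would be a local breach list or a remote range query.
LEAKED_PASSWORD_HASHES: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2023!")
}

PREFIX_LEN = 5  # k-anonymity: only this many hex chars of the hash are disclosed


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, matching the corpus format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str, corpus: Set[str]) -> Set[str]:
    """Hypothetical stand-in for the server side of a range query: returns
    every hash suffix in the corpus whose digest starts with `prefix`.
    The server only ever sees the prefix, never the full hash or password."""
    return {h[PREFIX_LEN:] for h in corpus if h.startswith(prefix)}


def is_leaked(password: str, corpus: Set[str] = LEAKED_PASSWORD_HASHES) -> bool:
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_lookup(prefix, corpus)


def check_credential(username: str, password: str,
                     corpus: Set[str] = LEAKED_PASSWORD_HASHES) -> Dict[str, object]:
    """Policy decision at login or password-set time. Returns the reasons a
    credential should be rejected or forced through a reset flow."""
    reasons: List[str] = []
    if is_leaked(password, corpus):
        reasons.append("password appears in breach corpus")
    if username and username.lower() in password.lower():
        reasons.append("password contains username")
    return {"allowed": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for user, pw in (("alice", "Summer2023!"), ("bob", "bob-2024"), ("carol", "correct horse battery staple")):
        print(user, check_credential(user, pw))
```

At login time a hit does not prove compromise, but it is the moment to force a password change or step-up authentication rather than silently allowing the session.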
There are a few reasons hackers want to get into user accounts in the first place. Some account takeover attacks are a stopover in more extensive phishing campaigns; others are used to sell validated credentials on the dark web, which can fetch significant money. In some cases, criminals leverage stolen credentials to hijack real credit card, shopping, or government benefit accounts and then make fraudulent transactions themselves or through a partner network. This type of fraud is often more lucrative than the average phishing campaign, which is why it is the primary target of many cybercriminals. It is also harder to detect than other forms of identity theft.
What are the consequences of an account takeover attack?
The consequences of an account takeover attack vary with the attacker's goals and resources. ATO attacks can lead to further phishing, credential stuffing, and other types of fraud that can drain your business's bank accounts and damage customer trust.
Using stolen credentials, criminals can perpetrate identity theft: applying for lines of credit in the victim’s name, committing insurance fraud, stealing rewards points, and more. In addition, personal information can be used in spoofing campaigns to make phishing and spam emails more believable.
Any business that uses online logins for its website or app is vulnerable to an account takeover attack, including banks, healthcare organizations, government agencies, and any other company with user accounts and data stored online. While specific industries are more susceptible to this attack, anyone with a login can be a target.
Despite the many ways criminals can commit account takeover attacks, there are several preventive measures that reduce their impact. One is a bot detection solution that understands and detects behavioral anomalies. The solution should analyze IP addresses, device versions, device behavior, typical user paths, and keyboard and mouse behavior to identify and stop a threat before it can do any damage. It should also use custom enforcement challenges designed to thwart human cybercriminals by presenting incrementally more complex visual tasks that wear them out and sap their resources.
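The detection side of the measures above, together with the overlooked signals named earlier (logins from a new country, many accounts sharing the same details, an IP address spraying many usernames), as an added example that is not part of the original article. The login events, known home countries, recovery emails and the thresholds (5 distinct usernames, 60% failure rate, 3 accounts per recovery email) are all constructed for the example; a real deployment would tune them against its own traffic.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample login events: (timestamp, username, ip, country, success).
# 203.0.113.7 walks through six different usernames in six seconds and
# mostly fails, which is the signature of a credential-stuffing bot.
LOGIN_EVENTS = [
    (1, "alice", "203.0.113.7", "DE", False),
    (2, "bob", "203.0.113.7", "DE", False),
    (3, "carol", "203.0.113.7", "DE", False),
    (4, "dave", "203.0.113.7", "DE", False),
    (5, "erin", "203.0.113.7", "DE", True),
    (6, "frank", "203.0.113.7", "DE", False),
    (7, "alice", "198.51.100.2", "US", True),   # alice's usual country
    (8, "alice", "198.51.100.2", "US", False),  # a typo from her usual address
    (9, "alice", "203.0.113.7", "DE", True),    # success from a country alice never used
]

# Constructed account history: countries each account has logged in from before.
KNOWN_COUNTRIES: Dict[str, Set[str]] = {"alice": {"US"}, "erin": {"BR"}}

# Constructed profile data: three accounts share one recovery email.
RECOVERY_EMAILS: Dict[str, str] = {
    "erin": "drop@example.net", "gary": "drop@example.net", "heidi": "drop@example.net",
    "alice": "alice@example.org",
}


@dataclass
class Findings:
    stuffing_ips: Dict[str, dict] = field(default_factory=dict)
    new_country_logins: List[Tuple[str, str, str]] = field(default_factory=list)
    shared_recovery: Dict[str, List[str]] = field(default_factory=dict)


def detect_credential_stuffing(events, min_users: int = 5, min_fail_ratio: float = 0.6):
    """Flag source IPs that try many distinct usernames with a high failure rate."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for _, user, ip, _, ok in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]), "fail_ratio": round(ratio, 2)}
    return flagged


def detect_new_country_logins(events, known: Dict[str, Set[str]]):
    """Successful logins from a country the account has never been seen in.
    Accounts with no history are recorded but not alerted on (first sighting)."""
    seen = {u: set(c) for u, c in known.items()}
    hits = []
    for _, user, ip, country, ok in events:
        if not ok:
            continue
        if user in seen and country not in seen[user]:
            hits.append((user, ip, country))
        seen.setdefault(user, set()).add(country)
    return hits


def detect_shared_recovery(recovery: Dict[str, str], min_accounts: int = 3):
    """Groups of accounts registered with exactly the same recovery email."""
    groups = defaultdict(list)
    for user, email in recovery.items():
        groups[email].append(user)
    return {e: sorted(us) for e, us in groups.items() if len(us) >= min_accounts}


def run(events=LOGIN_EVENTS, known=KNOWN_COUNTRIES, recovery=RECOVERY_EMAILS) -> Findings:
    return Findings(
        stuffing_ips=detect_credential_stuffing(events),
        new_country_logins=detect_new_country_logins(events, known),
        shared_recovery=detect_shared_recovery(recovery),
    )


if __name__ == "__main__":
    f = run()
    print("stuffing IPs:", f.stuffing_ips)
    print("new-country logins:", f.new_country_logins)
    print("shared recovery emails:", f.shared_recovery)
```

Each detector answers a different question, so the useful output is the combination: a successful login for erin from the stuffing IP, in a country she has never used, on an account whose recovery email is shared with two others, is a much stronger signal than any one of those facts alone and is the kind of event that should trigger step-up authentication or a forced credential reset.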