Account takeover fraud (ATO) is definitely not the new kid on the block. Establishments whose business model is centered around financial transactions, such as online retailers or banks, have been dealing with it for over a decade.
Unfortunately, this doesn’t mean that its appeal has died down over the years. In fact, account takeover fraud is more popular than ever. Recent account takeover statistics have shown an increase of nearly 300% since 2019 in ATO cases that have cost companies and consumers alike a whopping $16.9 billion in damages.
In the following lines, I will take you through the basics of account takeover fraud prevention. So, if you want to know not only how ATO works, but also how you can protect your business from it, keep on reading.
What is Account Takeover Fraud?
Account Takeover Definition
To define account takeover fraud, it is essential to first discuss the concept of identity theft. According to Investopedia,
Identity theft is the crime of obtaining the personal or financial information of another person to use their identity to commit fraud, such as making unauthorized transactions or purchases. Identity theft is committed in many different ways and the end result is that victims are typically left with damage to their credit, finances, and reputation.
In the case of an account takeover, cybercriminals gain unlawful access to the financial or e-commerce login credentials of a user, generally through means of a bot attack. This results in one or multiple fraudulent transactions being carried out. Excessive billing may occur before the victim even notices they have been targeted by an ATO.
Keeping this in mind, it can be concluded that account takeover fraud is the Web-based variant of identity theft. Therefore, the practices of identity theft and account takeover go hand in hand.
Account Takeover Methods
Cybercriminals commit account takeover fraud by exploiting vulnerabilities in individual user accounts, as well as networks as a whole. Hackers have a variety of approaches under their belt for this, some more creative than others.
Nevertheless, the five most frequently used account takeover methods are malware replay attacks, social engineering, man-in-the-middle attacks, credential stuffing, and credential cracking, each of which I have explained in the subsections below. For more information on each topic, you can always check out the articles linked in their respective sections from the Heimdal blog. My colleagues already did a great job of explaining them in great detail there, so I’ll just go through the basics.
Malware Replay Attacks
Malware is a hacker favorite when it comes to account takeover fraud attempts. Once your devices are infected, cybercriminals can either use the malware itself to steal login credentials or go the replay attack route.
During a replay attack, attackers seize HTTP data sent from your network to a financial institution, then manipulate it in their favor and retransmit it. Fortunately, there are a few warning signs that your network has been infected with malware. Some of the most frequent ones are:
- reduced system performance,
- suspicious increases in traffic,
- unfamiliar error messages,
- strange emails delivered from your account,
- and unusual ads or pop-ups.
Social Engineering
Another widespread fraud tactic preferred by hackers, social engineering relies on human psychology to deceive users into disclosing personal information. Impersonating contacts, masquerading as trusted institutions, mimicking partner branding, or creating a relationship with ulterior motives are just a few of the popular practices in this category.
Here are a few ways to recognize if your company is being targeted by a social engineering campaign:
- unsolicited emails or text messages,
- suspicious payment or information requests,
- and suspicious customer support inquiries directed at your clients.
Man-in-the-Middle Attacks
Much like social engineering, man-in-the-middle attacks rely on a deception that is usually carried out in two potential scenarios. In one of them, cybercriminals intercept your communications with a legitimate third party, such as a bank or a supplier. You will then be redirected to a hacker-controlled domain and requested to provide login credentials or other PII.
The second possible scenario involves cybercriminals completely hijacking your session and taking actions on your behalf without previously expressed consent. This happens when your network is unsecured, or when JavaScript vulnerabilities are left open to attacks.
Your enterprise might have fallen victim to a man-in-the-middle attack if:
- customers receive fraudulent communications from you,
- IP, HTTP, DNS, or TCP anomalies appear in a session,
- latency anomalies appear in a session,
- TCP and HTTP signatures in a session do not match,
- and suspicious parallel sessions are identified.
Credential Stuffing
The illicit practice of credential stuffing consists of hackers trying to log in by using stolen user names and passwords across a multitude of websites and platforms. The name stems from the method itself, which is “best described as trying to stuff [the credentials] everywhere”, as my colleague Miriam very aptly explained in her extensive article on the topic.
Do you suspect you’ve been targeted by a credential stuffing attack? Here’s how you can tell:
- fluctuating spikes in traffic,
- irregular increase of failed login tries,
- amplified number of logins,
- non-existent credentials attempting authentication,
- and an upsurge in bounce rates.
Credential Cracking
Finally, credential cracking is perhaps the oldest and most simplistic trick in this particular book, but an effective one nevertheless. It is widely used by hackers that target one specific establishment, as opposed to credential stuffing and its broader focus. Cybercriminals break into your account(s) by running candidate passwords from a dictionary list, or through a brute force attack. Telltale signs of a credential cracking attack include:
- a spike in account locks,
- an unusually high number of failed login attempts,
- and customer complaints regarding suspicious activity.
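As an added illustration that is not part of the original article, the Python script below applies the credential stuffing and credential cracking indicators listed above (failed-login spikes, non-existent usernames attempting authentication, account locks) to a constructed authentication log and reports which pattern each source IP matches. The log format, IP addresses and thresholds are assumptions for the example, not any product's output.

```python
import re
from collections import defaultdict
# Constructed log format (assumption): "<ts> <LOGIN_OK|LOGIN_FAIL|LOCKOUT> user=<name> src=<ip> [reason=<why>]"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL|LOCKOUT) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)(?: reason=(?P<reason>\S+))?$")
# Constructed sample: 203.0.113.5 tries ten stolen pairs once each (some usernames do not
# exist here), 198.51.100.7 hammers one account until it locks, 192.0.2.9 is a typo.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d}Z LOGIN_FAIL user=user{i} src=203.0.113.5 "
    f"reason={'no_such_user' if i % 3 == 0 else 'bad_password'}"
    for i in range(10)
] + [
    f"2024-05-01T10:05:{i:02d}Z LOGIN_FAIL user=finance src=198.51.100.7 reason=bad_password"
    for i in range(8)
] + [
    "2024-05-01T10:05:09Z LOCKOUT user=finance src=198.51.100.7",
    "2024-05-01T10:06:00Z LOGIN_FAIL user=dave src=192.0.2.9 reason=bad_password",
    "2024-05-01T10:06:05Z LOGIN_OK user=dave src=192.0.2.9",
]

def parse(lines):
    for line in lines:  # yield one dict per well-formed line, skip anything else
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def profile_sources(events):
    """Per source IP: failed logins, distinct usernames, unknown-user failures, lockouts."""
    stats = defaultdict(lambda: {"fail": 0, "users": set(), "unknown": 0, "locks": 0})
    for e in events:
        s = stats[e["src"]]
        s["users"].add(e["user"])
        if e["event"] == "LOGIN_FAIL":
            s["fail"] += 1
            s["unknown"] += int(e["reason"] == "no_such_user")
        elif e["event"] == "LOCKOUT":
            s["locks"] += 1
    return stats

def classify(stats, min_fail=5):
    """Stuffing: failures spread over many (often non-existent) accounts; cracking: failures and lockouts on one or two."""
    verdicts = {}
    for src, s in stats.items():
        spread = len(s["users"]) / max(s["fail"], 1)  # ~1.0 means one try per account
        if s["fail"] >= min_fail and (spread >= 0.8 or s["unknown"] >= min_fail):
            verdicts[src] = "credential_stuffing"
        elif len(s["users"]) <= 2 and (s["fail"] >= min_fail or s["locks"]):
            verdicts[src] = "credential_cracking"
    return verdicts
```

Run `classify(profile_sources(parse(SAMPLE_LOG)))` to get the verdict per source; the single mistyped password from 192.0.2.9 stays below the threshold and is not flagged.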
Regardless of the method that is used, account takeover as a process is not a singular event. It unfolds in six separate steps which I like to call the six IONs of ATO. These are infection, misappropriation, transaction, validation, observation, and execution. You can find them defined below.
1. Infection
Using social engineering practices such as malspam, pop-ups, and so on, bots deploy malware to infect vulnerable machines in your network.
2. Misappropriation
Criminals profit from the gap in security and steal login credentials, as well as other relevant personally identifiable information (PII).
3. Transaction
Cybercriminals sell stolen credentials on the Dark Web for a profit, or keep them and pursue fraudulent activities themselves.
4. Validation
Fraudsters validate the stolen credentials and PII to ensure that they are correct and can be used for account takeover fraud.
5. Observation
Fraudsters then monitor the activity on the compromised account(s) to choose an ideal moment to strike.
6. Execution
Hackers finally perform duplicitous account activities such as fake payments, illicit online shopping, or excessive billing for their financial gain.
Account Takeover Prevention
#1 Train Employees on Password Best Practices
As a business owner, part of your job is to not only stay up to date with the latest cybersecurity best practices but to make sure your employees are on the same page as well. At the end of the day, they are the ones in charge of their own login credentials.
Proper credentials are your company’s first line of defense in the face of account takeover fraud. Therefore, you must educate personnel on how to create and maintain a strong password. In this way, they will avoid perpetuating the most common password mistakes and thus keep your business all the safer. A strong password:
- contains both lowercase and uppercase letters,
- features alphanumeric characters,
- does not contain easy to guess PII (name, birthday, and so on),
- is changed frequently,
- but not according to a fixed schedule.
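To show how the rules above can be enforced at the point where a password is chosen, here is an added example (not part of the original article) that checks a candidate password against the character-class rules and against the user's own name and birthday in the layouts a guesser would try first. The set of birthday layouts and the three-character minimum for name parts are assumptions; "alphanumeric" is read as requiring at least one digit.

```python
import re
from datetime import date

def pii_tokens(full_name, birthday):
    """Strings a guesser would try first: name parts and the birthday in common layouts.
    (Constructed heuristic; extend it with the organisation's own identifiers.)"""
    tokens = {t.lower() for t in re.split(r"\W+", full_name) if len(t) >= 3}
    for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y"):
        tokens.add(birthday.strftime(fmt))
    return tokens

def password_problems(password, full_name, birthday):
    """Return the rules from the list above that the password breaks (empty list == acceptable)."""
    problems = []
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs both lowercase and uppercase letters")
    if not re.search(r"\d", password):
        problems.append("needs at least one digit")
    lowered = password.lower()  # compare case-insensitively so Jane1990 is caught too
    hits = sorted(t for t in pii_tokens(full_name, birthday) if t in lowered)
    if hits:
        problems.append("contains easy-to-guess personal data: " + ", ".join(hits))
    return problems
```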
#2 Utilize a Password Management Tool
Does your staff work with several accounts on multiple platforms? Ensuring that they create a different password for each one is vital for the online safety of your assets. Needless to say, this can become difficult to handle. Nevertheless, integrating a password management tool into your organization’s workflow is a sure way to make everyone’s life easier in this regard. Popular suggestions include:
- 1Password
- LastPass
- Dashlane
- Bitwarden
- KeePass
#3 Implement Two-Factor Authentication
Two-factor authentication provides an additional layer of security when logging into an account, and can thus stop fraudsters in their tracks. As its name suggests, this preventive method adds a second step alongside the traditional username and password.
Nowadays, the most popular choice of login validation is that of a secondary device that is traditionally carried with oneself at all times, such as a smartphone or token. Popular platforms such as Google, Facebook, or Instagram use it.
However, two-factor authentication can also consist of:
- A piece of personal information, such as a PIN code or the answer to a secret security question.
- Biometric data, such as facial, vocal, or fingerprint recognition.
#4 Deploy Software Updates and Patches
Outdated, unpatched software is a huge liability for your enterprise, as it allows fraudsters to perform man-in-the-middle attacks and other hacking attempts. However, staying on top of updates can become tedious for employees, whose activity is often interrupted by their installation process. This is why most of them will press the LATER button for as long as they can.
Nevertheless, patches are crucial to the cyber-health of any system. This is why we here at Heimdal Security integrated the X-Ploit Resilience automatic software updater into our core offering of Thor Foresight Enterprise.
X-Ploit Resilience deploys system updates and patches automatically, thus closing the security gaps in your organization’s network. What is more, installations can be scheduled at the convenience of your employees, minimizing disruptions and optimizing workflows in the process.
#5 Apply DNS Filtering on All Endpoints
Regardless of how strong your company’s password game is, fraudsters can still have a field day with your financial assets if your systems are not protected at the level of the Domain Name System. In fact, most of the aforementioned account takeover fraud methods have higher chances of succeeding if the DNS is not secured.
Fortunately, this is something that can be handled by Thor Foresight Enterprise as well, courtesy of its integrated DarkLayer Guard™ and VectorN Detection DNS security and threat hunting modules. Foresight enables you to locate, prevent, and block digital dangers with its advanced endpoint traffic-filtering technology.
Additionally, the DarkLayer Guard™ module is also integrated with Heimdal’s Forseti, a solution we created to ensure your network cybersecurity at the level of the online perimeter. In this way, your company can cover all its bases and stop ATO fraudsters in their tracks before it’s too late.
To Sum It All Up…
A strong password is your best friend when it comes to account takeover fraud prevention. Nonetheless, backing login credentials with an efficient suite of cybersecurity solutions will take your defenses to the next level. As cyber attackers become increasingly cunning and skilled in penetrating even the sturdiest of digital fortresses, it is your responsibility as a business owner to keep your clients and employees safe.
Has your business ever been targeted by an account takeover attempt? Do you have any thoughts on the topic? Let me know in the comment section below!