Account takeover is a form of identity theft and fraud. It can happen when an online fraudster poses as a genuine customer to gain control of an account and uses the account to make unauthorized transactions and other actions.
Fraudsters can take over any type of account, including credit card, bank, crypto, gaming, email, social media, food delivery, and other online providers.
By posing as a real user, the cybercriminal can alter account details, use stolen information to drain the account’s store of value, access further accounts, steal sensitive data or financial information, or send out phishing emails.
We have put together this guide to help you find out more about account takeover techniques and measures that can be taken to help protect against them.
Account takeover statistics
Account takeover attacks are not new, yet the problem continues to escalate. A report from last year has shown that the number of fraudulent login attempts increased by a massive 282 percent.
Physical product sales via ecommerce businesses saw an account takeover increase of 378 percent since COVID-19, as more users created accounts by providing credentials to shop online.
61 percent of account takeover attacks have targeted ecommerce accounts, but they have become common across many industries where access to an account has inherent value. For example, financial services, hospitality, healthcare, utilities, media, gaming, internet services, and B2B SaaS are all likely targets
How does an account takeover happen?
The growth of digital communication and data storage means that cybercriminals have several different entry points when trying to access a person’s data. Furthermore, as most people do not use robust passwords, or reuse the same credentials for many different account types, cybercriminals often do not require highly sensitive information to access an account successfully. Instead, they will simply look for the most straightforward point of entry and build the account takeover from this point.
Account takeover can start with any piece of personal data you use when you log in to an account, such as the city of residence, date of birth, full name, and email address, all of which can be found with just a little bit of research or obtained from recent data breaches that are made available on the dark web for as little as $0.97 per thousand credentials.
After a hacker has taken over a person’s chief channel of communication, they will be able to amend everything the account grants them access to, such as encryption settings, usernames, passwords, and security questions.
This entire lockout can even result in the actual user looking suspicious when trying to resolve the problem, as they would no longer know the updated details associated with their account.
Where do threat actors locate details for an account takeover?
Criminals are able to access an increasing number of marketplaces to exchange, sell, and buy account details.
While the dark web gives people the cover of anonymity, it is now also increasingly easy to purchase accounts everywhere from Telegram groups to Clearnet cryptocurrency auction websites.
It is also possible for accounts to be accessed via data breaches whereby large databases of accounts are stolen and then freely made available for purchase on the web. Fraudsters can also find account details via brute force attacks and highly customized spear phishing attacks.
Not all account takeovers stem from stolen account data, either. Some can be created for the purpose of selling, which is known as account farming. They are typically geolocated via proxies, and they are created quickly utilizing fake devices via virtual machines. This method it is makes it easier than ever to purchase stolen IDs for a new, fake account.
The reasons account takeover is a growing problem
There are many different factors that are contributing to the increase in account takeover accounts, such as:
It does not matter whether you are operating in the cloud or not; password-based authentication is simply not enough anymore. However, the trouble is that end-users put convenience first. No one wants to remember a 20 character-long password that’s filled with symbols, do they? More often than not, it simply results in the user having to follow the “password reset” process every time they log in.
However, as long as end-users choose convenience over security, we will have this problem. Security professionals have been looking for ways to counter weak passwords for many years now. Some level of password hygiene has been implemented via the likes of password managers and Single Sign-On (SSO). Nevertheless, this is only effective when applied to onboarded services. MFA adds friction to the user experience and while it can be helpful if implemented, has also been shown to be vulnerable to hacker methods. A recent example was recently reported demonstrating success with the use of bots to intercept one time passwords.
Cracking and hacking communities are emerging on the Internet, where credential sharing and knowledge occur. One report revealed that there were 23,000 hacked databases shared on Telegram. Discord is another popular platform used by hacking communities.
Constant data breaches
As businesses continue to grapple with today’s modern IT environments, data breaches keep happening.
By the time a data breach has been disclosed, your details are probably already being sold on the dark web.
Last year, it was reported that 500,000 Zoom accounts were for sale on the dark web. Plus, it was not that long ago that 3.27 billion stolen account logins were revealed in a COMB collection on RaidForums.
The attack surface is growing all of the time
We also cannot ignore that business operations are modernizing all of the time, and this is increasing the attack surface for a lot of companies. More platforms, tools, software, and apps mean that there is more to secure.
Cloud security is something that businesses of all sizes are finding difficult. The mass remote working environment and sprawling infrastructure pose challenges for security professionals. There is a heightened need for users to be appropriately authenticated in this environment, across all websites, mobile apps and APIs, ensuring users are who they say they are before access is granted. APIs are a common entry point as they are often overlooked and can have less sophisticated defenses than websites.
What are the goals of account takeover?
Understanding account takeover helps to learn about why someone would want to gain access to your account in the first place. Some of the different reasons for account takeover are as follows:
Account takeover attacks can target many different business end-users, resulting in long-term damage to an enterprise’s data privacy and security reputation.
Business email compromise
Sophisticated attackers steal the credentials of a central employee, using this information to carry out an attack from the actual employee’s email address. The objective here is to set up a fraudulent transfer of funds or transaction.
Surveillance account takeover
This happens when other people utilize the account to carry out surveillance for the purpose of launching personalized attacks.
Some attackers steal employee credentials to sell them on the black market and make a profit.
Finally, there are cases whereby attackers try to use a hacked email account to launch an undetected phishing campaign.
When accounts have stored value, they can be depleted of cash, gift cards, loyalty points, crypto, before the account takeover is identified. This is becoming increasingly common in crypto exchanges where the recovery and recourse of stored value presents additional challenges due to decentralisation, privacy, and limited consumer protections through regulation.
How much an ATO can cost your business
It is difficult to put a monetary value on an Account Takeover loss because every business is different, and every attack is different. However, there are very real consequences for businesses that have suffered an ATO attack, including the following:
- Hacks and security problems put a huge strain on your IT department
- Users will end up turning to the competition because your brand trust and reputation will be eroded
- Your finance department is going to need to fight chargebacks
- Support is overwhelmed by requests from customers while attempting to reclaim their account
Corporate valuation can also plummet after the breach has become public.
Account takeover techniques
Many different techniques can be used to gain access to someone’s account, so let’s take a look at them in further detail:
A man-in-the-middle attack happens when a third party (a man-in-the-middle) intercepts communication between two parties. This can happen via any type of online communication such as social media, banking, eCommerce, web browsing, and email.
The third party can “listen” to your conversations or attempt to inject data so they can gain access to an app or browser to move data or even compromise the device entirely.
Once they have access to your device, they can do endless amounts of damage; install malware, transfer data files, steal credentials, and spy on you.
Mobile Banking Trojans
The FBI has recently warned about fraudsters and cybercriminals increasingly targeting mobile banking apps to steal credentials and carry out account takeover attacks.
People widely use their mobile devices to carry out banking activities, such as transferring funds and cashing checks. As the public increases its use of mobile banking apps, it is likely that cyber threat actors will increasingly exploit these platforms.
As a consequence of this banking shift, cybercriminals and fraudsters are increasingly deploying the likes of Trojans and malware, as well as fake apps, in an attempt to steal credentials and take over accounts.
Malware is one method cybercriminals use to steal valuable data from unsuspecting individuals. Nevertheless, with a robust fraud prevention and bot detection program in place, you can reduce the chances of this happening.
But, what is malware? Malware is a catch-all term for any sort of malicious software that has been created to exploit or harm any programmable network, service, or device.
There are many different types of malware, including the following:
- Adware – Adware programs will push unwanted advertisements at users, typically displaying blinking pop-up windows or advertisements when you perform a specific action. Adware programs are usually installed in exchange for a different service, for example, the right to utilize a program without paying for it.
- Worms – Worms can copy themselves from machine to machine, typically by exploiting some type of security weakness in a software or operating system. To function, they do not need user interaction.
- Spyware – Spyware is a type of program that is installed onto your device, typically without your knowledge, which will capture and transmit personal data or online browsing habits and details to the user. Spyware allows its users to monitor all types of communications on the targeted device. Government agencies and law enforcement will often use spyware for monitoring and testing communications during an investigation or in a sensitive environment. However, consumers can also access spyware, allowing people to use it for unethical reasons, i.e., spying on someone else.
- Scareware – Cybercriminals will scare people into believing that their smartphones or computers have become infected so that they can convince victims to buy a fake application. During a typical scareware scam, you may notice a worrying message while browsing the Internet that says “you have a virus” or “warning: you have been infected.” Cybercriminals utilize programs like this and unethical advertising practices to scare users into buying rogue applications.
- Ransomware – This is one of the most popular types of malware, as it is so profitable. Once the malware is installed onto the victim’s machines, it will encrypt their files, and then it will demand a ransom for the data to be returned. Even if you pay the ransom, there is no guarantee that your files will be returned to you.
- Viruses – A virus will typically come as an email attachment that carries a virus payload or some of the malware that carries out the malicious action. After the victim opens the file, the device will become infected.
Cybercriminals will usually use malware to extract data that they can use over their victims for financial gain. This data can range from personal emails and passwords to healthcare records and monetary data.
Some of the different ways that cybercriminals use malware today include the following:
- Infecting computers and using them to mine cryptocurrencies
- Assume control of several computers to launch denial-of-service attacks against other networks
- Steal consumer credit card data or different types of financial data
- Trick a victim into providing personal data for identity theft
SIM Card Swapping
A SIM swap attack happens when a hacker uses several techniques, aimed at tricking the mobile provider, to transfer a victim’s phone number to their own SIM card.
Once they have access to the phone, they can successfully bypass multi-factor authentication and take over sensitive accounts. This is one example how MFA can be bypassed to successfully conduct an ATO attack.
A fraudster will usually purchase a list of stolen credentials via the Dark Web. This can include a wide range of data, including email addresses and corresponding passwords.
This information can also be utilized to get unauthorized access to a number of accounts based on the assumption that a lot of people reuse the same passwords and usernames again and again.
Credential stuffing incidents tend to use bots that attempt to access an account through automated scripts. This is a fast and cost effective means to test thousands of credentials across many websites and as such remains one of the most common means to takeover accounts.
Another credential stuffing method is a brute force attack or credential cracking. It involves attempting to guess the correct password for the account by making many different log-in attempts with different passwords every time. Automation is exploited such that it’s possible to quickly test a vast number of passwords to find the proverbial needle in the haystack.
If the authentication process demands multi-factor authentication, i.e., a one-time password and fingerprints, gaining access may be challenging, but it is not impossible. The bots used today are incredibly sophisticated.
Last but not least, people are the weakest security link because we have a neutral tendency to trust others, which is critical in effective social engineering attacks.
Phishing scams are engineered to impersonate well-trusted and known individuals and brands. They look legitimate and can use emotional appeals to ask people for donations.
People are then persuaded to click on the links, which redirect them to open an attachment that will install malware on their computer or head to a fake banking portal so that the malicious actor can steal their details.
Email is the most common type of phishing, yet social media messaging services and text messages (SMS) can also be used. In fact, in terms of mobile phishing, the targeted person will not even need to download an attachment. A link in the SMS can direct the user to a website that will install malware onto their device automatically.
How can you avoid account takeover?
Now that you know more about the different account takeover techniques used, it makes sense to learn about account takeover protection measures that can reduce the likelihood of exploitation..
As mentioned, there are lots of different techniques, both human and automated, that can be applied in an attempt to takeover accounts. Both need to be addressed and require different techniques and tools to overcome. Our expertise at Kasada allows us to provide the perspective that arises from automated threats. Most automated threats related to ATO start with login abuse such as credential stuffing, so protecting this surface area from bad bots is paramount yet challenging for a variety of different reasons.
It is imperative to deploy an effective bot detection and mitigation solution so you can protect your business from the threat of an account takeover. However, the trouble is that the majority of today’s bots look and act just like humans and are able to bypass outdated defenses such as CAPTCHA.
Web Application Firewalls (WAFs) don’t offer the protection that is needed
Web application firewalls are only going to protect your applications from the most evident software vulnerabilities, for example, session hijacking, cross-site scripting, and SQL injections – and not do very much for stopping modern bots.
WAFs have not been created to detect automated, real-time threats, and this is why they are not effective in protecting you from ATO attacks. This is especially the case today when you consider that sophisticated bots don’t look or act like bots anymore. Instead, they look like and mimic human behavior.
What we mean by this is that bot operators use techniques like hiding behind residential proxy networks to blend in with legitimate traffic such that blocking “bad” IP addresses is not feasible. They rotate their IP addresses constantly and coordinate “low and slow” attacks such that applying rate controls is ineffective. Bot operators also use script recorders to capture human gestures and behaviours (e.g mouse movements, stay on a page for a while, click behavior), enabling them to get past a WAF’s simplistic rule and IP-based detections.
Most Bot Management offerings can’t either
First-generation detection solutions have extended their WAFs to respond with mitigating actions. Since they are extensions of WAFs they still depend on rate limiting, device fingerprinting, and IP blocking, which have become frustratingly ineffective in terms of detecting modern bot operations. In order to look for suspicious activity that flies under the radar, they need to let automated requests in. By this point, it is already too late.
CAPTCHAs are not effective anymore
Another solution that we have seen a lot of people rely on is CAPTCHAs. However, they are simply not effective anymore.
In fact, all you need to do is a quick search on YouTube, and you will see that there are plenty of videos that teach people how to program bots so that they can solve CAPTCHAs or get past them. If it is that easy to get this information, you know CAPTCHAs can’t be doing their job anymore.
Not only this, but CAPTCHAs make the user experience a frustrating one and are detrimental to online conversions. They can actually be quite difficult for humans to solve as well. Often, it’s not very clear what’s being shown in the photographs, and it’s easy to click on a few incorrect images. If someone makes a few errors, this can easily result in a false positive. This only makes the process even more frustrating for the user, and possibly a bit embarrassing too.
How Kasada differs from outdated solutions
Kasada provides an effective and straightforward bot detection and mitigation solution, which stops five billion requests every month that are mistakenly left undetected by legacy systems deployed in-front of Kasada. We will protect your business against the damaging impact of malicious automation across your APIs, mobile, and web.
Our cloud-based service is provided alongside immersive, embedded 24/7 customer support, with no added maintenance burden placed on your internal team.
Unlike a lot of the inefficient bot mitigation tools that are out there today, Kasada is implemented within a matter of minutes, demonstrating clear ROI across multiple departments. It doesn’t depend on outdated rules, risk scoring and device fingerprinting to determine whether a request is from a bot or human. Instead it applies a zero trust philosophy to detecting bots – every request is assumed guilty before proven innocent – and Kasada looks for the immutable evidence of automation that presents itself whenever a bot interacts with a website, mobile app or API.
Our solution makes bots do the work, rather than humans. You can say goodbye to CAPTCHAs, which hurt conversions and sales levels. Instead, we use a cryptographic challenge to cleverly deter synthetic traffic by making it expensive and arduous for bots to continue their attacks. At the same time, end-users do not have to take any action, so you can be sure your consumers will be kept happy.
This is something that Hyatt has experienced in their collaboration with us. In fact, the Vice President and Chief Information Security Officer, Benjamin Vaughn stated that they saw value from the first account takeover event we prevented:
“The first time Kasada prevented an account takeover event, we saw value. We see very regular updates and new features added to the product — indicating Kasada’s commitment to continuous improvement — and full transparency on pricing. From a service standpoint, Kasada offers us an embedded, finely integrated support model that ensures the right actions are taken at the right time. Having their support team available to answer questions 24/7 is something very special. It’s immersive and demonstrates something we highly value at Hyatt — commitment to genuine care.”
Understanding how Kasada works to prevent account takeover
Kasada adapts to threats in real-time. Earlier, we highlighted the variety of different methods that are used to launch ATO attacks. One thing that you can never afford to do is wait around. Instead, you need to strike back, making the attacks too arduous and expensive to conduct.
If ATO attempts are unsuccessful and costly, the threat actor is going to think twice before attacking your network again. It simply won’t be worth the time, resources, or expense. There will be easier targets to move on to.
Let’s take a look at the three approaches we use to make sure that malicious actors are not able to take over your accounts.
- Client interrogation – Client interrogation inspects all client requests for the immutable evidence of automation left by bots when they interact with applications. Our client inspection process is completely invisible to humans, so you do not need to worry about the user experience being negatively impacted. We will look for automation frameworks and headless browsers. Plus, inference will determine if the request is from a good bot, bad bot, or a human, without needing to let a request in. One of the main problems with bot detection services today is that they need to let the requests in to determine whether or not there is a threat, and by this point, the damage is already done. However, we can determine threats before they have gotten into your network. We use our own polymorphic method to obfuscate sensors so that reverse engineering attempts can be deterred..
- Mitigative actions – There are a number of mitigative actions that we take to prevent your business from being the victim of an account takeover. For example, we use custom responses so that bot operators are deceived while also ensuring that bot attacks are way too costly to be carried out on a large scale. Our cryptographic challenges make threat actors solve increasingly challenging asymmetric cryptographic challenges as proof of work, acting as a further barrier for those looking to launch an ATO by way of credential stuffing. We also fight automation with automation. This is expensive work, exhausting computer resources with the adversary being none the wiser.
- Threat intelligence – The third piece of the puzzle is threat intelligence. We carry out a deep analysis of traffic patterns and adversarial techniques by assessing all sensory and request data, including the use of machine learning (ML). We also add any learnings from our data to the client inspection process in real-time, without there being any need for upgrades to code. This enables instantaneous defense updates and continual feedback.
Experience the benefits of Kasada and protect your business from an ATO
At Kasada, we have been leading the way when it comes to mitigating advanced bots and preventing your business from account takeover in ways that a lot of other security companies are unable to. Here are some of the different benefits that are associated with using Kasada for account takeover protection:
- Business Visibility – Not only does our solution offer robust, instant, and effective security, but it cleans up skewed data so that you can benefit from accurate web metrics that will drive your business forward. With our 24/7 support and actionable insights, you have everything you need to take your business to the next level.
- Simplicity – We have worked hard to make sure that our security solution is easy to use, manage, and integrate into your current tech stack. Virtually no maintenance is required when you use Kasada. Also, it’s simple for the users too. There’s nothing worse for a customer than going to purchase something and then having to spend your time choosing all of the yachts on-screen. Instead, we make the bots do the work so that your users can enjoy a seamless experience.
- Long-Term Efficacy – Another benefit associated with using Kasada is that we will prevent attacks from the initial page load request, including new bots. Our solution continues to remain effective by frustrating attackers and fighting back.
- Time-to-Value – We don’t use custom rules or tuning to detect bots. Instead, we detect them immediately, enabling them to act before they get into your network. With Kasada, our solution is deployed and will provide time-to-value within just 30 minutes.
If you would like to find out more about Kasada and how our solution can benefit your business, please do not hesitate to get in touch with us today. You can request a free instant test to see if your website can detect modern bot attacks or send an email to firstname.lastname@example.org, and we will get back to you as soon as possible. Alternatively, you can request a demo to see Kasada in action.