Although malware and ransomware are commonly identified as the top security risks for organizations to mitigate, another risk is rapidly evolving behind the scenes—and it is becoming a top cybersecurity concern for organizations in 2022.
This risk is called account takeover (ATO). Even though ATO attacks have been around for a decade, solutions are still not doing enough to protect their customers from the sophisticated and evolving strategies attackers use.
According to the 2022 Cyberthreat Defense Report by CyberEdge Group, 85% of organizations were the victims of a successful cyberattack in 2021. That number will only continue to increase unless organizations of all sizes take the necessary steps to secure their data.
Account takeover is a risk you cannot afford to take
Account takeover is a type of fraud in which an attacker gains control of another person’s online account. Cybercriminals take over accounts by stealing or buying the victim’s login credentials, by infecting their devices with malware, or by exploiting weaknesses in the login and account-recovery flows themselves. Once in control, the attacker can lock the real owner out by changing the password and recovery details, harvest stored payment card data for use elsewhere, drain balances or loyalty points, or use the account as a trusted foothold for further fraud.
Account takeover (ATO) can have serious consequences for both individuals and businesses. For individuals, personal information may be compromised, and they may be unable to access their accounts. For businesses, account takeover can lead to significant financial losses and damage to their reputation.
ATO risks aren’t going away anytime soon, either. ATO attacks increased 307% between 2019 and 2021.
The rise of account takeover fraud
One of the earliest high-profile incidents linked to this problem was the Target breach in 2013, in which attackers stole payment card data for tens of millions of customers from the retailer’s point-of-sale systems. Strictly speaking it was a card-data breach rather than an account takeover, but the attackers’ initial foothold came through credentials stolen from a third-party vendor, which is exactly the pattern ATO exploits.
Since then the problem has only grown. In 2018, Ticketmaster disclosed a breach in which attackers harvested customer payment and account details through a compromised third-party script on its checkout pages. And this year we have seen account takeover attacks across every industry, from financial services to online grocery providers to streaming services, affecting millions of people.
Account takeover fraud is a serious problem that is only getting worse. There are several factors that have contributed to the rise of account takeover fraud:
The growth of online commerce
As more businesses move online, there are more opportunities for fraudsters to commit account takeover fraud. E-commerce businesses are particularly vulnerable, as they often store large amounts of customer data, including credit card numbers and account login information.
The amount of personal data on social media
Social media accounts are often weakly protected (reused passwords, no 2FA), and they hold a lot of the personal information that fraud and identity theft depend on: birthdates, home towns, addresses, phone numbers, and the names of family members and pets that double as security-question answers. This makes account takeover a serious security issue for our favorite social networks, and a stepping stone to attacks on other accounts.
The increase in data breaches
Cybercriminals are able to obtain login credentials from data breaches, which they can then use to take over accounts. They can also buy stolen login credentials on the dark web and use them for credential stuffing attacks and other forms of account takeover fraud.
The proliferation of mobile devices
Mobile devices are often lost or stolen, handing whoever finds them physical access to apps that are still logged in. Small screens also make a spoofed sender or a lookalike URL harder to inspect, and the phone number itself has become a recovery factor for many accounts, which is precisely what SIM-swap attacks exploit.
The affordable and easy access to automation
Malicious automation might initially sound expensive—but unfortunately, it is very cost-effective for attackers to use. The price the fraudster pays is minimal, but the damage the ATO attack causes is astronomical to the organization affected by the malicious activity.
Why is account takeover (ATO) hard to protect against?
Account takeover usually involves the use of stolen credentials. When fraudsters have correct login info, they can often gain access to an account without triggering any alarms.
In addition, account takeover can be difficult to detect because it often relies on social engineering techniques. Malicious actors may impersonate the victim or use other methods to trick the account holder into giving them their login information.
Unfortunately, account holders often do not realize that their account has been compromised until it’s too late.
Is it easy to commit account takeover fraud?
Yes and no. Account takeover requires a combination of technical and non-technical skills, though both are increasingly available for purchase.
- Technical skills: running credential-stuffing tools, configuring proxy pools to evade IP-based blocking, and, for the more capable groups, finding and exploiting weaknesses in login and account-recovery flows.
- Non-technical skills: social engineering. Attackers need personal details such as birthdates, addresses, and Social Security numbers to pass identity checks and recovery questions, and they obtain them by phishing victims, buying breach data, or talking their way past customer-service staff.
Although the average person might not have the knowledge or skill set to commit ATO fraud, there are thousands of cybercriminals who think taking over an account is like a walk in the park. There is also a growing number of professional account takeover gangs that specialize in this type of fraud.
Most prominent security risks that facilitate account takeover fraud
There are several security risks that can facilitate account takeover fraud:
Using the same password for multiple accounts
If a fraudster obtains the login credentials for one account, they can use those same credentials to take over other accounts. This is why it’s important to use different passwords for every account.
Reusing passwords that were previously compromised
If you have ever used a password that was involved in a data breach, it’s important to change that password and never use it again.
Using easily guessed passwords
Easily guessed passwords are one of the most common routes to account takeover. Malicious actors run password-guessing tools against the login page, or simply spray the handful of passwords that people choose most often across every account they know of.
Length and uniqueness matter far more than the character mix. Current NIST guidance (SP 800-63B) is to require a minimum length (at least 8 characters, with 12 or more a sensible floor), allow long passphrases, drop mandatory composition rules, and screen every new password against lists of passwords exposed in past breaches. “P@ssw0rd!” satisfies every composition rule and appears in every cracking list.
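The screening described above, as an added example that is not Kasada’s code: a length check plus a breached-password lookup done the way the Have I Been Pwned “range” API works (only the first five hex characters of the SHA-1 hash leave the client; the suffix comparison happens locally). The breached corpus here is a small constructed list indexed the same way; a real deployment would query the service or a local copy of the full list instead.

```python
"""Password screening per NIST SP 800-63B: length plus a breached-password
check, no composition rules.

Added example, not Kasada's code. BREACHED_RANGES is a constructed stand-in
for a breached-password corpus, indexed the way the HIBP range API keys it:
first five hex characters of the SHA-1 hash -> set of 35-character suffixes.
"""
import hashlib
from collections import defaultdict

MIN_LENGTH = 12
MAX_LENGTH = 128  # bound hashing cost; long passphrases are still welcome


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached_passwords) -> dict:
    """Index a plaintext corpus as prefix -> set of suffixes. At lookup time
    only the hash is needed, never the plaintext."""
    index = defaultdict(set)
    for pw in breached_passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


# Constructed sample corpus of well-known breached passwords.
BREACHED_RANGES = build_range_index([
    "password", "123456", "qwerty", "P@ssw0rd!", "Summer2021!", "letmein",
])


def is_breached(password: str, ranges: dict = BREACHED_RANGES) -> bool:
    """k-anonymity lookup: the 5-character prefix selects a bucket, and the
    remaining 35 characters are compared locally."""
    digest = sha1_hex(password)
    return digest[5:] in ranges.get(digest[:5], set())


def screen_password(password: str, username: str = "") -> list:
    """Return the reasons a candidate password is rejected (empty = accepted)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    if is_breached(password):
        reasons.append("appears in a breached-password list")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "correct horse battery staple"):
        print(candidate, "->", screen_password(candidate) or "accepted")
```

Note that “P@ssw0rd!” fails twice (too short and breached) despite meeting every classic composition rule, while a long unbreached passphrase with no symbols or digits passes.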
Failing to enable two-factor authentication
Two-factor authentication (2FA) is an additional layer of security that can help to protect your accounts.
With 2FA, a second proof is required along with the password: a code from an authenticator app, a push approval, a hardware key, or, the weakest option, a code sent to your phone or email. Even the weak forms raise the cost of an attack, because a stolen password alone no longer opens the account. Bear in mind, though, that SMS and email codes can be captured by SIM swapping or phished in real time, so prefer an authenticator app or a hardware key where the service offers one.
Failing to keep software up to date
One of the most important actions you can take to protect your account is to keep your software up to date. Malicious actors often exploit vulnerabilities in outdated software to compromise accounts.
Siloed assets and lack of comprehensive visibility
It’s crucial for organizations to have visibility into all of their assets in order to detect and respond to security threats.
Broken object-level authorization (BOLA) is an API weakness (number one in the OWASP API Security Top 10) in which an endpoint checks that the caller is logged in but not that the caller owns the object being requested, so any authenticated user who can guess or increment an identifier can read or modify someone else’s account data. It matters twice over for ATO: it exposes the personal details attackers use to pass recovery checks, and where the endpoint also writes (changing an email address or phone number, for example), it is a takeover in itself.
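The weakness described above, as an added example that is not Kasada’s code: a vulnerable account-lookup handler beside its hardened form, with an in-memory store, the `Account` record and the `current_user` parameter standing in for a real API’s database and session layer (all constructed for the example).

```python
"""Broken object-level authorization (BOLA) and its fix, side by side.

Added example, not Kasada's code. ACCOUNTS, Account and current_user are
constructed stand-ins for a real API's database and session layer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: int
    owner_id: int
    balance_cents: int


# Constructed sample data: two customers, three accounts.
ACCOUNTS = {
    1001: Account(1001, owner_id=1, balance_cents=250_00),
    1002: Account(1002, owner_id=2, balance_cents=9_999_00),
    1003: Account(1003, owner_id=2, balance_cents=12_00),
}


class Forbidden(Exception):
    """Caller is authenticated but not authorized for this object."""


def get_account_vulnerable(current_user: int, account_id: int) -> Account:
    """BOLA: the caller is authenticated (current_user is known) but the
    handler never checks who owns the requested record, so any logged-in
    user can walk account_id values and read every account."""
    return ACCOUNTS[account_id]


def get_account_hardened(current_user: int, account_id: int) -> Account:
    """Object-level check: the record must belong to the caller.

    A missing record and a record the caller may not see produce the same
    error, so the endpoint cannot be used to enumerate which IDs exist."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner_id != current_user:
        raise Forbidden(f"account {account_id} not found")
    return account


def enumerate_accounts(handler, current_user: int, id_range) -> list:
    """Simulate an attacker walking sequential IDs through a handler and
    return the IDs whose data leaked to that caller."""
    leaked = []
    for account_id in id_range:
        try:
            handler(current_user, account_id)
            leaked.append(account_id)
        except (Forbidden, KeyError):
            continue
    return leaked


if __name__ == "__main__":
    # Customer 1 should only ever see account 1001.
    print("vulnerable:", enumerate_accounts(get_account_vulnerable, 1, range(1000, 1005)))
    print("hardened:  ", enumerate_accounts(get_account_hardened, 1, range(1000, 1005)))
```

The fix is a single ownership comparison, but the place to put it is in a shared data-access layer rather than in each handler, so a forgotten check in one endpoint does not reopen the hole.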
Zero-day vulnerabilities, flaws for which no patch yet exists, are the attacker’s advantage by definition: a security team cannot prioritize a bug it does not know about. What it can control is exposure. Patch quickly once fixes ship, keep the externally reachable attack surface small, and layer controls and monitoring so that a single unknown flaw does not translate straight into account access.
Automated bots allow threat actors to scale up their efforts and compromise accounts more quickly than ever before. Advanced bots can also go undetected for long periods of time, which gives them a wider window of opportunity to complete an ATO attack successfully.
Common ATO fraud scenarios that organizations face
Account takeover attacks come in many forms. Here are a few scenarios that are prevalent in today’s cyber world:
1. Your company suffers from a data breach.
This is one of the most common consequences of a successful ATO attack. If you have weak credentials or don’t have two-factor authentication (2FA) turned on, your organization is more at risk.
Unfortunately, there is no surefire way to prevent a data breach. Even if you take all the right security measures, the worst-case scenario could still happen to you.
To stay one step ahead of bad bots, we recommend investing in advanced bot detection and mitigation software like Kasada’s.
2. Your credentials get stolen by malware.
Malware is often the first link in the chain. Infostealers running on an employee’s or customer’s device harvest saved browser passwords and session cookies; the operators sell those logs in bulk, and buyers feed the credentials into automated credential-stuffing campaigns against other sites, or replay the cookies directly to bypass the login altogether.
3. Your employee falls for a phishing scam.
You must train your team to spot the signs of phishing emails. A single link click could compromise an employee’s device—which could cause a company-wide data breach if the attacker is successful.
ATO attacks often create a domino effect. Once one account is compromised, it is much easier for the malicious actor to gain access to other accounts. That’s why it’s so crucial to stop these attacks before they even begin.
4. Your employee gets hacked over an unsecured Wi-Fi network.
Remote work is still booming in 2022, and that means your employees may choose to work outside of their homes or offices.
Public Wi-Fi at cafes, libraries, and restaurants is a risk you have little control over, since the attack happens off-premises. Because most web traffic is now protected by TLS, the practical threat is not passive eavesdropping but rogue access points and fake captive portals that trick users into accepting a certificate or typing credentials into a lookalike page. Employees should treat certificate warnings as a stop sign and connect through the corporate VPN.
Types of ATO attacks
There are several types of account takeover attacks, such as:
Loyalty program fraud
This type of account takeover fraud occurs when fraudsters take over customer loyalty accounts and use them to redeem points or make purchases. Loyalty program fraud is a common issue for companies in the hospitality industry.
Creation of synthetic identities
Strictly this is new-account fraud rather than a takeover, but it feeds on the same stolen personal data. Fraudsters stitch real Social Security numbers, names, and dates of birth (often from different people) into a synthetic identity, open accounts in its name, and apply for credit cards, loans, and other services. The real people whose details were used are left with the debt and the cleanup.
ATM fraud
Malicious actors use stolen card details and PINs to withdraw cash from ATMs.
Phishing
This is when an employee of the company is tricked into handing their login information to the fraudster. The fraudster may pose as an IT support person or send an email that appears to come from the company. Organizations that do not train their employees to watch for phishing are especially vulnerable to ATO fraud.
Spear phishing
The attacker targets a specific person or organization. They will often have some knowledge of the victim, gathered from social media or earlier breaches, which they use to make the phishing email more believable.
Data breaches
In this type of attack, the fraudster gains access to the company’s databases and steals sensitive information such as customer data, including the credential sets that fuel the next round of stuffing attacks.
Unauthorized transactions
This type of account takeover involves using the victim’s account to make unauthorized transactions, such as transferring money out of the account or making purchases.
Deepfakes
Deepfakes are an impersonation technique rather than a takeover in themselves: AI-generated audio, images, or video of the account holder are used to defeat voice verification, video identity checks, or a colleague’s judgment. They are hard to spot in real time and can serve financial fraud or espionage.
Supply chain attacks
The fraudster targets a company’s suppliers or vendors. They may send an email that appears to come from the company and trick the supplier into handing over login information or other sensitive data, then use the supplier’s access to reach the company.
SIM swap scams
A SIM swap scam is a type of attack in which the fraudster tricks the victim’s mobile carrier into giving them control of the victim’s phone number. The fraudster then uses the phone number to reset the victim’s account passwords and take over their account.
Business email compromise (BEC)
In a BEC attack, often called CEO fraud, the fraudster impersonates a senior executive, or operates from that executive’s taken-over mailbox, and tricks an employee into transferring money or sensitive data. Whaling is the related tactic of phishing the executives themselves.
SMS OTP fraud
In this type of account takeover, the fraudster obtains the one-time passcodes (OTPs) the service sends by text message, either by intercepting the messages (through a SIM swap or malware on the phone) or by phishing them in real time with a fake login page or an automated “verification” call that relays the code to the attacker as it arrives. The OTP is then used to complete the login or approve a change to the account.
Session hijacking via remote access trojans (RATs)
Remote access trojans (RATs) are malware, often bundled in a legitimate-looking app, that give the fraudster remote control of the victim’s device. Logging in from that device reuses the victim’s own IP address, cookies, and device fingerprint, so the session looks legitimate to risk engines that key on those signals, and the fraudster can commit fraud inside an already authenticated session.
The consequences of ATO fraud
Both individuals and businesses can suffer dire consequences when their accounts are taken over by cybercriminals.
How account takeover fraud affects individuals
Individuals can suffer a range of consequences when their accounts are taken over. Here are a few examples:
- Identity theft: The fraudster may gain access to your personal information. They can use this information to commit identity theft and open new accounts in your name.
- Financial loss: The fraudster may use the account to make unauthorized purchases or transfer money to accounts they control.
How account takeover fraud affects businesses
Businesses can also suffer serious consequences when their accounts are taken over by cybercriminals. Here are a few examples:
- Financial loss: After suffering data breaches, businesses experience financial losses in the form of lost customers and recovery costs.
- Damage to reputation: If a business’s accounts are taken over, it often receives a wave of negative press, which erodes the trust of current and potential customers.
- Loss of customer data: If a business’s accounts are taken over, the fraudster may gain access to sensitive customer data. This can lead to regulatory and legal consequences for the business.
Which organizations are most at risk of account takeover fraud?
Traditionally, ATO fraud targeted financial institutions. Now, any organization that uses online accounts is at risk of ATO fraud.
Organizations of all sizes and industries can become victims of account takeover fraud. However, there are some organizations that are more vulnerable to this type of fraud.
E-commerce
E-commerce businesses often hold personal customer data, such as credit card numbers and addresses. This information is valuable to cybercriminals, so e-commerce businesses are a standing target for account takeover fraud.
Financial services
It isn’t difficult to understand why the financial services industry is a prime target for ATO attacks.
Sophisticated account takeover attacks aim to control identities and accounts long-term by changing crucial details like addresses and phone numbers so they can gain control of funds or lines of credit. It can be difficult for financial institutions to discern real activity from fraudulent activity.
Government agencies
Government agencies hold sensitive information that would be valuable to fraudsters, so they are especially vulnerable to account takeover fraud.
Healthcare
Healthcare organizations are also frequent targets of account takeover attacks, for the same reason as government agencies: they hold sensitive information that attackers can use for a variety of purposes.
Media, entertainment, gaming, and streaming services
Did you know that the media industry sees just as many ATO attacks as the financial sector? The industry has suffered from numerous data breaches that have given threat actors access to millions of credentials to test on different websites.
Additionally, the gaming industry is a major target for ATO attacks due to loyalty program fraud and the ability of attackers to withdraw money or points from an account once it has been compromised.
Myths about account takeover fraud
There are many misconceptions about account takeover fraud, and it’s important to distinguish myth from truth so you can protect your sensitive data. Let’s bust some common ATO fraud myths:
Myth 1: Only accounts with weak passwords are at risk of being taken over.
While it’s true that weak passwords are easier for fraudsters to guess, strong passwords are not foolproof. Malicious actors can use social engineering techniques to trick account holders into giving them their login information.
In addition, fraudsters can obtain login credentials from data breaches and use them to take over accounts. That’s why data breaches are so devastating for both businesses and individuals—there is a lot at stake.
Myth 2: Account takeover is a new type of fraud.
Account takeover has been around for many years, but it has only become more prevalent in recent years due to the increase in data breaches and the proliferation of mobile devices. The advancement of technology and AI has made it easier for attackers to commit ATO fraud on a large scale.
Myth 3: Only online accounts can be taken over.
While account takeover is most common with online accounts, the attack path often runs through the offline world. A SIM swap is carried out by talking a carrier’s retail or call-center staff into porting the victim’s number; stolen mail yields account statements and reset letters; and a taken-over email account is then used to reset the passwords of the victim’s bank and social media accounts. ATO fraud is usually a multi-step process, and some of those steps happen offline.
Myth 4: There’s nothing you can do to prevent account takeover.
There are steps you can take to protect your accounts from being taken over. For example, you can use strong passwords and enable two-factor authentication. You can also keep an eye out for suspicious activity and report it to the account provider as soon as possible.
There are many steps you can take to reduce your risk of ATO fraud. (More on that later!)
Automated methods fraudsters use to commit account takeover fraud
Automation has enabled cybercriminals to commit account takeover fraud on a grand scale.
Most campaigns start with credentials that are already in the attacker’s hands, bought from a breach dump or harvested by phishing or infostealer malware. From there, automation takes over: the lists are replayed against login pages at a volume no human could manage.
Here are a few examples of automated account takeover methods:
Credential stuffing
Credential stuffing replays username and password pairs leaked in earlier breaches against the login endpoint of another site, betting on password reuse. A list of millions of pairs, a tool to submit them, and a pool of proxy IPs to spread the requests are all it takes; a success rate of a fraction of a percent still yields thousands of working accounts.
It is relatively easy to automate, which is why it is the workhorse technique cybercriminals use to gain access to valuable accounts.
Types of credential stuffing attacks
- Credential replay: stolen email/password pairs submitted to the login form until some of them succeed.
- Account validation (checking): the same lists run against the login or “forgot password” flow only to learn which accounts exist at the target, producing a validated list that is sold on or used for targeted attacks.
- Automated account creation: related bot abuse in which stolen or synthetic identities are used to mass-register new accounts. It is not a takeover, but it rides the same tooling and proxy infrastructure.
Brute force attacks
A brute force attack guesses the password outright. Automated tools generate candidates, from dictionaries or by exhaustively combining characters, and submit them until one works; without rate limiting or lockout, millions of guesses against a single account are cheap.
Types of brute force attacks
- Password spraying: a small set of very common passwords tried once against every known username, so that no single account trips a lockout threshold. This is the variant that defeats weak-password policies at scale.
- Exploiting broken authentication: not a guessing technique itself but the weakness that makes guessing feasible, such as login or reset endpoints with no rate limiting, no attempt counting, or predictable reset tokens.
Session hijacking
Session hijacking is a type of attack in which the fraudster takes over an active session between a user and a website. This lets the fraudster act as the account holder without ever seeing the password, and without triggering the MFA prompt the real user has already satisfied.
Types of session hijacking attacks
- Cookie hijacking: the fraudster steals the user’s session cookie (via infostealer malware, a cross-site scripting flaw, or an insecure connection) and replays it from their own machine.
- Man-in-the-middle attacks: the fraudster inserts themselves into the traffic between the user and the website, for example through a rogue Wi-Fi access point, and captures tokens or credentials in transit.
Botnets
A botnet is a network of infected computers that can be controlled remotely by a fraudster. Malicious actors use botnets to launch attacks and commit ATO fraud.
Types of botnet attacks
- Distributed credential stuffing: login attempts spread across thousands of infected machines so that each IP address sends only a handful, defeating per-IP rate limits and blocklists.
- DDoS attacks: the fraudster uses the botnet to flood a website with traffic, making it unavailable to legitimate users.
- Spamming: the fraudster uses the botnet to send out spam emails or messages.
- Phishing: the fraudster uses the botnet to send out phishing emails to trick users into handing over their login information.
Account recovery abuse
Account recovery abuse is when fraudsters automate the “forgot password” and security-question flows. They feed wordlists of likely answers (pet names, schools, birthplaces) or details scraped from social media and breach data into recovery forms until an account resets.
Types of account recovery abuse
- Security-question guessing: the fraudster runs a list of candidate answers against the recovery questions to reset the password for an account.
- Recovery-channel takeover: the fraudster first takes over the email address or phone number registered for recovery, then uses it to reset the target account.
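The traffic patterns above, credential stuffing, brute force and password spraying, each leave a distinct shape in authentication logs, which is what the login monitoring and anomaly checks recommended later in this article look for. The following is an added example, not Kasada’s code or detection logic: it classifies the traffic from each source IP using three heuristics and lists the accounts the attackers actually got into. The log is constructed, and the field layout (timestamp, source IP, username, result) and every threshold are assumptions to tune against real traffic. The key design choice is that the server records `bad_password` (the user exists) separately from `unknown_user`: stuffing a breach list at a site produces many usernames that do not exist there, while spraying uses a list of real usernames.

```python
"""Classify login traffic per source IP as brute force, password spraying or
credential stuffing, and list the accounts that were actually taken over.

Added example, not Kasada's code. SAMPLE_LOG, the field layout and the
thresholds are all constructed assumptions.
"""
from collections import Counter, defaultdict

MIN_ATTEMPTS = 8         # below this, one IP is not worth classifying
SINGLE_USER_SHARE = 0.8  # share of attempts on one account -> brute force
SPREAD_SHARE = 0.8       # distinct users / attempts -> one try per user
UNKNOWN_SHARE = 0.3      # unknown-user rate -> usernames came from elsewhere

# Constructed sample log: "timestamp source_ip username result".
SAMPLE_LOG = """\
2022-06-01T10:00:00Z 203.0.113.5 alice bad_password
2022-06-01T10:00:01Z 203.0.113.5 alice bad_password
2022-06-01T10:00:02Z 203.0.113.5 alice bad_password
2022-06-01T10:00:03Z 203.0.113.5 alice bad_password
2022-06-01T10:00:04Z 203.0.113.5 alice bad_password
2022-06-01T10:00:05Z 203.0.113.5 alice bad_password
2022-06-01T10:00:06Z 203.0.113.5 alice bad_password
2022-06-01T10:00:07Z 203.0.113.5 alice bad_password
2022-06-01T10:00:08Z 203.0.113.5 alice success
2022-06-01T10:01:00Z 198.51.100.7 alice bad_password
2022-06-01T10:01:01Z 198.51.100.7 bob bad_password
2022-06-01T10:01:02Z 198.51.100.7 carol bad_password
2022-06-01T10:01:03Z 198.51.100.7 dave bad_password
2022-06-01T10:01:04Z 198.51.100.7 erin bad_password
2022-06-01T10:01:05Z 198.51.100.7 frank bad_password
2022-06-01T10:01:06Z 198.51.100.7 grace bad_password
2022-06-01T10:01:07Z 198.51.100.7 heidi bad_password
2022-06-01T10:01:08Z 198.51.100.7 ivan success
2022-06-01T10:02:00Z 192.0.2.44 jdoe1988 unknown_user
2022-06-01T10:02:01Z 192.0.2.44 soccermom42 unknown_user
2022-06-01T10:02:02Z 192.0.2.44 alice bad_password
2022-06-01T10:02:03Z 192.0.2.44 mike.r unknown_user
2022-06-01T10:02:04Z 192.0.2.44 bob bad_password
2022-06-01T10:02:05Z 192.0.2.44 tigerfan unknown_user
2022-06-01T10:02:06Z 192.0.2.44 dave success
2022-06-01T10:02:07Z 192.0.2.44 kpatel unknown_user
2022-06-01T10:02:08Z 192.0.2.44 carol bad_password
2022-06-01T10:02:09Z 192.0.2.44 lwong unknown_user
2022-06-01T10:03:00Z 10.0.0.8 alice success
2022-06-01T10:03:05Z 10.0.0.8 bob bad_password
2022-06-01T10:03:09Z 10.0.0.8 bob success
"""


def parse_log(text: str) -> list:
    """Parse whitespace-separated lines into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append({"ts": ts, "ip": ip, "user": user, "result": result})
    return events


def classify_ip(events: list) -> str:
    """Label one source IP's events from the shape of its traffic."""
    attempts = len(events)
    if attempts < MIN_ATTEMPTS:
        return "normal"
    per_user = Counter(e["user"] for e in events)
    results = Counter(e["result"] for e in events)
    if per_user.most_common(1)[0][1] / attempts >= SINGLE_USER_SHARE:
        return "brute_force"  # hammering a single account
    if len(per_user) / attempts >= SPREAD_SHARE:
        if results["unknown_user"] / attempts >= UNKNOWN_SHARE:
            return "credential_stuffing"  # breach list full of outsiders
        return "password_spraying"  # real usernames, one try each
    return "suspicious"


def analyze(text: str):
    """Return ({ip: label}, sorted usernames that attack IPs logged into)."""
    by_ip = defaultdict(list)
    for e in parse_log(text):
        by_ip[e["ip"]].append(e)
    labels = {ip: classify_ip(evs) for ip, evs in by_ip.items()}
    compromised = {
        e["user"]
        for ip, evs in by_ip.items() if labels[ip] != "normal"
        for e in evs if e["result"] == "success"
    }
    return labels, sorted(compromised)


if __name__ == "__main__":
    labels, compromised = analyze(SAMPLE_LOG)
    print(labels)
    print("accounts to force-reset:", compromised)
```

Per-IP aggregation is deliberately the weak spot: a botnet or residential-proxy campaign sends a handful of attempts from each address, so in production the same heuristics should also be computed over the whole population per time bucket (overall failure rate, overall unknown-user rate), not only per source.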
How fraudsters remain unnoticed during account takeover
Fraudsters use sneaky methods to fly under the radar during account takeover, such as:
Deploying malicious automated tools and bad bots
Attackers often use tools like OpenBullet and Sentry MBA to run credential stuffing attacks, with configs that mimic a real browser’s requests and rotate through proxy pools. This automation is difficult for many security solutions to distinguish from legitimate traffic, which is why organizations need bot detection that looks beyond IP reputation and request rates.
Using stolen login details
If a fraudster has stolen your login details, they can gain access to your account without raising any red flags. Although some platforms flag suspicious login attempts, many account takeover attempts go unnoticed.
Using social engineering
Fraudsters may use social engineering to trick you into giving them access to your account. They may pose as customer service representatives or technical support staff and then ask for your account details or a verification code.
Hiding behind proxies and VPNs
True IP spoofing does not work for a login (the connection would never complete), but fraudsters achieve the same effect by routing their traffic through VPNs and, increasingly, residential proxy networks, so a login appears to come from the victim’s city or ISP and raises no geographic alarm.
This makes IP reputation and geolocation unreliable as stand-alone signals for detecting account takeover fraud.
Using malware
If a fraudster uses malware to gain access to your account, they can avoid detection by operating from your own device. Keyloggers and trojans steal your login details, and infostealers lift the session cookies the browser already holds, so the fraudster’s activity carries your IP address and device fingerprint and looks like yours.
Using phishing attacks
Fraudsters may use phishing attacks to trick you into giving them access to your account. They may send you an email that appears to be from your bank or another trusted organization. The email will instruct you to click on a link and enter your account details.
However, the link actually leads to a fake website designed to capture your information, and the more sophisticated kits relay it to the real site in real time so that even a one-time code is stolen. Phishing is one of the most common ways credentials are harvested for account takeover.
How to detect a cyberattack
Although it can be difficult to detect cyberattacks, it is not impossible. Here are a few ways organizations can detect ATO fraud:
Employ bot detection
An advanced bot detection solution like Kasada’s will identify malicious automation and fraudulent activity that would normally go undetected.
Bot detection software can mean the difference between catching a bad actor in the act and suffering from a costly data breach.
Monitor login activity
Organizations should keep an eye out for suspicious behavior, such as multiple failed login attempts, logins from unusual locations, and logins at strange times.
Review account activity
Regular reviews of account activity can help organizations identify unauthorized transactions or changes to account details.
Check for anomalies
Organizations can use data analytics to look for anomalies in account activity. This can help them to identify unusual behavior that may be indicative of account takeover fraud.
How to protect against account takeover fraud
Too many organizations wait for problems to arise before taking action. Instead, they should be proactive in preventing cyberattacks.
Here are steps companies can take to protect their sensitive data from account takeover fraud:
2FA and MFA
Organizations can use two-factor authentication (2FA) or multi-factor authentication (MFA) to protect against account takeover. In addition to the password, the user must present a second proof: a code from an authenticator app, approval of a push prompt, or a hardware key.
Without MFA, an attacker who guesses or buys the right password is in the account immediately, which is why the authentication process needs more than one step. Prefer authenticator apps or hardware keys over SMS codes, which SIM swapping and real-time phishing defeat, and protect the enrollment and recovery flows as carefully as the login: a takeover that registers the attacker’s own second factor is a common end state.
Hardware security keys
Hardware security keys (FIDO2/WebAuthn authenticators) are stronger still. The key holds a private key that never leaves the device and signs a challenge bound to the website’s origin, so a lookalike phishing site cannot obtain a response that works on the real one, and there is no code for a victim to read out or type into the wrong page. Keys connect over USB, NFC, or Bluetooth.
Since most ATO begins with phished or replayed credentials, this phishing resistance is what makes hardware keys the strongest authentication layer an organization can deploy.
Secure storage of digital assets
Organizations should store sensitive assets securely: customer passwords hashed with a slow, salted algorithm (bcrypt, scrypt, or Argon2) rather than stored or encrypted reversibly, customer and employee data encrypted at rest, and service credentials and API keys kept in a secrets manager rather than in code or configuration files.
Restricting account access
Only authorized personnel should be able to access accounts with sensitive data. This can help to prevent unauthorized account takeover attempts. We recommend reviewing access levels regularly to ensure that they are up to date.
Account tracking system
Organizations should implement an account tracking system to identify suspicious account activity and take action accordingly.
Regular backups
Regular backups do not stop a takeover, but they limit the damage when a compromised account is used to delete, alter, or encrypt data, and they shorten recovery.
Monitor account activity
Monitoring account activity can help businesses detect account takeover attempts. Businesses should look for suspicious login attempts, changes to account details such as email addresses and phone numbers, newly enrolled second factors, and unusual transactions.
Active password management
Organizations should set company-wide password policies: long, unique passwords; no sharing with unauthorized users; screening against breached-password lists; and rotation when there is evidence of compromise rather than on a fixed schedule, since forced periodic changes push users toward predictable variations (NIST SP 800-63B advises against them).
Using a password manager can help businesses to create and store strong passwords. Password managers generate random passwords and store them in an encrypted format. This reduces the risk of account takeover fraud.
Educating employees to double-check the legitimacy of online communications
Before clicking a link or sharing account details, employees should verify that a message is genuine. The usual signs are urgency, an unexpected request, and a sender or link domain that does not match the organization it claims to be; spelling mistakes are a weak signal, since many phishing kits are polished. A password manager that refuses to autofill on an unfamiliar domain, and phishing-resistant MFA, protect even the employee who is fooled.
Advanced bot defense
Bot defense is one of the key strategies to defend against account takeover.
Why? Because it detects and stops the technology attackers use to launch a successful ATO attack. Without functional bots, attackers cannot scale up their credential stuffing efforts because the process will not be automated.
Organizations can minimize their risk of account takeover and its dire consequences by stopping bots in their tracks—and Kasada’s bot defense solution is powerful enough to protect businesses from even the most advanced bot attacks.
You are the first line of defense in preventing ATO fraud
No one thinks they will become a victim of ATO fraud until it happens. Account takeover is a serious problem, and it’s important to be aware of the risks.
It doesn’t matter what type of organization you have—large or small, old or new—your company could become a victim of ATO fraud. However, if you take precautions to prevent cyberattacks, you will be able to mitigate the risks and reduce the damage in the event of an attack.
At Kasada, we offer bot defense solutions that prevent ATO fraud
Our technology detects and stops account takeover and other forms of online fraud. Founded on cutting-edge research, Kasada’s solution will help you stay one step ahead of cybercriminals and their sophisticated techniques.
At Kasada, we are dedicated to providing you with an all-in-one solution to preventing ATO. We offer real-time detection, insights that tell you what’s a bot and what’s not, and automated response to attacks in action.
Better yet, we’re true partners. With our 24/7/365 support, we act as an extension of your team.
If you’re ready to stop bad bots and secure your accounts more easily and effectively than ever before, schedule a demo today.