IT and security professionals are trained to look ahead – anticipating the next big attack vector, whether it’s AI-powered malware or sophisticated zero-day exploits. But while security teams focus on the cutting edge, one of the oldest security threats remains just as effective as ever: account takeover (ATO).
Why? Because credential stuffing has evolved into a full-scale industry.
Kasada’s threat intelligence team recently infiltrated 22 credential stuffing groups, exposing the inner workings of these highly organized cybercrime networks. What we found confirms what we’ve long suspected: the ATO problem isn’t just about passwords. It’s about the industrialization of fraud.
Credential Stuffing – An Advanced Ecosystem
Credential stuffing is often dismissed as a low-effort attack – bad actors taking advantage of users who reuse passwords. While that part is still true, today’s credential stuffing operations are anything but amateur. The groups we infiltrated are running what can only be described as fraud enterprises, complete with customer support, subscription-based attack tools, and even “money-back guarantees” if stolen credentials don’t work.
Key insights from our infiltration:
- Automated credential stuffing is getting smarter. Attackers aren’t just brute-forcing credentials; they use machine learning to optimize success rates, automatically adjusting attack parameters based on real-time feedback.
- Fraud-as-a-Service has lowered the barrier to entry. You don’t need technical expertise to launch an ATO attack anymore. For as little as $50, someone with zero coding skills can buy access to pre-configured credential stuffing tools that bypass common defenses.
- Targeted industries are expanding. While banks and retailers remain prime targets, attackers are increasingly going after healthcare portals, travel rewards programs, and even pharmacy accounts, where stolen credentials can be monetized in unexpected ways.
Why ATO Defenses Are Failing
Many security teams rely on MFA, CAPTCHAs, and IP blacklisting to combat ATO attacks. Yet, these groups treat those defenses as mere speed bumps. Here’s why traditional defenses are struggling:
- MFA bypass techniques are for sale. We found multiple services offering MFA bypass tools – some as cheap as $15 per attempt – using social engineering, OTP relay attacks, and session hijacking.
- CAPTCHAs don’t stop bots anymore. Attackers employ CAPTCHA-solving services, using AI or cheap human labor to bypass challenges instantly.
- IP blacklisting is obsolete. Proxy networks allow attackers to rotate millions of IP addresses, making blacklisting a game of whack-a-mole.
The Rise of ‘Invisible’ ATO Tactics
One of the most concerning trends we uncovered is the shift toward low-and-slow ATO attacks designed to evade detection. Instead of flooding a site with login attempts, attackers are:
- Mimicking human behavior. Bots now pause between login attempts, switch devices, and mimic normal browsing patterns to avoid triggering security alerts.
- Leveraging residential proxies. These make bot traffic appear as though it’s coming from legitimate users rather than data centers.
- Using breached session cookies. Attackers are skipping the login page altogether, purchasing valid session cookies from malware-infected devices to access accounts undetected.
Shifting Left: Fighting ATO at the Source
Security teams often focus their ATO defenses at the point of login – implementing MFA, monitoring failed attempts, or flagging suspicious sessions. But that’s too late in the attack chain.
By the time a bad actor is attempting to log in, the damage has already been done. Instead, companies need to shift left and stop attacks before credentials ever reach the login page.
Here’s how:
- Block automated traffic before authentication. If an attacker can’t even test credentials against your system, they’ll move on to an easier target.
- Detect the artifacts of automation. Rather than relying on CAPTCHAs, look for hidden bot signals – headless browsers, script-based automation, and tampered device attributes.
- Monitor the dark web for leaked credentials. Attackers are sourcing credentials from breaches before they’re widely known. Proactively monitoring for stolen logins gives you time to force password resets before they’re exploited.
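The following Python detector is an added example (not code from the post or from Kasada's product) that illustrates both the evasion described in the 'Invisible' ATO section and the "detect the artifacts of automation" advice above: a per-IP failure threshold sees nothing when every attempt comes from a fresh residential proxy, while grouping the same attempts by a stable client fingerprint (assumed here to be computed upstream, e.g. from TLS and header characteristics) exposes a username spray with a near-zero success rate. The login events are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int           # seconds since start of the observation window
    ip: str
    username: str
    fingerprint: str  # client fingerprint (e.g. TLS + header-order hash); assumed computed upstream
    success: bool


# Constructed sample traffic, not real logs. The 12 bot attempts each use a fresh residential
# proxy IP and a fresh username, spaced 40 s apart (low-and-slow), but share one automation
# fingerprint. Alice mistypes her password twice from one IP before succeeding.
EVENTS = [LoginEvent(t * 40, f"198.51.100.{t}", f"user{t:03d}", "fp-bot-a1", False)
          for t in range(1, 13)]
EVENTS += [
    LoginEvent(300, "203.0.113.7", "alice", "fp-chrome-win", False),
    LoginEvent(330, "203.0.113.7", "alice", "fp-chrome-win", False),
    LoginEvent(360, "203.0.113.7", "alice", "fp-chrome-win", True),
]


def per_ip_failures(events, threshold=5):
    """Legacy rule: flag any IP with `threshold` or more failed logins.
    Rotating proxies keep every bot IP far below the threshold, so nothing is flagged."""
    fails = defaultdict(int)
    for e in events:
        if not e.success:
            fails[e.ip] += 1
    return {ip for ip, n in fails.items() if n >= threshold}


def stuffing_by_fingerprint(events, window=600, min_users=8, max_success_rate=0.1):
    """Bucket attempts by (fingerprint, time window) and flag buckets that spray many
    distinct usernames with a near-zero success rate, regardless of how many IPs they use.
    A single user retrying one account (Alice) never reaches `min_users` and is left alone."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.fingerprint, e.ts // window)].append(e)
    flagged = {}
    for (fp, _), evs in buckets.items():
        users = {e.username for e in evs}
        rate = sum(e.success for e in evs) / len(evs)
        if len(users) >= min_users and rate <= max_success_rate:
            flagged[fp] = {"users": len(users), "ips": len({e.ip for e in evs}),
                           "attempts": len(evs)}
    return flagged


if __name__ == "__main__":
    print("per-IP rule flags:", per_ip_failures(EVENTS))
    print("fingerprint rule flags:", stuffing_by_fingerprint(EVENTS))
```

A real deployment would feed the flagged fingerprint into a pre-authentication block rather than a post-login alert, which is the shift-left point the section makes; if attackers also randomize the fingerprint, the same bucketing can be applied to other automation artifacts.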
ATO is a Bot Problem – Solve It Like One
At its core, account takeover isn’t an authentication problem. It’s a bot problem. And that means the best way to stop it isn’t with more friction for users – it’s by stopping automated attacks before they begin.
Kasada specializes in identifying the artifacts of automation – without relying on CAPTCHAs, without frustrating customers, and without letting attackers waste your resources. If credential stuffing groups are operating like businesses, it’s time to take a business-minded approach to stopping them.
Want to learn more? Here are some helpful resources:
- Join me during our upcoming webinar with RH-ISAC and Loyalty Security Alliance (LSA), “Inside the ATO Underground: 2025 Account Takeover Trends and How to Stop Them” on February 25, 2025.
- Check out our 2025 ATO Attack Trends Report based on Kasada’s infiltration of 22 credential stuffing groups.
- You can also book a demo with our security experts to see how Kasada helps companies shift left, stop bots, and prevent automated threats such as ATO.