Account Takeover Attacks And How to Prevent Them

The best way to protect yourself from ATO attacks is to be extremely diligent with your passwords. We offer some tips and best practices.

An account takeover (ATO) attack is a type of identity-theft fraud in which a malicious actor gains full control of a person’s online account, along with its associated authorizations and confidential data. As a result, the fraudster who takes over your account can do anything that you can do, including changing account settings, making unauthorized withdrawals, and deleting the account. Account takeover fraud generally ends with the attacker making multiple unauthorized purchases; when a cryptocurrency account is taken over, it can lead to your entire wallet being drained. Fortunately, there are many ways to protect against account takeover attacks.

How Is Account Takeover Fraud Executed?

ATO attacks include a broad range of malicious activity with the intent to unlawfully take control of an individual’s account. Broadly speaking, these types of attacks fall under two categories:

  • Credential stuffing attacks: A fraudster attempts to gain access to an account by testing username and password pairs with an account-checker tool. The vast majority of these attacks are automated on a massive scale through the use of botnets. The login credentials used to commit ATO attacks are typically obtained from publicly available sources or purchased on data breach marketplaces on the dark web, although more sophisticated attackers may compile a combolist themselves. From there, the attacker typically casts a wide net, unleashing their botnets on specific companies or multiple organizations with active online accounts that they may be able to compromise and monetize. Additionally, fraudsters may attempt to apply credentials from one compromised account to other online accounts associated with the legitimate account holder. In doing so, the attacker can acquire more credentials, information, or digital assets, particularly given internet users’ misguided propensity towards reusing the same login credentials for multiple accounts. With the rapid growth of the blockchain industry, cryptocurrency exchanges have become attractive targets for cybercriminals and now rank high alongside more traditional targets such as banks, healthcare organizations, and e-commerce platforms.

  • Targeted ATO attacks: Unlike credential stuffing attacks, this form of ATO attack, colloquially known as spear-phishing, is far more focused and multipronged. The target, typically a specific organization or high net worth individual, is preemptively selected for the potential for monetization or for the target’s access to, or centrality within, a broader target organization. From here, the attacker looks for a way to acquire the login credentials of the target, employing a broad range of approaches, from social engineering tactics to outright brute-force attacks, to break into the victim’s account. In many cases, an attacker will choose to compromise a target account through some form of social engineering rather than relying on exposed credentials, as this method, if successful, is far more likely to discreetly obtain usable credentials. Once compromised credentials are included as part of a public/dark web data dump, they don't stay active very long, as this overt dump usually leads to the authentic credential owner or another fraudster changing the relevant credentials. Additionally, when launching more advanced ATO attacks, malicious actors will often first gain control of backup authentication methods, such as the two-factor authentication (2FA) channel, before attempting to take over the target account. Although these attacks are conducted more slowly and methodically than other types of attacks, in most instances they blend in with legitimate user requests and account sessions and are therefore harder to detect.

While the above categories cover the majority of online account takeover fraud, SIM-swapping attacks, which target victims’ phone numbers, are equally devious and often serve as a component of a larger, multipronged ATO attack.

How to Prevent Account Takeover Fraud

From an account holder perspective, the best protection against ATO attacks is the use of a strong user authentication approach such as 2FA across all online accounts. While this is the easiest and most effective way for internet users to avoid falling victim to an ATO attack, there are a number of other countermeasures which are worth considering:

  • Hardware security keys: One form of 2FA is a hardware security key, such as a YubiKey, which you can plug in via USB. These keys provide a strong level of protection by delivering hardware-backed, cryptographic proof of your identity. They ensure that only the holder of the physical hardware key can gain access to an associated account, even if an attacker has compromised your password or successfully executed a SIM-swap attack on your mobile device. This mitigates the risk posed by phishing, person-in-the-middle, and replay attacks that rely on stolen passwords or one-time password (OTP) codes.
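The phishing and replay resistance described above comes from what the key signs: a fresh server challenge bound to the origin the browser reports, plus a signature counter. The following added example (not Gemini's code, nor any key vendor's) models the checks a relying party performs in a WebAuthn-style login so that a signature captured on a look-alike site, or a signature replayed later, is rejected. It simplifies one thing: an HMAC over a per-credential secret stands in for the key's asymmetric signature, so the relying party here holds the same secret as the key. A real key holds a private key that never leaves the device and registers only the public half. The origins and challenge values are constructed for the demo.

```python
"""Origin-bound challenge/response as performed by a hardware security key.
Added example, not Gemini's or any vendor's code. HMAC with a shared per-
credential secret stands in for the key's asymmetric signature (simplification:
a real authenticator keeps its private key on the device and the relying party
holds only the public key)."""
import hashlib
import hmac
import secrets


def _to_be_signed(origin: str, challenge: bytes, counter: int) -> bytes:
    # Real keys sign over the hash of clientData (origin + challenge) together
    # with a monotonically increasing signature counter; we model that here.
    return hashlib.sha256(f"{origin}|{challenge.hex()}|{counter}".encode()).digest()


class SecurityKey:
    """The authenticator. `secret` stands in for the credential's private key."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)
        self.counter = 0

    def sign(self, origin: str, challenge: bytes) -> dict:
        # The browser, not the user, supplies `origin`; a phishing page cannot
        # claim to be the real site.
        self.counter += 1
        sig = hmac.new(self.secret, _to_be_signed(origin, challenge, self.counter),
                       hashlib.sha256).digest()
        return {"origin": origin, "challenge": challenge,
                "counter": self.counter, "sig": sig}


class RelyingParty:
    """The website verifying the assertion."""

    def __init__(self, origin: str, key: SecurityKey) -> None:
        self.origin = origin
        self.secret = key.secret      # stands in for the registered public key
        self.last_counter = 0
        self.pending: set[bytes] = set()  # challenges issued but not yet used

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c

    def verify(self, assertion: dict) -> str:
        if assertion["origin"] != self.origin:
            return "origin mismatch"            # phishing site's origin
        if assertion["challenge"] not in self.pending:
            return "unknown or reused challenge"  # replay or forged challenge
        if assertion["counter"] <= self.last_counter:
            return "counter not increasing"     # cloned/replayed authenticator
        expected = hmac.new(self.secret, _to_be_signed(assertion["origin"],
                            assertion["challenge"], assertion["counter"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return "bad signature"
        self.pending.discard(assertion["challenge"])  # single use
        self.last_counter = assertion["counter"]
        return "ok"


def demo() -> dict:
    key = SecurityKey()
    rp = RelyingParty("https://exchange.example", key)  # constructed origin
    results = {}
    # 1. Legitimate login from the genuine origin.
    c1 = rp.new_challenge()
    a1 = key.sign("https://exchange.example", c1)
    results["legit"] = rp.verify(a1)
    # 2. The same assertion captured and submitted again.
    results["replay"] = rp.verify(a1)
    # 3. Phishing: the genuine challenge is relayed to a look-alike page, but the
    #    browser reports the look-alike's origin, so the signature is useless.
    c2 = rp.new_challenge()
    a2 = key.sign("https://exchange-example.com", c2)  # constructed look-alike
    results["phish"] = rp.verify(a2)
    return results


if __name__ == "__main__":
    print(demo())  # {'legit': 'ok', 'replay': 'unknown or reused challenge', 'phish': 'origin mismatch'}
```

The contrast with an OTP code is the third case: a six-digit code typed into a look-alike page works on the real site, whereas the key's signature over the wrong origin does not, and the user has nothing to type that an attacker could relay.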

  • Secure 2FA: Certain 2FA providers allow users to restrict which devices can generate or receive that account’s 2FA codes. Allowing only one device to access the 2FA protects users in the event they are the victim of a SIM-swap attack.

  • Active password management: The average internet user has dozens of online accounts, many of which can be accessed using the same password, so it should be no surprise that more than a quarter of data breaches are caused by weak or reused passwords. As a result, complex, deliberately managed passwords are the first line of defense against potential account takeover attacks, and this process can be significantly streamlined with the use of password managers, which offer an easy way to securely create, manage, and store unique passwords across multiple accounts.

  • Double-checking digital communications: Many account takeover attacks gain their first foothold in a target’s account through a successful phishing scam, which can lead to the victim divulging confidential information or inadvertently installing keylogging malware onto their device. Thus, internet users should always be cognizant of phishing attacks and how to identify them, so they can effectively flag potentially misleading communications at the initial point of contact.

  • Secure digital asset storage: While there are pros and cons to spreading your digital assets across multiple accounts and wallets, one reliable method to protect your assets involves keeping them in a cold wallet. While crypto assets in a cold wallet may be harder to access and exchange, these same features make those funds substantially harder to steal even if your account is compromised.

  • Active email management: Many users have only one email account, but this poses a risk if a company that you’ve used the email address to sign up with is hacked. For this reason, creating an email address that’s used only for your cryptocurrency account limits that address’s exposure to breaches elsewhere.

From an enterprise perspective, there are several best practices a company can use to provide online safety relatively easily, such as implementing thresholds for failed logins, emailing users when new logins from unexpected devices or IP addresses occur, and using out-of-the-box cybersecurity technologies like web application firewalls (WAFs).
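The enterprise measures just listed, and the credential-stuffing pattern described earlier (one automated source testing many username/password pairs), can be checked directly against login telemetry. The following added example (not Gemini's code) runs three detections over constructed authentication log lines: a per-account failed-login threshold, a per-source-IP count of distinct usernames that failed (the stuffing signature, which a per-account threshold alone misses because each account sees only one attempt), and a successful login from an IP/device pairing the account has never used, which is the trigger for a new-device notification. The log format, thresholds, usernames and IP addresses are all assumptions made for the demo.

```python
"""Three ATO signals over login telemetry. Added example, not Gemini's code.
Log format, thresholds, users and addresses are constructed for the demo."""
from collections import defaultdict
from dataclasses import dataclass

FAILED_PER_ACCOUNT = 5      # assumed lockout / step-up threshold per username
DISTINCT_USERS_PER_IP = 3   # assumed: one source failing against many accounts


@dataclass(frozen=True)
class LoginEvent:
    ts: int
    user: str
    ip: str
    device: str
    ok: bool


def parse_line(line: str) -> LoginEvent:
    """Constructed format: '<epoch> user=<u> ip=<ip> device=<d> result=<ok|fail>'."""
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return LoginEvent(int(ts), f["user"], f["ip"], f["device"], f["result"] == "ok")


def analyse(lines, known_devices):
    """known_devices maps user -> set of 'ip|device' strings seen on earlier
    successful logins; it is updated in place. Returns alerts by signal."""
    alerts = {"lockout": [], "stuffing": [], "new_device": []}
    fails_per_user = defaultdict(int)
    users_per_ip = defaultdict(set)
    for ev in map(parse_line, lines):
        if not ev.ok:
            fails_per_user[ev.user] += 1
            users_per_ip[ev.ip].add(ev.user)
            # Fire each alert once, when the threshold is first crossed.
            if fails_per_user[ev.user] == FAILED_PER_ACCOUNT:
                alerts["lockout"].append(ev.user)
            if len(users_per_ip[ev.ip]) == DISTINCT_USERS_PER_IP:
                alerts["stuffing"].append(ev.ip)
        else:
            fingerprint = f"{ev.ip}|{ev.device}"
            seen = known_devices.setdefault(ev.user, set())
            if fingerprint not in seen:
                alerts["new_device"].append((ev.user, fingerprint))  # notify user
                seen.add(fingerprint)
    return alerts


# Constructed sample: one source sprays four accounts once each, one account is
# brute-forced five times, and alice later logs in from the spraying source.
SAMPLE_LOG = [
    "1700000000 user=alice ip=203.0.113.9 device=python-requests result=fail",
    "1700000001 user=bob ip=203.0.113.9 device=python-requests result=fail",
    "1700000002 user=carol ip=203.0.113.9 device=python-requests result=fail",
    "1700000003 user=dave ip=203.0.113.9 device=python-requests result=fail",
    *[f"17000000{10 + i} user=eve ip=198.51.100.7 device=firefox-win result=fail"
      for i in range(5)],
    "1700000020 user=alice ip=192.0.2.10 device=chrome-mac result=ok",
    "1700000021 user=alice ip=203.0.113.9 device=python-requests result=ok",
]


def run_sample():
    known = {"alice": {"192.0.2.10|chrome-mac"}}  # constructed prior history
    return analyse(SAMPLE_LOG, known)


if __name__ == "__main__":
    for signal, hits in run_sample().items():
        print(f"{signal}: {hits}")
```

Note that alice's single failure never reaches the per-account threshold, so only the per-IP view exposes the spray, and the new-device alert is what tells alice (and the security team) that the one successful guess came from the same automated source.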

High-risk organizations that take cybersecurity seriously have also begun to implement services that leverage artificial intelligence (AI) to detect abnormalities in online behavior and other data signals to differentiate between legitimate human user activity and automated ATO attempts. Sophisticated defensive systems incorporate multiple inputs: network and device-level data points such as IP address and device version, user mouse movements, keystroke patterns, and page response rates, and screening for questionable requests. Although new advances in threat prevention continue to develop, the best way to help prevent phishing and account takeover fraud at the enterprise level is through user education and training.

Preventing Account Takeover Attacks: You Are the First Line of Defense

In the digital era, the online accounts and login credentials that grant us access to our contacts, resources, and services have come to represent an ever-growing part of our lives. Our physical and digital worlds continue to converge, creating new targets and attack vectors. There are few worse feelings than finding out that your confidential information has been compromised.

So while many organizations have taken steps to protect their employees and users from potential account takeover attacks, the growing level of sophistication among bad actors underscores the difficulty of relying purely on technical solutions. As an internet participant, you must play a critical role in protecting yourself online.

Cryptopedia does not guarantee the reliability of the Site content and shall not be held liable for any errors, omissions, or inaccuracies. The opinions and views expressed in any Cryptopedia article are solely those of the author(s) and do not reflect the opinions of Gemini or its management. The information provided on the Site is for informational purposes only, and it does not constitute an endorsement of any of the products and services discussed or investment, financial, or trading advice. A qualified professional should be consulted prior to making financial decisions. Please visit our Cryptopedia Site Policy to learn more.
