Employees on Work Computers Protected by Email Fraud Defence

What is Account Takeover Fraud?

Account Fraud Takeover Definition

Account takeover fraud, also known as account compromise, occurs when a cyber attacker gains control of a legitimate account.

Once they have control of an account, attackers can launch a variety of attacks, such as:

  • Internal phishing: Emails sent from employee to employee within the same organization using a compromised corporate account
  • Supply-chain phishing: Most organizations do business over email. An attacker who gains control over a legitimate account can assume your employee’s identity to defraud customers and business partners.
  • BEC-style attacks: Think of account takeovers as the ultimate impersonation tactic. In ATO, attackers hijack an email account to essentially become the person it belongs to. ATO attacks bypass many email authentication controls.
  • Data exfiltration: Gaining access to someone’s mailbox, attackers can access not just email, but also calendar events, contacts and sensitive data in file shares.
  • Financial fraud: If attackers gain control of someone’s bank or account or other financial services, they can steal funds directly with fraudulent wire transfers and purchases.

Account takeover techniques are usually automated using scripts that contain potentially thousands of credentials and user accounts. Revenue generated from a successful attack can reach millions on darknet markets for an advanced attack.

How Account Takeover Fraud Happens

The foundation for a successful account takeover is access to a user’s account credentials. Here’s how attackers usually compromise legitimate accounts:

  • Brute-force attacks. The attacker, usually through an automated script, tries a username/password combination across many accounts until one works. These include so-called dictionary attacks, in which attackers use common passwords and dictionary terms to guess passwords.
  • Breach replay attack (also known as credential stuffing). It’s a bad practice, but many people use the same password for multiple accounts. If one of those passwords is leaked in an unrelated data breach, any other account with the same username (often an email address) and password is at risk.
  • Phishing. Old-fashioned credential phishing remains an effect way to get a victim’s password. Without controls such as multifactor authentication (MFA), lost credentials can lead to compromised accounts.
  • Malware attacks. Keyloggers, stealers and other forms of malware can expose user credentials, giving attackers control of victims’ accounts.

Attackers can also download cracked passwords from darknet markets to attempt ATO on the same user accounts on their target site.

After the attacker has a long list of credentials, several ATO applications are available for download. A few notable tools include SentryMBA, SNIPR, STORM and MailRanger. The following image is one of the main windows in SentryMBA:

Account Takeover Fraud Tool Example

SentryMBA is one of the more popular tools due to its options and general settings. At the top, an attacker inputs the site where requests will be sent for authentication into user accounts. Other settings include the list of passwords and usernames, the ability to save a list of successful authentication attempts, and timeout settings that help that attacker avoid detection. The entire ATO attack is automated, so most of the effort is in stealing credentials. Tools such as SentryMBA can be run indefinitely on the attacker’s computer until a list of stolen accounts is created.

In some scenarios, an attacker will not use the initial ATO attack on the main target site. As users often use the same credentials across several sites, an attacker might use a site with weaker cybersecurity defenses and fraud detection to validate credentials.

If a user uses the same credentials across multiple sites, the attacker’s successful authentication into one site might work on the main site. For instance, an attacker might use SentryMBA to authenticate into a popular hotel site, knowing most users have accounts with prominent hotel brands for traveling. If authentication is successful on the hotel site, it could also be successful on a banking site. By validating credentials on a secondary site first, the attacker reduces the number of authentication attempts and reduces the likelihood of detection.

With a list of successfully authenticated accounts, an attacker now has two choices: transfer money or sell the validated credentials online. Attackers can transfer funds out of a targeted user’s bank account to their own accounts. On credit card sites, attackers could order credit cards in a targeted user’s name and send new cards to attacker addresses. If the site does not have proper ATO fraud detection, targeted users are unaware of money being transferred or credit cards being sent to a new address.

Should attackers choose to sell the list of authenticated accounts, they could have a high payout for their efforts. The value of just one hacked account depends on the amount of data stolen and the type of account. For instance, a PayPal account could be worth $1,200, while a targeted user’s personal data could be sold for $40 to $200. Bank cards are worth $800 to $1,000. With hundreds and potentially thousands of accounts, an attacker could have a hefty payday selling on darknet markets and limit detection compared to directly stealing from victims.

ATO fraud is not limited to banking and credit card accounts. Attackers can also use rewards cards and services, including stored points on hotel accounts and airline miles. This fraud is gaining interest because targeted users rarely check reward accounts for fraud compared to credit cards and bank accounts.

What Factors Increase Account Takeover Fraud Popularity

The introduction of darknet markets makes account takeover fraud much more attractive to attackers. Attackers no longer need to steal directly from targeted users, reducing liability. Attackers who want to directly steal from targeted users can simply purchase valid accounts on darknet markets instead of performing the arduous task of cracking passwords.

Darknet markets make it easier to steal from users, but the increase in financial accounts and offerings also fuel the market. Targeted users often have many financial accounts spread across several websites. More financial accounts and online presence mean an increase in the attack surface for ATO fraud.

Preventing Account Takeover Fraud

Users and website owners should take basic precautions to prevent ATO fraud. Financial and healthcare sites are common targets for attackers. These sites usually have fraud detection systems in place, but most send emails to the registered account holder when data changes.

Users should always read emails sent from financial institutions and call customer service as soon as they receive suspicious alerts. For instance, if new credit cards were sent and the account holder didn’t request them, call customer service to verify that the account was not hacked.

Using the same password across several accounts makes it easy for attackers. Always use unique, strong passwords across several accounts online. To keep track of numerous passwords, use cryptographically secure storage services such as LastPass, 1Password or Bitwarden. Be aware of phishing attacks to avoid being the victim of stolen credentials.

Website administrators must also take precautions. Account takeover detection infrastructure should be deployed to detect suspicious activity.

Should systems detect suspicious activity, the IP should be blocked. Suspicious activity can later be reviewed by analysts. For instance, an unusually high number of authentication attempts on different accounts from the same IP and operating system should trigger fraud detection. Analysts can later review the logged activity to determine if the site is a target for attackers.

Instead of locking out an IP, fraud detection systems can display a CAPTCHA after a specific number of authentication attempts. The CAPTCHA could be required for a specified duration after too many authentication requests from the same IP address.

Deploying multifactor authentication (MFA) helps protect users as well. Attackers with legitimate site credentials would be unable to authenticate without the secondary PIN sent to a user's smartphone. Automatically sending the PIN to the user’s smartphone can also alert the user to a potential account takeover attack. The targeted user can then change their site password.

With better fraud detection, website owners can protect their customer data. But customers can also ensure their data privacy by:

  • Educating themselves on the dangers and warning signs of phishing
  • Investigating links in email before they click
  • Using unique passwords for every account online
  • Always using strong passwords, especially on financial websites

Resources