Account takeover techniques are usually automated using scripts that potentially contain thousands of credentials and user accounts. Revenue generated from a successful attack can reach millions on darknet markets for an advanced attack.
Attackers can also download cracked passwords from darknet markets to attempt ATO on the same user accounts on their target site.
After the attacker has a long list of credentials, several ATO applications are available for download. A few notable tools include SentryMBA, SNIPR, STORM, and MailRanger. The following image is one of the main windows in SentryMBA:
SentryMBA is an automated attack tool used by cybercriminals and one of the more popular ones due to its options and general settings. At the top, an attacker inputs the site where requests are sent for authentication into user accounts. Other settings include the list of passwords and usernames, the ability to save a list of successful authentication attempts, and timeout settings that help the attacker avoid detection. The entire ATO attack is automated, so most of the effort is spent stealing credentials. Tools such as SentryMBA can run indefinitely on the attacker’s computer until they produce a list of stolen accounts.
In some account takeover fraud scenarios, an attacker will not use the initial ATO attack on the primary target site. As users commonly use the same credentials across several sites, an attacker might use a site with weaker cybersecurity defenses and fraud detection to validate credentials.
If a user employs the same credentials across multiple sites, the attacker’s successful authentication into one site might work on the primary site. For instance, an attacker might use SentryMBA to authenticate into a popular hotel site, knowing most users have accounts with prominent hotel brands for traveling. If authentication is successful on the hotel site, it could also be successful on a banking site. By validating credentials on a secondary site first, the attacker reduces the number of authentication attempts, minimizing the likelihood of detection.
With a list of successfully authenticated accounts, an attacker has two choices: transfer money or sell the validated credentials online. Attackers can transfer funds from a targeted user’s bank account to their own accounts. On credit card sites, an attacker could order new credit cards in a targeted user’s name but have the new cards sent to the attacker’s own address. If a site doesn’t have proper ATO fraud detection, targeted users have no idea when money is transferred or a credit card is sent to a new address.
Selling the list of authenticated accounts could mean a high payout for attackers. The value of just one hacked account depends on the amount of data stolen and the type of account. For instance, a PayPal account could be worth $1,200, while a targeted user’s personal data could be sold from $40 to $200. Bank cards are worth $800 to $1,000. With hundreds and potentially thousands of accounts, an attacker could have a hefty payday selling on darknet markets and limit detection compared to directly stealing from victims.
ATO fraud is not limited to banking and credit card accounts. Attackers can also use rewards cards and services, including stored points on hotel accounts and airline miles. This fraud is gaining interest because targeted users rarely monitor reward accounts for fraud compared to credit cards and bank accounts.
Factors That Increase Account Takeover Fraud Popularity
Darknet markets make account takeover fraud much more attractive to attackers by reducing liability as they no longer need to steal directly from targeted users. Attackers wanting to steal directly from targeted users can simply purchase valid accounts on darknet markets instead of performing the arduous task of cracking passwords.
While darknet markets make it easier to steal from users, increased online financial accounts and offerings also fuel the market. Targeted users often have many financial accounts spread across several websites. The proliferation of financial accounts and online presence means an increase in the attack surface for ATO fraud.
By implementing these strategies, you can better detect and prevent ATO fraud and protect your accounts from unauthorized access.
To prevent the ramifications of ATO fraud, proactive measures are imperative to protect sensitive information and monitor accounts for suspicious activity.
By implementing these prevention strategies, individuals and businesses can take the initiative to effectively prevent ATO attacks and better protect sensitive information and accounts from unauthorized access.
Account Takeover Fraud Protection
In addition to employing prevention strategies against account takeovers, several tools and solutions can help minimize the potential of ATO attacks.
Threat Intelligence and Monitoring
These tools monitor and analyze data from various sources, including known blacklists, data breaches, and suspicious online activities, to detect potential threats and account compromises. They can provide real-time alerts and help prevent fraudulent access attempts.
Account Activity Monitoring and User Profiling
Solutions that monitor user account activities, such as login history, transactions, and changes to account settings, can identify unusual or suspicious behavior. User profiling involves analyzing historical data and user behavior to establish patterns and detect anomalies.
User Education and Security Awareness Training
Cybersecurity training to educate users about common attack methods, phishing techniques, and best security practices can help prevent account takeover fraud. This includes promoting strong password hygiene, caution against sharing sensitive information, and providing guidance on recognizing and reporting suspicious activities.
IP Geolocation and Anomaly Detection
These tools analyze the geographic location and behavioral patterns associated with login attempts. They can identify suspicious activities, such as login attempts from unfamiliar locations or unusual login patterns, and trigger additional security measures or alerts.
Device Fingerprinting
This technique involves collecting and analyzing device-specific data, such as IP address, operating system, browser type, and cookies, to create a unique identifier or “fingerprint” for each device. Fingerprinting helps detect anomalies like login attempts from unrecognized devices and flags potential account takeover attempts.
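The three detection ideas above (account activity monitoring, IP geolocation anomalies, and device fingerprinting) can be combined into simple rules over an authentication log. The following is an added example, not Proofpoint’s code; it assumes the web tier already attaches a country from a geolocation lookup and a device-fingerprint hash to each login event, and it runs over a constructed sample log.

```python
from collections import defaultdict, namedtuple
# ts: epoch seconds; country: assumed from an upstream IP geolocation lookup;
# device: assumed fingerprint hash computed by the web tier from UA/cookies.
LoginEvent = namedtuple("LoginEvent", "ts user ip country device success")
# Constructed sample log (not real data): two normal logins, a stuffing burst
# from 192.0.2.7 that lands one valid account (frank) on an unknown device,
# and later a login by alice from a country she has never used before.
SAMPLE = [
    LoginEvent(100, "alice", "203.0.113.9", "US", "dev-a1", True),
    LoginEvent(150, "frank", "203.0.113.5", "US", "dev-f1", True),
    LoginEvent(400, "carol", "192.0.2.7", "NL", "dev-x", False),
    LoginEvent(401, "dave", "192.0.2.7", "NL", "dev-x", False),
    LoginEvent(402, "erin", "192.0.2.7", "NL", "dev-x", False),
    LoginEvent(403, "frank", "192.0.2.7", "NL", "dev-x", True),
    LoginEvent(404, "grace", "192.0.2.7", "NL", "dev-x", False),
    LoginEvent(900, "alice", "198.51.100.4", "GB", "dev-a1", True),
]

def stuffing_sources(events, window=60, min_users=5, max_success_rate=0.2):
    # An IP cycling through many distinct usernames within `window` seconds
    # with mostly failures is the signature of an automated credential list.
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e.ts - start.ts <= window]
            rate = sum(e.success for e in burst) / len(burst)
            if len({e.user for e in burst}) >= min_users and rate <= max_success_rate:
                flagged.add(ip)
                break
    return flagged

def new_context_logins(events):
    # Successful logins from a country or device the user has never used.
    # A user's very first login only builds the baseline and is not flagged.
    seen = defaultdict(lambda: {"country": set(), "device": set()})
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            continue
        hist = seen[e.user]
        new = [k for k in ("country", "device") if getattr(e, k) not in hist[k]]
        if new and hist["device"]:
            alerts.append((e.user, e.ts, e.ip, tuple(new)))
        hist["country"].add(e.country)
        hist["device"].add(e.device)
    return alerts
```

In production the thresholds would be tuned per site, and a hit from either rule would typically trigger step-up authentication or a user notification rather than an outright block.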
Behavioral Biometrics
Behavioral biometrics solutions analyze user behavior patterns, including keystrokes, mouse movements, typing speed, and navigation patterns, to establish a baseline of normal behavior. Any deviations from the baseline can trigger alerts and indicate possible fraudulent activity.
It’s important to note that these tools and solutions should be implemented as part of a comprehensive cybersecurity and data protection strategy, tailored to the specific needs of the organization or individual, and regularly updated to address emerging threats and vulnerabilities.
By using Proofpoint’s solutions, organizations can prevent and detect ATO attacks, protecting their sensitive information and accounts from unauthorized access.