April 30, 2020by Cybersixgill


Although the basic threat of a fraudster logging into someone else’s account using stolen credentials is nothing new, the reality of account takeover (ATO) attacks is becoming more serious.

While the experience of having one’s identity stolen can be traumatic, the financial brunt of ATO attacks is felt more by the affected companies than by the legitimate customers impersonated in the attacks. All told, digital fraud prevention company Forter has found that ATO attacks accounted for 16% of fraud-related losses as of the end of 2019.

More recently, the COVID-19 outbreak has exacerbated this threat. Not only has it increased consumers’ reliance on the internet, but it has empowered threat actors to defraud consumers, increase their hacking attempts, and carry out phishing attacks that can lay the groundwork for subsequent account takeovers.

And the harm done by ATO attacks isn’t just a matter of stolen revenue. For eCommerce companies, some of the most common methods of preventing these attacks (such as additional verification steps) can themselves dig into sales revenue by adding friction to the customer journey.

To shed light on the growing threat of account takeovers and ways to prevent them, we recently teamed up with Forter to offer a webinar and compile a report exploring the latest relevant trends that businesses and financial institutions should know about. In addition to offering recommendations on how to avoid becoming the victim of an ATO, the report and webinar provide explanations and examples of some of the most worrisome aspects of the ATO ecosystem.

Here are five particularly alarming ATO trends that we've identified:

1. The scope of ATO attacks is increasing.

Account takeovers are becoming more common, and their financial impact is increasingly making them a central security concern for businesses whose websites rely on user accounts.

This trend should concern these companies, but it comes as no surprise. Because the scale of eCommerce has increased in recent years, the financial incentives for hackers and fraudsters – and the financial risk for victimized companies – have likewise grown. A slew of data breaches has left vast numbers of customers at risk of being impersonated in ATO attacks. And as the sale of leaked details on the dark web continues to develop, it becomes easier for fraudsters to wreak havoc using these customers’ accounts.

Another factor contributing to the scope of the problem of account takeovers is the use of tools allowing fraudsters to check credentials on multiple systems (credential stuffing). With many people using the same email address or username and password on various platforms, these individuals face the risk that one compromised account could allow fraudsters to impersonate them on any number of other websites.

2. More-detailed account information has become available on the dark web.

To make sense of the account takeover ecosystem, it is important to understand the role the dark web plays in the sale of stolen credentials. This diagram lays out the five stages of the process:

Gone are the days when a batch of stolen credentials simply included passwords and either usernames or email addresses. The data we at Cybersixgill gather from the dark web shows that it has become common for leaked account details to include much more detailed information, which can help fraudsters avoid detection. For example, we see that many sets of credentials sold over the dark web include the user’s language, country, IP address, and billing address, as well as information related to their credit card – details that can be used to support a fraudster’s localization efforts.

3. The quality of customer service on the dark web has improved.

The comprehensiveness of available account details is far from the only way in which the dark web’s ability to drive ATO attacks is expanding. Today, we frequently see batches of pre-tested account credentials for sale on underground forums, so that the fraudsters who buy these credentials can be confident that they will work. Not only does this step increase the chances that a given ATO attempt will be successful, but it saves time for the fraudster – allowing them to work more efficiently.

In addition, the level of customer service shown by many threat actors looking to sell stolen account details on the dark web is now comparable to the level of service shown by legitimate online companies. The business model used by these sellers depends on positive customer reviews, and they act accordingly. For example, many of them use accepted marketing practices and offer refunds in case credentials they have sold turn out to be unusable.

4. Fraudsters are getting more sophisticated.

Just as the hackers who steal account details are innovating and evolving, so are their customers – the fraudsters who buy these account details and use them to carry out account takeovers. These fraudsters know that today’s companies can quickly detect unusual account activity, and they are adjusting their practices to avoid getting caught.

In many cases, this means taking advantage of the greater level of detail available for each leaked account being sold on the dark web, such as localization data. Forter has recently seen an increase in fraudsters engaging in device spoofing using emulators – one method of avoiding setting off alarms for using a computer or smartphone different from the account owner’s actual device.

Forter has also recently seen fraudsters increasingly taking steps to hide the fact that the products they order online are being shipped to an address different from the account owner’s. In some cases, the perpetrator of an ATO will use their own shipping address but manipulate it slightly to avoid arousing suspicion. In other cases, the fraudster will leave the victim’s mailing address as is and instead directly contact the shipping company to reroute the package to a different address of the perpetrator’s choosing.

5. Attacks are expanding beyond the credit card.

For fraudsters carrying out ATO attacks, the problem with using a credit card attached to the compromised account is that the account owner can discover and report the fraud relatively quickly and easily. In light of this risk, many cybercriminals look for alternative ways to monetize their activities.

Specifically, we are seeing many instances of paid accounts such as those on Netflix and Spotify for sale on the dark web – accounts that have intrinsic value, allowing fraudsters to monetize an attack without needing to make a purchase via credit card. We are also seeing a dramatic increase in the fraudulent use of loyalty club points, such as airline miles – an alarming trend, given that loyalty clubs are specifically designed for companies’ most valuable customers.

Managing the ATO Threat

Although the risk posed by account takeovers is expensive and growing, taking the right precautions can help protect both businesses and individuals.

For individuals, this is largely a matter of following general best practices for cybersecurity, including picking different credentials for accounts on different platforms. But we know that many individuals do in fact use the same credentials on multiple platforms. As a result, given that the dark web enables fraudsters to buy massive numbers of stolen credentials, even platforms that have not themselves fallen victim to a data breach can ultimately suffer from ATO attacks due to credential stuffing.

That makes rapid detection a critical element enabling businesses and financial institutions to stay safe from account takeovers. Given the growing sophistication of both the hackers who steal credentials and the fraudsters who attempt to use them for ATO attacks, managing this threat is largely a matter of using the most advanced and comprehensive digital technology for identifying and preventing fraud attempts.

For a closer look at the trends that Cybersixgill and Forter see in the realm of account takeovers, download our free report, You Are the Product: Combating the Growing Sophistication in the Stolen Credentials Marketplace.

You may also like

A close-up, detailed, and vibrant image of a microscopic cell with numerous tentacle-like extensions, depicted in shades of pink and purple against a blurred blue background.

May 15, 2024

Black Basta's Devastating Attack on a US Hospital System: Lessons Learned and Protective Measures

Read more
Screen showing a malware alert

May 09, 2024

New 'Latrodectus' Malware Linked to Notorious 'IcedID' Developer: A Deep Dive into Targets, Potential Impact, and Remediation Steps

Read more
Chris Strand-Thumbnail

May 07, 2024

Enhancing Security Posture with Cyber Risk Intelligence Part 2

Read more