What is an Account Takeover (ATO)?
The practice of gaining illegitimate access to user accounts, most commonly through sophisticated and automated attacks.
How do ATOs work?
ATOs use three resources.
- Stolen user credentials readily available on the Dark Web
- Infrastructure to deliver the attack (e.g., proxies, compromised servers and devices, etc)
- Attack toolkits to manage the attack (e.g., SNIPR, BlackBullet, SentryMBA, etc)
Within the attack toolkit, the bad actor will define the target web property, such as a social media, financial services or retail web site – or any organization that incorporates an infrastructure where users are encouraged to register or create an account and interact with other users.
They will then use the stolen credentials and automation to repeatedly attempt to login. The automated attack can be executed against the login registration page itself (form fill) or more commonly it is executed against the login form APIs.
The stolen user credentials need not be from the target web property; the bad actors are relying on the fact that 52% of all users will reuse login credentials on multiple sites and therefore, the millions of credentials available on the dark web will be sufficient. Successful logins are then resold, a process also known as credential stuffing.
More sophisticated attack objectives will extend beyond basic account validation to incorporate other forms of application business logic abuse resulting in theft or fraud.
What are the goals?
The most basic goal of an ATO is to make money by validating the user identity, known as credential stuffing, then resell it on the dark web for more advanced malicious purposes. More advanced ATO goals can be broken into two categories – theft and fraud. Theft can be defined as stealing the value of the compromised account (your savings). Fraud would entail taking advantage of the unique value the account provides, such as loyalty points.
What is the impact on an organization?
ATOs often lead to a secondary, more malicious attack that may result in theft or fraud, thereby impact the organization directly.
- Theft of the contents of the compromised account (e.g., financial services) will impact the organization financially in the form of account reimbursement. Reputation bombing through an account take over will have a financial impact to the target organization from customers who lose faith and trust in the organization, taking their business elsewhere.
- Gift card and loyalty program fraud will impact an organization financially through reimbursement of customer’s stolen gift cards and points, and the cost of the goods purchased with the stolen cards. According to a pymnts.com report, 48% of the organizations with loyalty and rewards accounts have been hit by ATO (Account Takeover) attacks. This has cost companies more than $2.3 billion worldwide.
- Denial of inventory, a variant of an Application DDoS attack where purchases are partially executed, locking inventory out, will impact the target organization financially through lost or discounted sales and longer term, lost customers.
Organizationally, ATO attack impact can be wide ranging, distracting teams from their daily roles to address a wide range of challenges. Legal teams need to address a range of possible lawsuits from both customers and investors. Compliance teams will need to address regulatory challenges if data or intellectual property has been stolen. Public relations and marketing will need to respond to press and analyst queries to maintain brand image, in some cases, distinguishing between an ATO attack and a data breach. While both are security incidents, they may impact the organization in different ways. Ensuring customer support can adequately manage angry customers while maintaining positive morale, while addressing their normal roles and responsibilities.
What types of applications and industries are targeted by ATOs?
ATOs are wide-reaching, targeting any organization with web, mobile, API-based applications that incorporate an infrastructure where users are encouraged to register or create an account and interact with other users. Highly targeted industries include social media, retail, financial services, payment platforms, gaming and media. A recent example of an ATO used against high tech corporations indicate a broadening of use and intent.
Preventing Account Takeover Attacks with Cequence Security
Cequence Application Security Platform prevents account take overs and their secondary objectives using a patented machine-learning analytics engine that detects account login attempts that are malicious and allows you to creatively mitigate them through blocking, rate limiting, or deception.