How to Take Account Takeover Fraudsters Out to the Curb
Digital criminals resort to ransomware attacks, malvertising, DNS hijacking, and other techniques to prey upon organizations, and the prevalence of each technique varies by economic sector. In a survey conducted by the Aite Group, for instance, 89 percent of executives at financial institutions said that account takeover fraud (ATO fraud) is the most common cause of losses in their digital channels. The picture is similar in eCommerce: 96 percent of businesses reported having suffered a fraud attack (according to the Merchant Risk Council’s 2019 Global Fraud Survey), with account takeover among the top three types of fraud reported. Nor is it extraordinary that ThreatMetrix observed growth in both the number of ATO fraud attacks and the costs associated with them in its Cybercrime Report.
Clearly, account takeover fraud is a concern for financial organizations. So how can these businesses adequately protect themselves against this rising mode of fraud? To help organizations in this effort, it’s important to first understand what ATO fraud is, why cyberattackers are drawn to it, and why it is traditionally so hard to detect.
What is ATO Fraud?
According to Chargebacks911, account takeover fraud is a form of identity theft in which a third party obtains access to a user’s online account. The attacker usually leverages the user’s stolen credentials, data, or personally identifiable information (PII) to gain entry to the victim’s accounts, notes OneSpan. Once in, the attacker abuses that access to masquerade as the legitimate user, customer, or account holder in order to change the account’s details, purchase items, withdraw funds, or pivot into other accounts held by the victimized user.
OneSpan reveals how bad actors can use various preliminary attacks to ultimately commit account takeover fraud. These malicious methods include the following:
- Data breaches: Before a fraudulent transaction takes place, attackers can lay the groundwork for account takeover fraud by purchasing personal information leaked in a breach. This data might include a user’s personal, account, and financial details. They can then use that information to authenticate to the user’s account. Because many people reuse passwords, credentials leaked from one site are also replayed against many others (credential stuffing), so a breach at an unrelated service can still lead to a takeover of yours.
- Phishing: Sometimes bad actors don’t yet have a user’s account credentials. In those cases, they use phishing attacks to steal what they need: an email and a phishing page that look and sound like legitimate correspondence from a trusted entity, which captures the credentials (and sometimes the one-time code) the victim types in.
- SIM swap attacks: Banks and other web service providers commonly let users protect their accounts with SMS-based two-step verification (2SV). In these cases, criminals socially engineer the mobile carrier into porting the victim’s phone number to a SIM card the attacker controls. With the number in hand, they receive the victim’s SMS codes, reset the account credentials, and bypass the 2SV protection. This is why SMS should be treated as the weakest second factor; authenticator apps or hardware security keys are not affected by a SIM swap.
- Malware: Bad actors don’t always need to use social engineering. They also turn to compromised websites and similar sources to distribute malware. These programs commonly employ keyloggers, fake login overlays, and other tricks to steal users’ login credentials.
- Man-in-the-middle (MitM) and man-in-the-browser (MitB) attacks: Digital criminals steal users’ login credentials by inserting themselves into the communication channel between a target and the entity the target is trying to reach. Bad actors commonly pull off a MitM attack by tricking users into connecting to a malicious Wi-Fi network, which lets them intercept the data the target sends and receives while connected; note that properly validated TLS blocks this unless the attacker can also strip HTTPS or get a rogue certificate trusted. A man-in-the-browser attack is the malware-based variant: a trojan inside the browser reads or alters page contents and form submissions after TLS has already been terminated, so encryption in transit does not help.
Understanding the Draw of Account Takeover Fraud
Cybercriminals are drawn to ATO fraud because a compromised account opens up many ways to reach their ultimate goal, beyond the act of taking over the account itself. To start, attackers use the stolen information to access a user’s account and change its contact information. Doing so locks the legitimate user out of their own account and delays the moment they notice, giving the criminal time to place fraudulent orders or create new accounts.
Perhaps even more significantly, bad actors can monetize stolen data on the dark web. This is often a preferred route as the attackers can make a lot of money by reselling access to compromised web accounts on underground marketplaces like the Carder’s Paradise. Experian notes that bad actors can make up to $200 for stolen online payment account credentials, for instance, and they can earn five times as much for compromising an account that contains medical information. Per Trend Micro, these individuals also bundle individual pieces of stolen information together and sell them for a higher price. Either way, reselling this information enables other criminals to perpetrate ATO fraud in the future.
How to Defend Against ATO Fraud
The variability of ATO fraud isn’t the only factor that works in this threat’s favor. So does the basic premise of how account takeover fraud works. As explained by Infosec Institute, digital attackers present the same credentials a legitimate user would to authenticate to an account. From the application’s point of view the login succeeds normally, which makes it difficult for organizations to determine who’s behind each authentication attempt and whether anything malicious is going on.
Even so, ATO fraud isn’t silent. This threat commonly gives off indicators that something is amiss. For instance, an attacker might compromise a user’s workstation through a phishing attack and then access their corporate account in the middle of the night from a foreign country, followed by a change of the account’s email address or phone number. Each of these would be unusual for the legitimate user on its own; together they are far more telling. Indicators like these accumulate over time and give you something to work with for detecting and combating ATO fraud.
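The following is an added example, not code from the original article or from any product it describes. It shows how the indicators above can be scored against each user’s own baseline (the countries, devices and hours they normally log in from) and correlated into a single per-user finding. The event format, the indicator weights and the alert threshold are assumptions chosen for illustration, and the log lines are constructed, not real data.

```python
"""Score login events against a per-user baseline and correlate ATO indicators."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). ts is UTC, ISO 8601.
BASELINE_EVENTS = [  # the "normal" window used to learn each user's habits
    {"ts": "2023-03-01T14:05:00Z", "user": "alice", "country": "US", "device": "lt-4a2f", "action": "login"},
    {"ts": "2023-03-02T13:50:00Z", "user": "alice", "country": "US", "device": "lt-4a2f", "action": "login"},
    {"ts": "2023-03-03T15:20:00Z", "user": "alice", "country": "US", "device": "lt-4a2f", "action": "login"},
    {"ts": "2023-03-01T09:10:00Z", "user": "bob",   "country": "GB", "device": "lt-77e1", "action": "login"},
    {"ts": "2023-03-02T10:05:00Z", "user": "bob",   "country": "GB", "device": "lt-77e1", "action": "login"},
    {"ts": "2023-03-01T08:30:00Z", "user": "carol", "country": "DE", "device": "lt-c0de", "action": "login"},
    {"ts": "2023-03-02T09:15:00Z", "user": "carol", "country": "DE", "device": "lt-c0de", "action": "login"},
]
EVAL_EVENTS = [  # the window being assessed
    # alice: night-time login from a new country and device, then contact details changed
    {"ts": "2023-03-08T03:12:00Z", "user": "alice", "country": "RO", "device": "mob-91c0", "action": "login"},
    {"ts": "2023-03-08T03:15:00Z", "user": "alice", "country": "RO", "device": "mob-91c0", "action": "change_email"},
    {"ts": "2023-03-08T03:16:00Z", "user": "alice", "country": "RO", "device": "mob-91c0", "action": "change_phone"},
    # bob: genuine business travel, usual laptop, usual hours, nothing sensitive
    {"ts": "2023-03-08T09:30:00Z", "user": "bob",   "country": "FR", "device": "lt-77e1", "action": "login"},
    # carol: logs in normally, then 90 minutes later "she" logs in from another continent
    {"ts": "2023-03-08T08:10:00Z", "user": "carol", "country": "DE", "device": "lt-c0de", "action": "login"},
    {"ts": "2023-03-08T09:40:00Z", "user": "carol", "country": "BR", "device": "lt-c0de", "action": "login"},
]

SENSITIVE_ACTIONS = {"change_email", "change_phone", "change_password", "add_payee"}
# Assumed weights: a single weak signal never alerts, a combination does.
WEIGHTS = {"new_country": 2, "new_device": 2, "off_hours": 1,
           "rapid_country_change": 3, "sensitive_action_on_anomalous_session": 3}
ALERT_THRESHOLD = 5  # assumed tuning value


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def build_baselines(events):
    """Per user: the set of countries, devices and login hours seen in the training window."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for e in events:
        if e["action"] == "login":
            b = base[e["user"]]
            b["countries"].add(e["country"])
            b["devices"].add(e["device"])
            b["hours"].add(parse_ts(e["ts"]).hour)
    return base


def hour_is_off(hour, seen_hours, tolerance=3):
    """True when `hour` is more than `tolerance` hours (on a 24h circle) from every baseline hour."""
    if not seen_hours:
        return False
    return all(min(abs(hour - h), 24 - abs(hour - h)) > tolerance for h in seen_hours)


def assess(events, baselines):
    """Score each event against its user's baseline and aggregate hits into one finding per user."""
    findings = defaultdict(lambda: {"score": 0, "indicators": [], "events": []})
    last_login = {}            # user -> (timestamp, country) of the previous login in this window
    anomalous_session = set()  # users whose most recent login raised at least one indicator
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts, hits = e["user"], parse_ts(e["ts"]), []
        b = baselines.get(user)  # .get() so an unknown user does not create an empty baseline
        if e["action"] == "login":
            if b is None or e["country"] not in b["countries"]:
                hits.append("new_country")
            if b is None or e["device"] not in b["devices"]:
                hits.append("new_device")
            if b and hour_is_off(ts.hour, b["hours"]):
                hits.append("off_hours")
            prev = last_login.get(user)
            # Two logins from different countries within 6h: a crude impossible-travel check.
            if prev and prev[1] != e["country"] and ts - prev[0] < timedelta(hours=6):
                hits.append("rapid_country_change")
            last_login[user] = (ts, e["country"])
            (anomalous_session.add if hits else anomalous_session.discard)(user)
        elif e["action"] in SENSITIVE_ACTIONS and user in anomalous_session:
            hits.append("sensitive_action_on_anomalous_session")
        if hits:
            f = findings[user]
            f["score"] += sum(WEIGHTS[h] for h in hits)
            f["indicators"].extend(hits)
            f["events"].append(e["ts"])
    return {u: f for u, f in findings.items() if f["score"] >= ALERT_THRESHOLD}


def run_demo():
    return assess(EVAL_EVENTS, build_baselines(BASELINE_EVENTS))


if __name__ == "__main__":
    for user, f in run_demo().items():
        print(f"{user}: score={f['score']} indicators={f['indicators']} events={f['events']}")
```

With this data, alice is flagged with a high score (new country, new device, off hours, then two contact-detail changes on that session) and carol is flagged for the rapid country change, while bob’s legitimate travel scores below the threshold. The design point is that no single indicator alerts on its own; only their accumulation on one account does, which is what keeps the false-positive rate tolerable.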
Decrease the Risk
There are other recommended steps to decrease the risk of ATO attacks. First, you can implement multi-factor authentication (preferably app- or hardware-based rather than SMS), robust password hygiene such as checking new passwords against known-breached lists, and endpoint detection and response tools to prevent instances of ATO fraud. Second, you can use network access controls together with authentication log monitoring to detect ATO fraud in the form of suspicious authentication attempts. And third, you can employ anti-malware solutions to detect malicious software dropped by attackers who have compromised a user’s account. The Paypers offers some additional suggestions, plus recommendations for what to do after an account has been taken over.
Even with these precautions in place, organizations fare best at blocking ATO fraudsters when they can detect anomalous network and account activity and piece it together, recognizing the individual anomalies as parts of a larger attack.
Implement a Network Detection and Response Solution
That’s where a network detection and response solution comes in. Lastline uses network traffic analysis (NTA) and malicious behavior analysis technology to spot the early stages of ATO attacks, including the preliminary attacks described earlier, before they evolve into something more. Specifically, it uses AI to model normal user and account activity and then identify anomalies that could indicate the account has been compromised. Users quickly establish patterns for when and from where they access an account and what they do once they’re in, and departures from those patterns are the raw material for detection.
Lastline takes it a step further. Given the company’s understanding of malicious behaviors (which it also uses to detect and block malware from being installed in the first place), it can distinguish anomalous network activity that is malicious from activity that is merely unusual. It then generates high-fidelity insights into threats operating inside your network, consolidating alerts into comprehensive incidents that identify all compromised systems and accounts and the network activity resulting from the attack, which facilitates complete and speedy remediation.
Learn how Lastline can help you detect ATO attempts and contain malicious behavior in your network.