How to Take Account Takeover Fraudsters Out to the Curb

Posted by Brian Laing ON AUG 15, 2019

Digital criminals resort to ransomware attacks, malvertising, DNS hijacking, and other techniques to prey upon organizations. How common each technique is varies by economic sector. In a survey conducted by the Aite Group, for instance, 89 percent of executives at financial institutions said that account takeover fraud (ATO fraud) is the most common cause of losses in their digital channels. It is therefore not surprising that 96 percent of eCommerce businesses reported having suffered a fraud attack (according to the Merchant Risk Council’s 2019 Global Fraud Survey), with account takeover placing among the top three types of fraud reported. Nor is it extraordinary that ThreatMetrix observed growth in both the number of ATO fraud attacks and the costs associated with them in its Cybercrime Report.

Clearly, account takeover fraud is a concern for financial organizations. So how can these businesses adequately protect themselves against this rising mode of fraud? To help organizations in this effort, it’s important to first understand what ATO fraud is, why cyberattackers are drawn to it, and why it is traditionally so hard to detect.

What is ATO Fraud?

According to Chargebacks911, account takeover fraud is a form of identity theft in which a third party obtains access to a user’s online account (i.e. they take over the account). They usually leverage a user’s stolen credentials, data, or personally identifiable information (PII) to gain entry into their victim’s accounts, notes OneSpan. At that point, the third party abuses that access to masquerade as the legitimate user, customer, or account holder in order to change the account’s details, purchase items, withdraw funds, or obtain access to other accounts held by the victimized user.

OneSpan reveals how bad actors can use various preliminary attacks to ultimately commit account takeover fraud. These malicious methods include the following:

  • Data breaches: Before a fraudulent transaction takes place, attackers can lay the groundwork for account takeover fraud by purchasing personal information leaked in a breach. This data might include a user’s personal, account, and financial details. They can then use that information to authenticate themselves with the user’s account.
  • Phishing: Sometimes bad actors don’t have access to a user’s account credentials. In those cases, they use phishing attacks to steal the information they need. All they need to do is craft an attack email and phishing page that both look and sound like legitimate correspondence from a trusted entity.
  • SIM swap attacks: Banks and other web service providers commonly give users the option of protecting their accounts with SMS-based two-step verification (2SV). In these cases, criminals use social engineering to have a user’s mobile phone number moved to a SIM card they control, taking over the number. They then leverage that access to reset the user’s account credentials and bypass 2SV protection.
  • Malware: Bad actors don’t always need to use social engineering. They also turn to compromised websites and similar sources to distribute malware. These programs commonly employ keyloggers, fake login overlays, and other tricks to steal users’ login credentials.
  • Man-in-the-middle (MitM) attacks (aka Man-in-the-Browser): Digital criminals steal users’ login credentials by injecting themselves into a communication channel between a target and the entity with which they’re attempting to communicate. Bad actors commonly pull off this campaign, known as a MitM attack, by tricking users into connecting to a malicious Wi-Fi network. This allows attackers to intercept all data that the target sends and receives while connected.

Understanding the Draw of Account Takeover Fraud

Cybercriminals are drawn to ATO fraud because there are numerous possibilities for achieving their ultimate goal, extending beyond the act of taking over someone’s account. To start, attackers use stolen information to access a user’s account and change their contact information. Doing so helps lock users out of their own accounts, giving the criminal time to place fraudulent orders or create new accounts.

Perhaps even more significantly, bad actors can monetize stolen data on the dark web. This is often a preferred route as the attackers can make a lot of money by reselling access to compromised web accounts on underground marketplaces like the Carder’s Paradise. Experian notes that bad actors can make up to $200 for stolen online payment account credentials, for instance, and they can earn five times as much for compromising an account that contains medical information. Per Trend Micro, these individuals also bundle individual pieces of stolen information together and sell them for a higher price. Either way, reselling this information enables other criminals to perpetrate ATO fraud in the future.

How to Defend Against ATO Fraud

The variability of ATO fraud isn’t the only factor that plays into this threat’s favor. So too does the basic premise of how account takeover fraud works. As explained by Infosec Institute, digital attackers leverage the same credentials employed by a legitimate user to authenticate themselves with an account. This makes it difficult for organizations to determine who’s behind each authentication attempt and whether there’s anything malicious going on.

Even so, ATO fraud isn’t silent. This threat commonly gives off certain indicators that something’s amiss. For instance, an attacker might compromise a user’s workstation through a phishing attack and then access their corporate account in the middle of the night from a foreign country, actions that would be unusual for the legitimate user. These indicators build up over time and give you something to work with in terms of detecting and combating ATO fraud.

Decrease the Risk

And there are other recommended steps to decrease the risk of ATO attacks. First, you can implement multi-factor authentication, robust password security, and endpoint detection and response tools to prevent instances of ATO fraud. Second, you can use network access controls to detect ATO fraud in the form of suspicious authentication attempts. And third, you can employ anti-malware solutions to detect malicious software dropped by attackers who have compromised a user’s account. The Paypers offers some additional suggestions, plus recommendations for what to do after an account has been taken over.

Even with these additional precautions in place, when it comes to blocking ATO fraudsters, organizations fare best when they can detect anomalous network and account activity and piece it all together to recognize them as part of a larger attack effort.
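The off-hours and foreign-country indicators described above, and the detection of suspicious authentication attempts suggested under “Decrease the Risk”, can be scored per login event and then correlated per user so that individually weak signals add up to an incident. The following Python is an added example, not code from the original post or from Lastline’s product; the log format, user names, countries and the threshold of 3 are constructed assumptions.

```python
from datetime import datetime

# Constructed sample auth records (not from the post): "<ISO timestamp> <user> <country> <result>"
BASELINE_LOG = """\
2019-08-01T09:12:00 alice US success
2019-08-02T08:55:00 alice US success
2019-08-06T17:40:00 alice US success
"""
NEW_LOG = """\
2019-08-12T09:05:00 alice US success
2019-08-13T02:47:00 alice RO failure
2019-08-13T02:48:00 alice RO success
2019-08-13T02:55:00 alice RO password_change
"""

def parse(log):
    """Turn log text into (timestamp, user, country, result) tuples."""
    return [(datetime.fromisoformat(t), u, c, r)
            for t, u, c, r in (line.split() for line in log.splitlines())]

def build_baseline(events):
    """Per user, the countries and hours of day seen in successful logins."""
    base = {}
    for ts, user, country, result in events:
        if result == "success":
            prof = base.setdefault(user, {"countries": set(), "hours": set()})
            prof["countries"].add(country)
            prof["hours"].add(ts.hour)
    return base

def score_event(event, baseline):
    """Names of the indicators that fire for a single event."""
    ts, user, country, result = event
    prof = baseline.get(user)
    if prof is None:
        return ["unknown_user"]            # no history to compare against
    flags = []
    if country not in prof["countries"]:
        flags.append("new_country")        # e.g. login from a foreign country
    if ts.hour not in prof["hours"]:
        flags.append("off_hours")          # e.g. middle-of-the-night access
    if result == "password_change":
        flags.append("credential_change")  # locking the real user out
    return flags

def correlate(events, baseline, threshold=3):
    """Sum indicators per user; users at or above the threshold are likely ATO cases."""
    counts = {}
    for ev in events:
        counts[ev[1]] = counts.get(ev[1], 0) + len(score_event(ev, baseline))
    return {u: n for u, n in counts.items() if n >= threshold}
```

With the constructed data, the single daytime US login scores nothing, while the night-time Romanian failure, success and password change together push alice to 7 indicators and a flagged incident.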

Implement a Network Detection and Response Solution

That’s where a network detection and response solution comes in. Lastline uses network traffic analysis (NTA) and malicious behavior analysis technology to spot the early stages of ATO attacks, including the preliminary attacks described earlier, before they evolve into something more. Specifically, it uses AI to model normal user and account activity and then identify anomalies that could indicate the account has been compromised. For example, users quickly establish patterns for when and from where they access an account, and what they do once they’re in.

Lastline takes it a step further. Given the company’s understanding of malicious behaviors (which it uses to detect and block malware from being installed in the first place), it can distinguish between anomalous network activity that is malicious and activity that is simply anomalous. It then generates high-fidelity insights into threats that are operating inside your network, consolidating alerts into comprehensive incidents that identify all compromised systems and accounts and the network activity resulting from the attack, which facilitates complete and speedy remediation.

Learn how Lastline can help you detect ATO attempts and contain malicious behavior in your network.

Brian Laing

For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive-level roles. The author of “APT for Dummies,” he was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. Brian previously founded Hive Media, where he served as CEO. He co-founded RedSeal Systems, where he conceived the overall design and features of the product and was granted two patents related to network security. He was also founder and CEO of self-funded Blade Software, which released the industry’s first commercial IPS/FW testing tool.
Tags:
account takeover fraud, Brian Laing, Multi-factor authentication, network detection and response, Personally identifiable information, SIM swap attack, two-step verification