What is Account Takeover

Account takeover (ATO) is a form of identity theft in which a criminal obtains access to a user’s online account (i.e. they take over the account). They usually use the account holder’s own credentials, data, or personally identifiable information to gain entry into their victim’s accounts.

Then the attacker masquerades as the legitimate user, customer, or account holder in order to change the account’s details, purchase items, withdraw funds, or obtain access to other accounts. They often start by changing contact information, the password, or other information to lock the legitimate user out, giving the criminal time to benefit from their illegitimate access. Attackers also can monetize stolen account credentials by offering them for sale on the dark web. This is often a preferred route as the attackers can make a lot of money quickly, plus it enables other criminals to perpetrate ATO fraud in the future.

Bad actors use various techniques to acquire the credentials needed to take over an account. These include data breaches, phishing, SIM swap attacks (using social engineering to swap a user’s SIM card and take over control of their phone), malware, social engineering, and Man-in-the-middle (MitM) attacks (aka Man-in-the-Browser).

How to Defend Against ATO Fraud

What makes account takeover particularly difficult to detect is that the attackers use the same credentials employed by the legitimate user to authenticate themselves. This makes it difficult for organizations to determine who’s behind each authentication attempt and whether there’s anything malicious going on.

Even so, ATO fraud attacks aren’t silent. They typically give off indicators that something’s amiss, such as when and from where an account is being accessed. These indicators build up over time and provide the clues needed to detect ATO activity.

First Steps to Decrease the Risk

Some initial, basic steps to decrease the risk of ATO attacks include:

  • Implement multi-factor authentication, robust password security, and endpoint detection and response tools
  • Use network access controls to detect suspicious authentication attempts
  • Employ malware detection solutions to identify malicious software dropped by attackers to compromise a user’s account

Even with these precautions in place, when it comes to blocking ATO, organizations fare best when they can detect the anomalous network and account activity that inevitably takes place after an account has been compromised.

Complete the Picture with Network Detection and Response

Lastline uses network traffic analysis (NTA) and malicious behavior analysis technology to spot the early stages of ATO attacks before they evolve into something more. Specifically, it uses AI to model normal user and account activity, and then identify anomalies that could indicate the account has been compromised. For example, users quickly establish patterns for when and from where they access an account, and what they do once they’re in.
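The following added example (not Lastline’s code, nor any detail of its product) illustrates the idea described here and under "How to Defend Against ATO Fraud": learn each user’s usual login countries and hours of day from historical authentication logs, then flag new logins that deviate from that baseline, including a country change shortly after a previous login. The log lines, usernames, countries and the two-hour threshold are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed historical logins (user, UTC timestamp, source country); not real data.
BASELINE_LOG = [
    ("alice", "2024-03-01T09:05:00", "US"),
    ("alice", "2024-03-02T08:50:00", "US"),
    ("alice", "2024-03-03T17:30:00", "US"),
    ("bob", "2024-03-01T14:00:00", "DE"),
    ("bob", "2024-03-02T13:45:00", "DE"),
]

# Constructed new logins to evaluate against that baseline.
NEW_LOGINS = [
    ("alice", "2024-03-04T09:10:00", "US"),    # matches alice's habits
    ("alice", "2024-03-04T10:20:00", "BR"),    # new country, 70 minutes after a US login
    ("bob", "2024-03-05T03:15:00", "DE"),      # usual country, unusual hour
    ("mallory", "2024-03-05T12:00:00", "DE"),  # account with no history at all
]

RAPID_CHANGE_HOURS = 2  # assumed threshold for flagging a quick change of country

def build_baseline(events):
    """Per user: the set of source countries and hours of day seen historically."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set()})
    for user, ts, country in events:
        profile[user]["countries"].add(country)
        profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return profile

def score_logins(profile, logins):
    """Return {(user, ts): [indicator, ...]}; an empty list means nothing anomalous.
    Tracks each user's previous login to spot a country change within RAPID_CHANGE_HOURS."""
    last_seen, results = {}, {}
    for user, ts, country in logins:
        when, flags = datetime.fromisoformat(ts), []
        p = profile.get(user)  # .get() does not create an entry for unknown users
        if p is None:
            flags.append("no_baseline")
        else:
            if country not in p["countries"]:
                flags.append("new_country")
            if when.hour not in p["hours"]:
                flags.append("unusual_hour")
        prev = last_seen.get(user)
        if prev and prev[1] != country and (when - prev[0]).total_seconds() <= RAPID_CHANGE_HOURS * 3600:
            flags.append("rapid_location_change")
        last_seen[user] = (when, country)
        results[(user, ts)] = flags
    return results

if __name__ == "__main__":
    for key, flags in score_logins(build_baseline(BASELINE_LOG), NEW_LOGINS).items():
        print(key, flags or "ok")
```

A single indicator is weak evidence on its own; the point of the baseline is that several of them accumulating on one account (as with the second alice login above) is what merits investigation.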

Lastline takes it a step farther. Given the company’s understanding of malicious behaviors (which it uses to detect and block malware from being installed in the first place), it can distinguish between anomalous network activity that is malicious and that which is anomalous but benign. It then generates high-fidelity insights into threats that are operating inside your network, consolidating alerts into comprehensive incidents that identify all compromised systems and accounts, and network activity resulting from the attack. Our detailed detection and analysis enable response teams to remediate the attack quickly and completely.

Learn more about account takeover by reading our blog post on the topic.