How Fraudsters Launch ATO Fraud Attacks, How They Monetize Them, And How to Make Them Stop
Recently I hosted a masterclass on account takeover attacks during the Arkose Labs Virtual Panel Series. That masterclass was the session that kicked off the whole panel series, which was apropos because ATO fraud is one of the fastest-growing issues in the fraud landscape and something that affects all businesses. Account takeover attacks are rising in both frequency and severity, and the reason for that is they are generally profitable for attackers. Fraudsters, like anyone else, get up each day and go to work to make a living. They don’t do this for fun. They do this because it is profitable. The way to stop ATO Fraud — and indeed all fraud — is to make it unprofitable for attackers.
A Rising Tsunami
ATO Fraud continues to increase in frequency and severity. The Arkose Labs Network detected a 50% increase in ATOs over the 2nd half of 2020 as compared to the first half. And these numbers continue to trend up into 2021. Nearly two-thirds of the attacks we see on the Arkose Global Network are at the login point.
One reason for this is that ATO fraud attacks are a good entry point for the enterprising person looking to start a career in fraud. Years of massive data breaches have made it easy to acquire combo lists of usernames and passwords. The tools to launch ATO attacks at scale are readily available and there are even YouTube tutorials on how to run them. There is no need to write code or create your own infrastructure.
A person could start simply, for example, in gaming – using ATOs to gain valuable digital goods and items other players possess. Or to redeem loyalty points from a travel website. They can later move on to attacking more high-value accounts, such as bank accounts. The basics of launching attacks are pretty much the same regardless of what industry they are targeting.
How Fraudsters Target Attacks Across Industry
Financial Services/Fintech – These are typically the most valuable accounts for fraudsters to target, since they not only can directly drain funds from them, but they also contain sensitive information like social security numbers, addresses, and more. Since financial accounts are so valuable they are usually highly protected and have an additional layer of security such as 2FA. Fraudsters get around this by using tactics such as SIM swaps (we’ll get more into this later). They also use phishing campaigns; typically sending emails that look like they are from a bank, asking the recipient to click on a malicious link and log into their account to confirm their identity. The login page is actually fake and instead provides the fraudster with that user’s information.
Gaming – Gaming accounts are generally much less valuable than financial ones but also much easier to hack into, as they are less protected. Fraudsters run credential stuffing attacks at scale to break into these accounts. Attackers hack into accounts to steal digital goods and items to resell to other gamers on gray market forums; this is known as real money trading. They also use these compromised accounts to use cheats or hacks to gain advantages in-game. Typically when gaming platforms notice this they ban the offending account, but the fraudster can keep doing this over and over again with newly compromised accounts.
Travel: With travel sites, fraudsters are generally going for loyalty points. They can look and see if there is a stored payment mechanism in the account and use that, but mostly they are looking to use loyalty points to buy hotels, airfare, car rentals, and cruises. They may book these for personal use but more often they do it to then resell on a third-party platform.
Social Media: This is an interesting area because there is no direct dollar value from social media accounts. They don’t contain financial information or any other sort of PII. Fraudsters instead use these accounts for other reasons, such as to send spam and phishing messages to real users on the platform, to spread disinformation, or to artificially “like” other accounts they may be associated with. In some cases, fraudsters can also resell valuable accounts, such as those with only a few characters or unique names, because they are rare.
Streaming Services: Since there is not a massive amount of money to be made on streaming accounts, here fraudsters’ goal is to launch credential stuffing attacks against streaming services at scale to gain access to as many accounts as possible and resell access to others. So if a person is paying $15/month and their account gets hacked, the fraudster might sell access to that account to any number of people for one-time fee of a few dollars each.
The Fraud Ecosystem That Powers ATO Fraud
Fraudsters are able to launch these attacks profitably because of the broad and interconnected ecosystem they can tap into. There is no need for them to create any tool themselves; everything you need to launch ATO Fraud is available off-the-shelf in various places on the Dark Web as well as the surface internet.
Proxy IPs are readily available, and enterprise plans allow fraudsters to buy hundreds of thousands for an economical price. Combo lists can be acquired cheaply on forums where fraudsters congregate, or simply taken from sites like Pastebin. If they need more compute power to launch massive attacks at scale, that is readily available as well. They can buy SaaS software to load combo lists and launch attacks at scale with ease. Many of these come in premium tiers that also feature customer support.
With the economics of the fraud ecosystem behind them, it’s not uncommon for a fraudster to make their entire monthly budget in one good day.
And despite the advancements made in fighting fraud, attackers are still able to easily overcome some of the most common defenses. Here are some examples
MFA – While enabling MFA provides a sturdier level of security than simply relying on usernames and passwords, fraudsters can still work around it. One way is using a method known as SIM swapping. This is where a fraudster contacts a wireless carrier, convinces the call center rep that they are the real owner of a phone number and convinces the call center rep to switch the SIM card linked to the real user’s phone number to one in their possession. The fraudster can then receive any SMS code or token used for MFA. They can successfully convince wireless carriers to do this by utilizing personal information from data breaches or simply through social engineering from publicly available information.
Fraudsters also use phishing or vishing tactics to bypass MFA. For example, they may call a target pretending to be from their bank and tell them their account has been compromised and that they need the MFA code that was just texted to them to verify their identity. The fraudsters — who already had the username and password combination — now in possession of the code can go in and access the account.
Due to the extra steps and time spent in bypassing MFA, these tactics are usually reserved for high-value accounts, such as financial accounts. Fraudsters typically won’t go to these lengths for lower value accounts, such as in gaming or travel, instead, relying on brute force credential stuffing.
Biometrics – Biometrics have become one of the tools businesses rely upon to protect their digital platforms from fraud. Biometrics can indeed be helpful in many ways, such as detecting if a user is logging in from a location much different than normal.
Fraudsters, however, have ways around biometric detection as well. Just as technology has evolved to help fraud detection, it’s also evolved to benefit the bad guys. There are numerous marketplaces fraudsters can utilize that allow them to purchase not only valid username and password combinations, but ones that also come paired with the proper device fingerprints associated with those credentials as well as a proxy IP, so they appear as a real user coming to a website. These platforms are about to acquire and bundle this information through malware that was successfully installed on real user devices, by phishing, or other means.
This makes it extremely difficult for biometrics to detect fraud; after all the fraudster logging in to a website appears to be using the right credentials from the device the user normally has and from the right location.
How to Truly and Effectively Stop ATO Fraud Attacks
It might seem a thankless task to stop ATO fraud, given the tools fraudsters have at their disposal. But there is one surefire way to ensure these attacks stop, or at least that they don’t target your business. And that’s eliminating the economic incentive behind fraud attacks.
To do this, you need to focus on what fraudsters are after rather than just implementing tools and technology to block them. Work backward to figure out how they get money out of your platform and how to make that more difficult. It could be by making it more costly to buy proxies by utilizing robust IP intelligence. Or device fingerprint forcing them to invest in more software. You can trigger additional step-up measures for suspicious traffic. It’s important to not just rely on passive signals, as fraudsters can not only get around those, but it also can lead to false positives.
By making the ratio unbalanced on how much time and money fraudsters have to spend on attacks versus what they get out of them, ultimately they will move on and do something else. That’s the most effective way to stop fraud.