Greater consumer reliance on digital channels for practically every life activity has opened up a broad range of opportunities for attackers to target consumer accounts through account takeover (ATO) attacks. ATO attacks have high monetization potential, which makes them hugely popular among attackers: they can sell the compromised accounts to third parties, drain the assets those accounts hold, or use the accounts for a plethora of criminal activities such as opening lines of credit, money laundering, disseminating spam, and launching phishing campaigns.
An ATO attack starts with data spillage, such as through a data breach. The breached data is then put up on public forums and the dark web for sale, where attackers can buy it rather cheaply. They can then replay the stolen credentials – through credential stuffing or password spraying – against multiple targets to obtain a refined list of accounts that are valid across several websites. The attackers may choose to sell the refined databases on the dark web at a higher cost or use them for account takeover attacks themselves, using a specific method of monetization depending on the website they target.
Attacking a poorly protected vs a well-protected website
Bad actors are in the business of cybercrime to make money for a living. Their returns must therefore exceed their investment in the attacks, and by a margin large enough to sustain their lifestyles. However, the ROI of an attack largely depends on how well a website is protected. For instance, an attacker can easily exploit a website that has poor or no protection; the attacker won’t even need special technical skills or investment to create an attack infrastructure.
On the other hand, when attacking a website with defenses like a Web Application Firewall (WAF), a bot management solution, or challenge-response authentication, an attacker will not only incur a higher cost, because assembling an attack infrastructure requires greater investment, but will also need to bring strong technical skills to bear.
What is a well-protected site?
A site is considered well-protected when it has web security products employed to assess the traffic before granting access to a resource. For instance, a WAF can help detect and mitigate application layer attacks like cross-site scripting, SQL injection, and DDoS attacks. That said, WAF products may not be effective enough against more complex and persistent credential stuffing attacks.
Instead, businesses must consider bot management or advanced bot detection products for more robust defenses against ATO attempts. These purpose-built web security products leverage the latest technologies and techniques such as device intelligence, IP intelligence, and behavioral biometric detection to offer more advanced detection. By combining user behavior anomaly detection methods with advanced response strategies that are designed to detect non-legitimate traffic, these solutions can help supplement fraud prevention efforts.
Bot management solutions help businesses ensure only legitimate consumers are given access to critical resources, such as the login endpoint. To enhance the security of their websites, some businesses have made significant investments in deploying an overarching fraud detection layer that combines signals from multiple web security products for the most efficient and accurate defense-in-depth strategy.
How a well-protected site helps deter account takeover attacks
In the absence of adequate defense mechanisms, attackers can engage in credential stuffing attacks at will. They may only need to deploy a simple botnet with a limited number of nodes using a common off-the-shelf attack tool like Sentry MBA or OpenBullet. The only concern for the bad actor while attacking a poorly protected site is to avoid overwhelming the target website, as denial of service may only increase the time needed to verify a large set of credentials.
Against a well-protected site, by contrast, an attacker will need to craft a more sophisticated attack strategy to avoid detection, which means the bad actor will need to:
- Spread the traffic through a large number of nodes, say a botnet consisting of over 10,000 nodes spanning several continents.
- Ensure that the traffic appears to be emanating from residential and mobile ISPs, since traffic coming from data centers is generally considered more suspicious.
- Ensure that the traffic mimics legitimate traffic as much as possible, for example by following the same workflow that a genuine consumer would generally follow.
- Avoid detection by sending the expected data with some variety in the fingerprint while guaranteeing the fingerprint is valid. This is important as most bot or attack detection products usually collect a fingerprint client-side consisting of device and browser characteristics and user preferences, which they evaluate to differentiate between bots and humans or to identify devices uniquely.
- Resubmit the failed attempts as the defense solution will successfully detect, block, or challenge the majority of the attack traffic.
A protected website also introduces an element of uncertainty for attackers. When security teams frequently update their defenses, attackers are forced to adjust the software running on the botnet and their attack strategy to be able to defeat those defenses. They may have to spend days or weeks testing and developing a workaround, and abandon the attack when they can’t find a solution.
Cost of attacking a well-protected site
Having robust security mechanisms in place forces attackers to invest in additional resources to launch attacks and evade detection. The cost of a successful attack would depend on the level of protection a website has. For instance, an attacker only needs to spend around $50 a month for a basic shared data center-hosted proxy service that can defeat the rate limiting in place for a website protected with a WAF solution. The annual cost of attacking such a single website would be around $600.
The cost of an attack increases when a website is protected with an advanced bot management solution. This is because basic proxy services no longer suffice, and the attacker will need to deploy a more costly proxy service to leverage mobile and residential ISP IP addresses. The attacker will now need to spend around $700 per month on this type of proxy service to be able to load-balance the traffic through over 100,000 IP addresses. And that is not all. The attacker will need to host the command-and-control center in the cloud, which will mean an additional spend of $50 or so per month on compute and storage for a single server per site attacked. For every additional website the attacker targets, the cost increases by $50 a month. The annual cost of attacking a single website in this case would be about $9,000.
Arkose Labs significantly increases the cost of account takeover attacks with its smart bot management solution, Arkose Bot Manager. Attackers will need to spend double the hosting cost (about $100 per month) per site they attack to manage the more complex workflow of solving the challenges that Arkose Bot Manager offers. They will also need to integrate the botnet with a CAPTCHA-solving service, which costs about $2.12 per 1,000 requests. With limited bandwidth, attackers will need to spend significantly more time to complete the credential stuffing attack, making the attack more noticeable and affording application security teams enough opportunities to mitigate it. In the process, they will also increase the number of retries necessary. For calculation’s sake, considering that the CAPTCHA solving service takes four tries for every successful validation, a million credentials would need four million requests to validate, costing about $8,480. The total annual cost of attacking a single website protected by Arkose Bot Manager doubles to more than $18,000.
The cost difference—between a website protected with Arkose Bot Manager vis-à-vis one that is not—becomes even more pronounced with the increase in the number of websites attacked.
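The cost model above, carried through as an added example (not code from the article or from Arkose Labs). The three tiers, the monthly proxy and hosting prices, the $2.12 per 1,000 solve price and the four-tries-per-validation ratio are the article's figures; the per-site scaling (proxy shared across targets, hosting paid per site) follows the article's "+$50 a month per additional website", and the hit rate used for the cost-per-account view is a constructed assumption.

```python
"""Annual attacker cost per defence tier, using the figures quoted above.

Added example, not part of the original article. Prices are the article's;
the per-site scaling and the hit rate are labelled assumptions.
"""
from dataclasses import dataclass

MONTHS = 12


@dataclass(frozen=True)
class DefenceTier:
    name: str
    proxy_per_month: float         # proxy service, assumed shared across all sites
    hosting_per_site_month: float  # C2 compute/storage per site (0 for WAF-only tier)
    solve_cost_per_1k: float       # CAPTCHA-solving price per 1,000 requests
    tries_per_validation: int      # solver attempts per successful validation


WAF_ONLY = DefenceTier("WAF only", 50, 0, 0.0, 1)
BOT_MANAGER = DefenceTier("bot management", 700, 50, 0.0, 1)
ARKOSE = DefenceTier("Arkose Bot Manager", 700, 100, 2.12, 4)


def annual_cost(tier, credentials_per_site=1_000_000, sites=1):
    """Annual cost (USD) of stuffing `credentials_per_site` credentials into `sites` targets."""
    infra = MONTHS * (tier.proxy_per_month + tier.hosting_per_site_month * sites)
    # Every credential needs `tries_per_validation` solver requests before it validates.
    requests = credentials_per_site * sites * tier.tries_per_validation
    solving = requests / 1000 * tier.solve_cost_per_1k
    return round(infra + solving, 2)


def cost_per_valid_account(tier, hit_rate, credentials_per_site=1_000_000, sites=1):
    """Attacker's cost per compromised account; `hit_rate` (fraction of credentials
    that are still valid) is a constructed assumption, not an article figure."""
    valid = credentials_per_site * sites * hit_rate
    return annual_cost(tier, credentials_per_site, sites) / valid


if __name__ == "__main__":
    for tier in (WAF_ONLY, BOT_MANAGER, ARKOSE):
        for n in (1, 5):
            print(f"{tier.name:20s} sites={n}: ${annual_cost(tier, sites=n):>10,.2f}")
```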
Effective bot management solutions increase costs of an ATO attack
Any attempt to bypass Arkose Bot Manager raises the cost of an ATO attack and erodes the ROI significantly. This depletion of returns is due to the attacker’s inability to complete the attack quickly.
Arkose Bot Manager blocks or challenges all malicious traffic and increases the time, effort, and resources needed to continue with the attack, which also tests the patience of the attacker. To complete the attack quickly, attackers may resort to sending their requests at a higher velocity, which makes the attack even more visible to the security teams. Either way, attackers are forced to give up on the attack or move on to an unprotected target.
To gain more insights into how a well-protected website is an effective deterrent for account takeover attacks, request your copy of the research paper ‘The Economics of Account Takeover Attacks’ now.