Account Takeover Fraud: What It Is And How To Stop it

What Is Account Takeover Fraud?

Account takeover fraud is when cybercriminals use stolen credentials to take control of genuine user accounts. In this identity-based attack, bad actors use these credentials as a launchpad for a variety of crimes like taking over customer bank accounts, redirecting shipments, laundering money, stealing rewards points, reselling subscription information, and more.

Many cybercriminals begin their careers with ATO attacks due to a low barrier to entry. Multiple tools are available to execute the attacks at scale with little to no cost, and there are even YouTube tutorials showing how to run them. If attackers need more computing power to launch massive attacks at scale, they can easily buy it. They can also acquire software to load combo lists, and many of these software solutions come in premium tiers that also feature dedicated customer support.

Additionally, account takeover fraud is popular because the process to execute it is the same amongst various industries. All an attacker needs to do is identify valid, stolen credentials–and then use those credentials to access an account.

ATO fraud has grown significantly across all industries, and it does not appear to be slowing. A majority of the attacks detected on the Arkose Global Network are at the login point.

Here, we dive deep into the latest account takeover fraud and abuse data to look at how ATO fraud has grown, how the modern cybercriminal is executing ATO attacks, and solutions you can implement to detect and prevent these attacks.

The Incredible Growth of Account Takeover Fraud

Years of massive data breaches have made it easy for attackers to acquire combo lists of usernames and passwords. As a result, account takeover attacks are on the rise. Cybersecurity company Okta reported over 10 billion credential stuffing attacks on its platform in the first 90 days of 2022 alone⁴.

This is likely due to an increase in the availability of quality, inexpensive username-password combinations and a host of other personally identifiable information (PII) such as. For example, the popular site Have I Been Pwned reports over 12.5 billion breached accounts from nearly 700 different websites⁵. Additionally, one estimate finds that an average American has 27 online accounts, and the actual number could be higher⁶. That means there will never be a shortage of targets for ATO attacks. This enables many cybercriminals, even those with little technical knowledge, to easily launch bot attacks at scale.

Types of Account Takeover Fraud Attack

Credential Stuffing

Credential stuffing is a cyberattack where automated tools exploit reused login credentials to access user accounts. Attackers leverage stolen username and password pairs, trying them on multiple websites to compromise additional accounts due to users' habit of reusing credentials.

Phishing and Email Exploitation

Phishing is a cyberattack where criminals deceive users into disclosing sensitive information through fraudulent communications. Mimicking legitimate sources, these scams exploit trust to steal money, data, or identities. They appear authentic, making detection challenging across emails, texts, or websites.

Mass Fake Accounts

Mass fake accounts are numerous online accounts crafted by malicious actors for deceptive ends. Manual creation is laborious and yields few results, so attackers automate the process with bots, generating thousands swiftly. These accounts serve to spread misinformation, engage in spamming, phishing, manipulate discussions, or conduct cyberattacks.

Scraping

Malicious scraping involves bot-driven attacks that extract substantial data from websites and apps. While web scraping can be legitimate, malicious scraping violates permissions and terms of service. The harvested data fuels criminal activities like fake account registration, fake reviews, and inventory hoarding.

How Cyber Thieves Profit from Successful Account Takeover Fraud

ATO attacks are also popular among black-hat hackers because of the wide range of downstream attacks made possible by the compromised accounts. The most common use for ATO attacks are to steal payment credentials or other valuable account information from the account itself.

Additionally, compromised accounts can be used for money laundering and other criminal activities. Using the PII derived from taken-over accounts, such as a user's phone number, email address, or social security number, attackers can apply for loans or commit credit card fraud. Further, compromised accounts can be used for spam or phishing scams, which may be more successful coming from a "real" account.

Draining funds and assets from a compromised account is only the first step of an ATO attack. Cybercriminals can also exploit these accounts to make fraudulent payments. They can redeem the loyalty points in the account and even use the compromised account to launder money.

However, the motivation for account takeover fraud is not limited to financial abuse. Digital criminals also exploit the accounts under their control for sinister crimes–such as drug- and human-trafficking–that can have far-reaching consequences for society.

Account takeover attacks can be very costly. According to a poll of 100 IT executives commissioned by Arkose Labs, a majority responded that ATO attacks can cost anywhere from $50 to more than $200 per incident. When measured in the thousands, this can be a huge monetary drain for businesses.

How Bad Actors Target Attacks Across Industry

Financial Services/Fintech accounts are prime targets for cybercriminals, due to their high value and sensitive information. Despite additional security measures like two-factor authentication (2FA), attackers employ tactics like SMS toll fraud and phishing campaigns. These campaigns mimic legitimate emails, tricking financial institution users into providing their login information on fake login pages.

Gaming accounts are frequently targeted by cybercriminals due to their relative ease of hacking compared to financial accounts. Credential stuffing attacks are commonly used to gain unauthorized access. Attackers steal digital goods for resale in real money trading and exploit compromised accounts to cheat or gain advantages in games. The cycle continues as platforms ban accounts, prompting attackers to repeat the process with new compromises.

In travel attacks, cybercriminals primarily target loyalty points. While they may exploit stored payment methods, their main goal is to utilize loyalty points for purchasing accommodations, flights, rentals, and cruises. Often, they resell these items on third-party platforms, occasionally using them for personal purposes as well.

Social media accounts may lack direct monetary value, but they are exploited by malicious actors for various purposes. These include spamming and phishing attempts, spreading disinformation, and artificially boosting associated accounts through likes. Valuable accounts, with unique names or few characters, can be resold due to their rarity.

With streaming services, attackers aim to conduct large-scale credential stuffing attacks to gain access to numerous accounts. While there isn't much money directly associated with streaming accounts, cybercriminals can sell access to compromised accounts to multiple individuals for a one-time fee, even if the original account holder pays a monthly subscription fee.

What Are the Steps of Account Takeover (ATO) Fraud?

RECOMMENDED RESOURCE

8 Trends Fueling Account Takeover Attacks on Banks

ACCESS

A successful ATO attack always consists of three major steps, and often an entire community is involved in the process.

Step 1. Credential Harvesting

Stealing and harvesting credentials is a labor-intensive and technically demanding process. Attackers employ phishing, malware, social engineering, and database vulnerabilities to obtain credentials. The stolen data is lucratively sold on the public or dark internet, often repeatedly, until its value diminishes over time.

Step 2. Account Validation

The next phase involves checking stolen credentials, often using botnets for efficiency and scalability. Bot services and tutorials are readily available, making it accessible even for non-experts. Attackers enter stolen credentials, configure proxies, and define the target website. More advanced attackers may create their own botnets to bypass fraud detection and fraud prevention systems. The verified credentials are then sold to a third party on the dark web, with values varying based on the potential return on investment. High-value targets include banking or eCommerce sites with lucrative customer reward programs.

Step 3. What is Account Takeover

The final step in this chain is the attacker, who buys these lists. The lists are usually sold in bundles, as there is no guarantee that any given individual account will be valuable. For instance, a dormant account (where the account owner doesn't actively use the site), will only yield the owner's personal data. However, some other accounts may turn out to be a treasure trove for the attacker.

Cyber perpetrators will use automated methods to fill in login forms en masse with validated credentials; leverage low-cost human "sweatshop" resources to launch ATO attacks in a way that evades anti-automation defenses, or for very high-value targets manually complete the ATO attack themselves.

Automating ATOs with Credential Stuffing

Credential stuffing is a subset of account takeover fraud, where bots are deployed to constantly try different username/password combos at scale until a match is found. With the ready availability of this information for purchase by bad actors–due to years of personal information being exposed from data breaches–credential stuffing plays a key role in carrying out ATO attacks.

From the same video as earlier, here's an example of how quickly and easily an attacker can execute an automated credential stuffing attack:

Credential stuffing is a vital part of carrying out successful attacks. Malware authors will often use automated scripts to power credential stuffing. But they also utilize human sweatshops to launch these attacks so as to evade defenses that specifically look for signs of automation, or even conduct the attacks themselves for very high-value accounts.

Once credential stuffing is used to compromise an account, the attacker then has a wide range of options, from simply stealing money or information from the account, using it for downstream activities such as sending phishing or spam messages, laundering stolen money, or reselling the successfully validated credentials as a list on their own right.

Stop the Bots with Account Takeover Detection Prevention Solutions

Account takeover fraud is challenging to detect and stop. Attackers have studied the defense mechanisms that businesses deploy and have devised innovative ways to circumvent them.

• Risk scores: Many digital businesses rely almost entirely on data-driven solutions to assign risk scores and create rules to verify digital identities. However, with massive amounts of personal data being bought and sold, digital identities have been compromised at scale, leaving fraud intelligence data feeds with a significant level of ambiguity. To overcome limitations, businesses should deploy multiple solutions and threat scores. However, this results in complex tech stacks and alert overload, which is difficult to action.
• Multi-factor authentication: The aim of multi-factor authentication (MFA) is to create barriers for black-hat hackers. However, despite its noble aim, out-of-band authentication ends up introducing unnecessary friction for good users. Further, bad actors have devised ways to intercept SMS messages, and solutions that are paid for on a per-token model become very expensive.
• CAPTCHA: Available for free for many basic offerings, CAPTCHAs are designed to distinguish between humans and machines. However, with automatic solvers mushrooming, traditional CAPTCHAs are near-redundant as they allow bots to easily bypass them at scale. They also provide a sub-par user experience and fail to address human-driven and hybrid attacks.
• Manual review: Reviewing every user manually is an onerous task, which not only needs spending exorbitant amounts of effort but also slows down the process and increases the risk of human biases creeping in.

Account Takeover Protection with Arkose Labs

Businesses must rethink their attack prevention approach and adopt a strategy that provides them with long-term account takeover protection against evolving cybercrime while accelerating the consumer journey.

That's why the Arkose Bot Manager uses data-driven, real-time fraud intelligence, which is paired with secondary screening of risky traffic so businesses can reliably address ambiguity. It uses well-established machine learning algorithms to help predict traffic patterns, and real-time risk assessments further classify traffic based on probable intent and inform the system whether additional authentication is required.

Rather than outright blocking traffic and negatively impacting the user experience, the Arkose Labs approach is to use targeted friction, which is reserved purely for high-risk traffic.
The Arkose MatchKey challenge-response mechanism is the strongest CAPTCHA ever made and is a state-of-the-art series of challenges with industry-leading security. While the vast majority of good users can pass unchallenged, those who do experience a challenge can see that steps are being taken to protect their accounts without degrading their experience.

Arkose Labs' custom enforcement challenges are context-based, adaptive visual challenges that stop both automated and human-driven account takeover attempts. These custom visual challenges are designed to specifically thwart machine vision software, causing bots and automated solvers to fail. Additionally, the use of incrementally more complex challenges wear human cybercriminals down, sap their resources and compel them to abandon attacks.

Learn more about Arkose Labs Account Takeover Protection and Credential Stuffing Prevention solutions.