Account takeover (ATO) fraud is now the "new normal" in online commerce. The cost of ATO fraud has tripled in recent years, and consumers have paid an average of $290 and spent 15 to 16 hours resolving the problems caused by a single attack.
The industries most at risk for ATO are retail and eCommerce, video streaming services, social media and entertainment, financial services, healthcare, and higher education. It is also a growing threat to online gaming and gambling platforms, both of which see an increasing volume of mobile traffic. With more businesses operating mobile-first and the continuing move from brick-and-mortar to online stores, it is no surprise that the number of mobile-based account takeover attacks rose sharply in 2018, to 679 thousand attacks, almost 300 thousand more than in 2017.
In this article, we offer a glimpse into the motives and methods of fraudsters who commit account takeover attacks, and explain how understanding them can help you stop them.
Profiling an ATO Fraudster
Contrary to popular belief, there is no one specific profile or description that can be used to represent the typical fraudster who executes account takeover:
- They vary in age from teens all the way to middle-aged
- They originate from developed and developing countries alike
- Many work alone whilst others work in ‘fraud rings’
- Some choose to work entirely online and others are charismatic con-artists who charm information out of victims in real life, by posing as legitimate service providers, then use that information to access accounts
An interesting pattern has emerged that separates attacks by country of origin. Cloud-based email takeover attacks tend to originate mostly from Nigeria or China, while others, such as Instagram account takeovers, originate mostly from Russia.
It is somewhat daunting that these fraudsters function like any legitimate professional. They plan carefully, and are efficient and tenacious. They find and specialize in a successful attack method, using it over and over again until it fails them. Sometimes a fraudster will spend months gathering the data necessary for a single takeover.
Despite this growing sophistication, analysts and experts are finding ways to use behavioral patterns such as those described above to detect and prevent account takeover. And while the problem may seem overwhelming, it is important to realize that over 80% of account takeovers are perpetrated by less than 10% of the fraudsters attacking a site, so blocking a small number of operators removes most of the damage.
The Risks & Rewards of Account Takeover
According to HackerOne's 2018 Hacker Report (a survey of hackers on that platform, most of them bug-bounty researchers, so it describes hacker motivation in general rather than fraudsters specifically), financial gain is only the fourth most salient motive. "Being challenged", "learning new tips and techniques", and "to have fun" (a practice dubbed "electronic joyriding" over 25 years ago) all rank higher. Fraudsters, like all business owners, also need to advertise, so sometimes a fraudster infiltrates an account purely to gain prestige and records the accomplishment on their profile.
Their motives can be discerned partially from the type of account being infiltrated: the level of risk a fraudster is willing to take is commensurate with the financial or reputational gain the infiltration offers.
“Low Value” Accounts
Most social media accounts are "low value" since they don't grant access to money, goods or services. They are infiltrated for fun, for practice, to push products and political agendas, and to disseminate false information. In addition, these accounts contain a wealth of personal information and may be infiltrated to profile a person, for blackmail, or to pivot into other accounts where the victim reused the same credentials.
A recent data breach exposed the names, birthdates and emails of hundreds of thousands of students. Although "low value" in terms of access to money, goods and services, the information in such accounts allows fraudsters to collect and share data on victims, with the potential to cause continuing, long-term damage.
“High Value” Accounts
Accounts connected to money, goods, or services that can be used to make fraudulent purchases are considered "high value". User accounts on online gambling platforms also fall into this category: once infiltrated, they let fraudsters gamble and rack up debts in someone else's name, or take the winnings for themselves.
Recently, some social media accounts have moved into the "high value" category. Social networking platforms such as Facebook have introduced P2P payment services, and the social networking giant is also set to launch its own cryptocurrency in early 2020. These accounts are especially vulnerable, as social media security checks are relatively rudimentary, so much so that the SEC recently issued guidelines for securing social media accounts. Facebook's P2P payment security has been criticized by experts as insufficient, and it was recently announced that Messenger payments are being discontinued in the UK and France.
“Highest Value” Accounts
"Highest value" accounts are the ones that can be used to reset or verify other accounts. Many consumers use a single email address to recover or access credit card, bank, and store accounts, so the takeover of that email account is a potential goldmine for a fraudster. Many fraudsters won't take the risk of using these accounts themselves, but prefer to sell the stolen access on the dark web.
The Stages of Account Takeover: Risks vs Potential Gains
There are four main stages of account takeover: acquiring credentials (combo and proxy lists), acquiring tools, validating credentials, and monetizing the validated credentials.
Success depends not only on the technical knowledge and skill of the fraudster, but also on the quality of the credentials and tools used, and the fraudster's risk rises with each stage.
Stage 1: Acquiring Combo and Proxy Lists
Obtaining combo lists (username:password pairs harvested from breaches) and proxy lists is a crucial first step, and it involves little effort: they are mostly cheap and often offered free on open forums or the grey web. More expensive "good" lists that carry extra information, such as the victim's last known IP address, are also available. These sites are rarely monitored by law enforcement, making this stage very low risk.
The dark web is less accessible; highly capable, experienced fraudsters choose it as their playground. Reputation is worth much more in that environment, which leads to higher-quality lists being offered.
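Defenders can use the same combo lists. The following Python is an added example, not code from the original article: it screens a leaked combo list against a hypothetical user store that keeps a salted PBKDF2-SHA256 hash per account, and reports which customers reused the leaked password (and so need a forced reset before a validation run finds them) versus which merely appear in the dump. The combo lines and user records are constructed; real dumps contain the same noise of blank lines, mixed-case addresses, malformed lines and passwords containing colons.

```python
"""Screen a leaked combo list against a user directory.

Added example, not code from the original article. It assumes a
hypothetical user store that keeps a salted PBKDF2-SHA256 hash per
account; the combo list lines and user records below are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed combo list in the common "email:password" form, with the
# noise seen in real dumps: blank line, odd casing, a malformed line,
# and a password that itself contains colons.
COMBO_LIST = """\
alice@example.com:Summer2019!
BOB@Example.com:hunter2
carol@example.com:correct:horse:battery
not-a-combo-line

dave@example.com:Pa55word
"""

PBKDF2_ROUNDS = 100_000  # assumption: the store's configured work factor


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    email: str
    salt: bytes
    pw_hash: bytes


def make_user(email: str, password: str) -> UserRecord:
    salt = os.urandom(16)
    # Emails are lower-cased as the lookup key; the domain part is
    # case-insensitive and in practice providers treat the local part so too.
    return UserRecord(email.lower(), salt, hash_password(password, salt))


# Constructed user store: alice and carol reuse their leaked passwords,
# bob uses a different one, erin is not in the dump, dave is not a customer.
USERS = {u.email: u for u in [
    make_user("alice@example.com", "Summer2019!"),
    make_user("bob@example.com", "S0mething-else"),
    make_user("carol@example.com", "correct:horse:battery"),
    make_user("erin@example.com", "unrelated"),
]}


def parse_combo_list(text: str):
    """Yield (email, password) pairs. Split on the FIRST colon only, so
    passwords containing ':' survive; skip lines that are not combos."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if "@" not in email or not password:
            continue
        yield email, password


def screen_combo_list(text: str, users: dict) -> dict:
    """Return {email: verdict}. 'reuse' means the leaked password matches the
    account's current hash: force a reset. 'exposed' means the address is in
    the dump but the password differs: step-up verification, not a reset."""
    verdicts = {}
    for email, password in parse_combo_list(text):
        user = users.get(email)
        if user is None:
            continue  # not our customer; nothing to act on
        candidate = hash_password(password, user.salt)
        if hmac.compare_digest(candidate, user.pw_hash):
            verdicts[email] = "reuse"
        else:
            verdicts.setdefault(email, "exposed")
    return verdicts


if __name__ == "__main__":
    for email, verdict in sorted(screen_combo_list(COMBO_LIST, USERS).items()):
        print(f"{email}: {verdict}")
```

The check is deliberately keyed on the stored hash rather than on the plaintext, so it can run against an existing directory without ever storing the leaked passwords; the cost is one PBKDF2 computation per matching address, which is why the list is filtered to known customers first.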
Stage 2: Acquiring Tools
Acquiring the tools to validate credentials also involves minimal risk and effort. Both tutorials and credential-cracking tools (the STORM tool, for example) can be found online, in many cases for free, for use by anyone with the technical skills and know-how.
A more experienced and sophisticated fraudster might prefer to write their own "validation bot". A reliable bot can also be leased or sold on, to increase profit and enhance reputation.
Stage 3: Validating Credentials
Only some of the accounts on a list are live, and only some of those have value. By running validation tools behind proxies, the fraudster separates the working credentials from the rest. The fraudster's exposure is still low, and the potential gain (in both money and reputation) is determined by the quality and quantity of the validated credentials. What makes this stage attractive to fraudsters is that, up to this point, they perceive themselves as having done nothing prosecutable, even though automated login attempts against other people's accounts already constitute unauthorized access in most jurisdictions. For the defender this is the first stage that touches their own infrastructure, and therefore the first stage where the attack can be observed and blocked.
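The validation run leaves two distinct footprints in authentication logs: a single proxy address cycling through many usernames with a high failure rate, and, when the bot rotates proxies, a single account being tried from many addresses. The following Python is an added example, not code from the original article or any vendor's product: it parses constructed log lines in a hypothetical "timestamp src_ip user result" format and flags both patterns, while leaving a legitimate user who mistypes a password once unflagged. The thresholds are illustrative starting points, not tuned values.

```python
"""Flag credential-validation runs in authentication logs.

Added example, not code from the original article. The log lines are
constructed, in a hypothetical 'ts src_ip user result' format; the
thresholds are illustrative, not tuned values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed log: one proxy IP (203.0.113.7) testing eight combos in four
# seconds, one account (victor) hammered through six rotating proxies,
# and a legitimate user (alice) who mistypes once before logging in.
AUTH_LOG = """\
2019-06-01T10:00:00 203.0.113.7 alice@example.com FAIL
2019-06-01T10:00:01 203.0.113.7 bob@example.com FAIL
2019-06-01T10:00:01 203.0.113.7 carol@example.com OK
2019-06-01T10:00:02 203.0.113.7 dave@example.com FAIL
2019-06-01T10:00:02 203.0.113.7 erin@example.com FAIL
2019-06-01T10:00:03 203.0.113.7 frank@example.com FAIL
2019-06-01T10:00:03 203.0.113.7 grace@example.com FAIL
2019-06-01T10:00:04 203.0.113.7 heidi@example.com FAIL
2019-06-01T10:05:00 198.51.100.1 victor@example.com FAIL
2019-06-01T10:05:30 198.51.100.2 victor@example.com FAIL
2019-06-01T10:06:00 198.51.100.3 victor@example.com FAIL
2019-06-01T10:06:30 198.51.100.4 victor@example.com FAIL
2019-06-01T10:07:00 198.51.100.5 victor@example.com FAIL
2019-06-01T10:07:30 198.51.100.6 victor@example.com OK
2019-06-01T11:00:00 192.0.2.10 alice@example.com FAIL
2019-06-01T11:00:20 192.0.2.10 alice@example.com OK
"""


@dataclass
class Attempt:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list:
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, user.lower(), result == "OK"))
    return attempts


def flag_validation_sources(attempts, min_users=5, max_success_ratio=0.4,
                            max_seconds_per_attempt=2.0) -> dict:
    """Single-source pattern: one address cycling many usernames, mostly
    failing, faster than a human types. Returns {ip: summary}; the 'hits'
    are credentials the attacker has just confirmed as valid."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.src_ip].append(a)
    flagged = {}
    for ip, rows in by_ip.items():
        users = {r.user for r in rows}
        if len(users) < min_users:
            continue
        successes = sum(r.ok for r in rows)
        span = (max(r.ts for r in rows) - min(r.ts for r in rows)).total_seconds()
        per_attempt = span / max(len(rows) - 1, 1)
        if successes / len(rows) <= max_success_ratio and per_attempt <= max_seconds_per_attempt:
            flagged[ip] = {"attempts": len(rows), "distinct_users": len(users),
                           "hits": [r.user for r in rows if r.ok]}
    return flagged


def flag_targeted_accounts(attempts, min_ips=5, max_success_ratio=0.4) -> dict:
    """Distributed pattern: one username tried from many addresses (proxy
    rotation), so per-IP rate limits never fire. Returns {user: summary};
    'compromised' is True when one of the attempts eventually succeeded."""
    by_user = defaultdict(list)
    for a in attempts:
        by_user[a.user].append(a)
    flagged = {}
    for user, rows in by_user.items():
        ips = {r.src_ip for r in rows}
        if len(ips) < min_ips:
            continue
        successes = sum(r.ok for r in rows)
        if successes / len(rows) <= max_success_ratio:
            flagged[user] = {"distinct_ips": len(ips), "attempts": len(rows),
                             "compromised": successes > 0}
    return flagged


if __name__ == "__main__":
    attempts = parse_log(AUTH_LOG)
    print("validation sources:", flag_validation_sources(attempts))
    print("targeted accounts:", flag_targeted_accounts(attempts))
```

Both detectors treat a success inside a flagged run as a confirmed compromise rather than a normal login: carol's and victor's sessions should be terminated and their passwords reset even though the login itself "succeeded". Alice is not flagged by either rule, because her two attempts come from one address against one account, the shape of an ordinary typo.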
Stage 4: Monetizing Validated Credentials
This is the stage with the greatest potential profit, but also the greatest risk, since the fraudster now has to touch the victim's money or goods. Instead of using validated credentials themselves, many fraudsters sell them on. Prices depend on the type and quality of the information: credentials that come with credit card details are worth more than plain retail accounts.
‘Fun’ Fact: When fraudsters sell high quality accounts they get “vouches” on their profiles, which further boosts business and reputation.
Find, Fight and Stop Account Takeover Fraudsters
Not all fraudsters are created equal. Yet it is clear that the trend of account takeovers is a force to be reckoned with. The fraudsters who perpetrate these attacks are professional, savvy and tenacious operators. They carefully weigh risks against potential gains, and are driven by a variety of incentives. Unchecked, they can cause huge amounts of damage to consumers and business owners alike.
Fortunately, there are ways to get ahead of account takeover attacks. Understanding what motivates fraudsters, how they think and how they operate is key to catching them. Fraud analysts can analyze user behaviors and interactions to extract insights that differentiate fraudsters from legitimate users, and block the attacks before any damage is done.