Account Takeover Fraud: Detection and Prevention

Account Takeover Fraud: Detection and Prevention

FACT: Account Takeover attacks have jumped 354% over the last year (Sift).

BEC fraud, which is only one type of account takeover fraud, has caused USD 50 billion in losses, according to the FBI.

According to Verizon, 86% of all data breaches involve stolen credentials.

These statistics underscore the growing threat that account takeover fraud poses to all organizations.

In this post, we’ll cover everything you need to know about account takeover attacks and how to prevent them.

Table of contents:

What is Account Takeover Fraud?

Account takeover (ATO) fraud is a form of identity theft where a bad actor gains unauthorized access to a victim’s online account, such as a bank account, email address, or social media profile. The typical methods used for ATO fraud include compromised credentials, phishing, malware attacks, and exploiting security vulnerabilities.

How does an account takeover happen?

ATO attacks typically happen through the following steps:

  1. Acquisition of Credentials: The attacker obtains the victim’s login credentials through methods like stealer logs, third-party breaches, darknet markets, initial access brokers, social engineering, or credential stuffing.
  2. Initial Access: Using the obtained credentials, the attacker gains unauthorized access to the victim’s account.
  3. Account Control: The attacker may change the account’s password, security questions, or associated email addresses to lock the legitimate user out and maintain control.
  4. Exploitation: The attacker exploits the account for malicious purposes, such as financial theft, data breach, spreading malware, or identity theft.
  5. Detection and Response: The victim or the service provider eventually detects the unauthorized activity, leading to an investigation and response measures to regain control of the account and mitigate the damage.

How are credentials stolen?

The easiest way for cybercriminals to gain unauthorized access to their target is with valid credentials. Credentials are stolen in a number of ways, including:

  • Stealer Malware: This type of malware is specifically designed to extract sensitive information from infected devices, including login credentials, browser cookies, and autofill data.
  • Data Breaches: Credentials are stolen from compromised databases during a data breach and often sold on the dark web.
  • Credential Stuffing: Attackers use automated tools to try previously breached username and password combinations on multiple websites, exploiting users who reuse passwords across different accounts.
  • Initial Access Brokers: These are cybercriminals who specialize in breaching systems and then selling the access to other attackers, often including stolen credentials as part of the package.
  • Social Engineering: This involves manipulating individuals into divulging confidential information, such as login credentials, often through pretexting, baiting, or posing as a trustworthy entity in communication.

Impacts of Account Takeover Fraud

Account takeover fraud impacts organizations in several ways, including:

  1. Financial Loss: Victims can suffer direct financial loss due to unauthorized transactions, theft of funds, or fraudulent purchases made using stolen credit cards or other financial accounts.
  2. Identity Theft: Attackers can use stolen personal details, such as social security numbers, from compromised accounts to commit further identity theft, which can lead to long-term financial and legal issues for the victims.
  3. Reputational Damage: If social media or professional accounts are taken over, the attacker can post damaging content that can harm companies in unexpected ways.
  4. Operational Disruption: In cases where business accounts are compromised, there can be significant operational disruptions, leading to downtime, loss of productivity, and potential legal liabilities.
  5. Data Breach: ATO can lead to further data breaches, as attackers gain access to sensitive information stored in the compromised account, which can be used for additional malicious activities.

Detecting Account Takeover Fraud

Detecting account takeover attacks involves monitoring for indicators of compromise and implementing security controls. Here are some key signs to watch for:

  • Unusual Login Patterns: Monitor for logins from unfamiliar geographic locations, IP addresses, or at odd hours, which may indicate unauthorized access.
  • Repeated Failed Authentication Attempts: Multiple failed login attempts could suggest brute force or credential stuffing attacks.
  • Anomalous Transactions or Activities: Unusual activities, such as unexpected data downloads, transfers, or commands, could signal account compromise.
  • Increase in Outgoing Spam or Phishing Messages: A spike in outgoing spam or phishing emails from an account may indicate it has been taken over for malicious purposes.
  • Account Lockouts: Users being locked out of their accounts unexpectedly could be a sign that an attacker has gained access and changed the password.
  • Unexpected Two-Factor Authentication Requests: Be alert to MFA requests that are not triggered by the legitimate user, as this could indicate an attacker is attempting to bypass security measures.

Responding to Account Takeover Fraud

When security teams detect account takeover (ATO) fraud, they should initiate their incident response plan to mitigate the impact effectively. Here are some specific steps that should be included:

  • Immediate Account Lockdown: Temporarily lock the affected account to prevent further unauthorized access while the incident is being investigated.
  • Investigate the Incident: Conduct a thorough investigation to determine the scope of the compromise, including which accounts were affected, how the attacker gained access, and what actions were taken by the attacker.
  • Reset Credentials: For the compromised account and any other accounts that may have been affected, reset passwords and any other security credentials. Ensure that the new passwords are strong and unique.
  • Review and Revoke Access: Review the access rights and privileges of the compromised account to identify any unauthorized changes. Revoke any suspicious access and restore appropriate permissions.
  • Enable Multifactor Authentication (MFA): If not already in place, enable MFA for the affected account and encourage its adoption across all user accounts as an additional layer of security.
  • Notify Affected Users: Communicate with the affected user(s) about the incident, the steps taken to secure their account, and any actions they need to take, such as changing their passwords.
  • Update Security Measures: Based on the findings of the investigation, update security measures and policies to prevent similar incidents in the future. This may include enhancing monitoring capabilities, refining access controls, and conducting regular security audits.
  • Monitor for Suspicious Activity: Continue to monitor the affected account and other related systems for any signs of suspicious activity that may indicate further attempts at unauthorized access.
  • Document the Incident: Keep detailed records of the incident, including how it was detected, the response actions taken, and the lessons learned. This documentation can be valuable for future reference and for compliance purposes.
  • Conduct a Post-Incident Review: After the incident has been resolved, conduct a review to evaluate the effectiveness of the response, identify any weaknesses in security protocols, and implement improvements to prevent future occurrences.

Preventing Account Takeover Fraud

Preventing ATO fraud requires a multilevel approach that combines strong security measures, user education, and regular monitoring. Here are some of the best practices:

  • Use Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring users to provide two or more verification factors to access their accounts, making it much harder for attackers to gain unauthorized access.
  • Implement Strong Password Policies: Enforce policies that require all employees to use a password manager to generate strong, unique passwords for each account.
  • Monitor for Suspicious Activity: Use tools to monitor user accounts for unusual activities, such as login attempts from new locations or devices, multiple failed login attempts, or sudden changes in account settings.
  • Enable Account Lockout Policies: Implement account lockout policies that temporarily lock accounts after a certain number of failed login attempts to prevent brute-force attacks.
  • Regularly Update and Patch Systems: Keep all systems, software, and applications up to date with the latest security patches to reduce vulnerabilities that attackers could exploit.
  • Use Advanced Authentication Methods: Consider implementing biometric authentication or behavioral biometrics, which can provide additional security by analyzing user behavior patterns.
  • Secure Endpoints: Ensure that all devices used to access accounts are secured with antivirus software, firewalls, and other endpoint security solutions.
  • Educate Users: Conduct regular security awareness training to educate users about the risks of ATO fraud, how to recognize phishing attempts, and the importance of using strong, unique passwords.
  • Incident Response Plan: Have a well-defined incident response plan in place to quickly respond to and mitigate the impact of any account takeover incidents.
  • Dark Web Monitoring: Monitor the dark web for leaked user credentials related to your organization. Early detection of compromised data allows your security team to reset the passwords for the affected accounts and prevent potential account takeover fraud​.

Need real time visibility into your organization’s leaked credentials? Book a demo with Breachsense to learn how we can help stop account takeover fraud.

Related Articles