Account takeover fraud (ATO) is definitely not the new kid on the block. Establishments whose business model is centered around financial transactions, such as online retailers or banks, have been dealing with it for over a decade.

Unfortunately, this doesn’t mean that its appeal has died down over the years. In fact, account takeover fraud is more popular than ever. Recent account takeover statistics have shown an increase of nearly 300% since 2019 in ATO cases that have cost companies and consumers alike a whopping $16.9 billion in damages.

In the following lines, I will take you through the basics of account takeover fraud prevention. So, if you want to know not only how ATO works, but also how you can protect your business from it, keep on reading.

What is Account Takeover Fraud?

Account Takeover Definition

To define account takeover fraud, it is essential to first discuss the concept of identity theft. According to Investopedia,

Identity theft is the crime of obtaining the personal or financial information of another person to use their identity to commit fraud, such as making unauthorized transactions or purchases. Identity theft is committed in many different ways and the end result is that victims are typically left with damage to their credit, finances, and reputation.

In the case of an account takeover, cybercriminals gain unlawful access to the financial or e-commerce login credentials of a user, generally through means of a bot attack. This results in one or multiple fraudulent transactions being carried out. Excessive billing may occur before the victim even notices they have been targeted by an ATO.

Keeping this in mind, it can be concluded that account takeover fraud is the Web-based variant of identity theft. Therefore, the practices of identity theft and account takeover go hand in hand.

Account Takeover Methods

Cybercriminals commit account takeover fraud by exploiting vulnerabilities in individual user accounts, as well as networks as a whole. Hackers have a variety of approaches under their belt for this, some more creative than others.

Nevertheless, the five most frequently used account takeover methods are malware replay attacks, social engineering, man-in-the-middle attacks, credential stuffing, and credential cracking, each of which I have explained in the subsections below. For more information on each topic, you can always check out the articles linked in their respective sections from the Heimdal blog. My colleagues already did a great job of explaining them in great detail there, so I’ll just go through the basics.

Malware Replay Attacks

Malware is a hacker-favorite when it comes to account takeover fraud attempts. Once your devices are infected, cybercriminals can either use the malware itself to steal login credentials or go the replay attack route.

During a replay attack, attackers seize HTTP data sent from your network to a financial institution, then manipulate it in their favor and retransmit it. Fortunately, there are a few warning signs that your network has been infected with malware. Some of the most frequent ones are:

  • reduced system performance,
  • suspicious increases in traffic,
  • unfamiliar error messages,
  • strange emails delivered from your account,
  • and unusual ads or pop-ups.
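The replay scenario above (captured HTTP data retransmitted, possibly after tampering) is what a bank or payment API has to defeat on the server side. The following is an added example, not code from the original article or from Heimdal: it signs each request with an HMAC over the method, path, body, a timestamp and a one-time nonce, and the server rejects anything with a bad tag, a stale timestamp, or a nonce it has already seen. The shared key, the endpoint, the log format and the request contents are constructed for the demonstration.

```python
import hashlib
import hmac

# Hypothetical shared key between the client device and the API (constructed, not a real secret).
SHARED_KEY = b"example-shared-key-not-a-real-secret"
MAX_SKEW_SECONDS = 60  # how far a request timestamp may drift from server time


def sign_request(key: bytes, method: str, path: str, body: str,
                 timestamp: int, nonce: str) -> str:
    """HMAC-SHA256 over the canonical request; timestamp and nonce are part of the signed data."""
    canonical = "\n".join([method, path, body, str(timestamp), nonce])
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server-side verifier: rejects bad signatures, stale timestamps and reused nonces."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces: dict = {}  # nonce -> timestamp it was first accepted with

    def verify(self, request: dict, now: int) -> tuple:
        expected = sign_request(self.key, request["method"], request["path"],
                                request["body"], request["timestamp"], request["nonce"])
        # Constant-time comparison so the check does not leak how many bytes matched.
        if not hmac.compare_digest(expected, request["signature"]):
            return False, "bad signature"
        if abs(now - request["timestamp"]) > self.max_skew:
            return False, "stale timestamp"
        if request["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[request["nonce"]] = request["timestamp"]
        # Nonces older than the skew window can be forgotten: a replay that old
        # is already rejected by the timestamp check above.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= self.max_skew}
        return True, "ok"


def demo() -> list:
    """Walk one legitimate request and three replay/tamper attempts through the guard."""
    guard = ReplayGuard(SHARED_KEY)
    now = 1_700_000_000  # constructed server clock (Unix seconds)
    req = {"method": "POST", "path": "/transfer",
           "body": '{"to":"ACC-42","amount":250}', "timestamp": now, "nonce": "c0ffee01"}
    req["signature"] = sign_request(SHARED_KEY, req["method"], req["path"],
                                    req["body"], req["timestamp"], req["nonce"])
    results = [guard.verify(req, now)[1]]                  # first delivery: accepted
    results.append(guard.verify(dict(req), now + 5)[1])   # same bytes again: replayed nonce
    tampered = dict(req, body='{"to":"ACC-99","amount":250}')
    results.append(guard.verify(tampered, now)[1])        # payee changed: bad signature
    late = dict(req, nonce="c0ffee02", timestamp=now - 600)
    late["signature"] = sign_request(SHARED_KEY, late["method"], late["path"],
                                     late["body"], late["timestamp"], late["nonce"])
    results.append(guard.verify(late, now)[1])            # correctly signed but 10 min old
    return results


if __name__ == "__main__":
    print(demo())
```

The nonce store here is an in-memory dictionary; in a deployment with several API nodes it would have to be shared (or the nonce bound to a per-session counter), otherwise a capture replayed against a different node would pass.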

Social Engineering

Another widespread fraud tactic preferred by hackers, social engineering relies on human psychology to deceive users into disclosing personal information. Impersonating contacts, masquerading as trusted institutions, mimicking partner branding, or creating a relationship with ulterior motives are just a few of the popular practices in this category.

Here are a few ways to recognize if your company is being targeted by a social engineering campaign:

  • unsolicited emails or text messages,
  • suspicious payment or information requests,
  • and untrustworthy customer support inquiries towards clients.

Man-in-the-Middle Attacks

Much like social engineering, man-in-the-middle attacks rely on a deception that is usually carried out in two potential scenarios. In one of them, cybercriminals intercept your communications with a legitimate third party, such as a bank or a supplier. You will then be redirected to a hacker-controlled domain and requested to provide login credentials or other PII.

The second possible scenario involves cybercriminals completely hijacking your session and taking actions on your behalf without previously expressed consent. This happens when your network is unsecured, or when JavaScript vulnerabilities are left open to attacks.

Your enterprise might have fallen victim to a man-in-the-middle attack if:

  • customers receive fraudulent communications from you,
  • IP, HTTP, DNS, or TCP anomalies appear in a session,
  • latency anomalies appear in a session,
  • TCP and HTTP signatures in a session do not match,
  • and suspicious parallel sessions are identified.

Credential Stuffing

The illicit practice of credential stuffing consists of hackers trying to log in by using stolen user names and passwords across a multitude of websites and platforms. The name stems from the method itself, which is “best described as trying to stuff [the credentials] everywhere”, as my colleague Miriam very aptly explained in her extensive article on the topic.

Do you suspect you’ve been targeted by a credential stuffing attack? Here’s how you can tell:

  • fluctuating spikes in traffic,
  • irregular increase of failed login tries,
  • amplified number of logins,
  • non-existent credentials attempting authentication,
  • and an upsurge in bounce rates.

Credential Cracking

Finally, credential cracking is perhaps the oldest and most simplistic trick in this particular book, but an effective one nevertheless. It is widely used by hackers that target one specific establishment, as opposed to credential stuffing and its broader focus. Cybercriminals break into your account(s) by running through candidate passwords with the dictionary method, or through a brute force attack. Warning signs that your organization is being targeted include:

  • a spike in account locks,
  • an unusually high number of failed login attempts,
  • and customer complaints regarding suspicious activity.
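The two sets of warning signs above (for credential stuffing: traffic spikes, many failed logins, non-existent accounts attempting authentication; for credential cracking: lockouts and a high failure count concentrated on a few accounts) can be turned into a simple detection over an authentication log. The following is an added example, not code from the original article or from Heimdal; the log line format, the three sample windows and the thresholds are all constructed for the demonstration and would need tuning against your own baseline.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed (hypothetical) log format: one authentication attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL|LOCKED)"
    r"(?: reason=(?P<reason>\S+))?$"
)


@dataclass
class WindowStats:
    attempts: int
    failures: int        # FAIL + LOCKED
    unknown_users: int   # FAIL with reason=no_such_user ("non-existent credentials")
    lockouts: int
    distinct_users: int
    distinct_ips: int
    max_per_user: int    # attempts against the single most-targeted account


def summarize(lines) -> WindowStats:
    """Aggregate one time window of log lines into the counters the rules need."""
    users, ips = Counter(), set()
    attempts = failures = unknown = lockouts = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        attempts += 1
        users[m["user"]] += 1
        ips.add(m["ip"])
        if m["result"] != "OK":
            failures += 1
        if m["result"] == "LOCKED":
            lockouts += 1
        if m["reason"] == "no_such_user":
            unknown += 1
    return WindowStats(attempts, failures, unknown, lockouts,
                       len(users), len(ips), max(users.values(), default=0))


def classify(stats: WindowStats, baseline_attempts: int,
             spike_factor: float = 3.0, fail_ratio: float = 0.7) -> list:
    """Apply the two rule sets; thresholds are assumptions to calibrate per environment."""
    findings = []
    if stats.attempts == 0:
        return findings
    spike = stats.attempts > spike_factor * baseline_attempts
    ratio = stats.failures / stats.attempts
    # Stuffing: a spike of mostly failing logins spread over many accounts and sources,
    # including usernames that do not exist in this system at all.
    if spike and ratio >= fail_ratio and stats.distinct_users >= 10 and stats.unknown_users >= 1:
        findings.append("credential_stuffing")
    # Cracking: failures and lockouts concentrated on a handful of accounts.
    if stats.distinct_users <= 3 and (
            stats.lockouts >= 3 or (ratio >= fail_ratio and stats.max_per_user >= 10)):
        findings.append("credential_cracking")
    return findings


BASELINE_ATTEMPTS = 8  # constructed: typical attempts per window in quiet hours

# Constructed sample windows (documentation IP ranges, fictional usernames).
NORMAL = [
    "2024-05-01T09:00:05Z ip=198.51.100.10 user=alice result=OK",
    "2024-05-01T09:00:41Z ip=198.51.100.11 user=bob result=FAIL reason=bad_password",
    "2024-05-01T09:00:58Z ip=198.51.100.11 user=bob result=OK",
    "2024-05-01T09:01:30Z ip=198.51.100.12 user=carol result=OK",
]
# 30 attempts from 10 sources against 30 different usernames, 27 failing,
# three of them for accounts that do not exist.
STUFFING = [
    f"2024-05-01T09:05:{i:02d}Z ip=203.0.113.{i % 10} user=user{i:03d} "
    + ("result=OK" if i % 10 == 0 else
       "result=FAIL reason=no_such_user" if i % 5 == 0 else
       "result=FAIL reason=bad_password")
    for i in range(30)
]
# 30 attempts from 2 sources, all against one privileged account, with 3 lockouts.
CRACKING = [
    f"2024-05-01T09:10:{i:02d}Z ip=203.0.113.{50 + i % 2} user=finance-admin "
    + ("result=LOCKED" if i % 10 == 9 else "result=FAIL reason=bad_password")
    for i in range(30)
]

if __name__ == "__main__":
    for name, window in [("normal", NORMAL), ("stuffing", STUFFING), ("cracking", CRACKING)]:
        print(name, classify(summarize(window), BASELINE_ATTEMPTS))
```

Run over rolling windows (five minutes is a common starting point), the same counters also feed the "amplified number of logins" and "bounce rate" signals the article lists, since a successful-login spike from unfamiliar addresses is the next thing to alert on once the failures stop.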

Regardless of the method that is used, account takeover as a process is not a singular event. It unfolds in six separate steps which I like to call the six IONs of ATO. These are infection, misappropriation, transaction, validation, observation, and execution. You can find them defined below.

1. Infection

Using social engineering practices such as malspam, pop-ups, and so on, bots deploy malware to infect vulnerable machines in your network.

2. Misappropriation

Criminals profit from the gap in security and steal login credentials, as well as other relevant personally identifiable information (PII).

3. Transaction

Cybercriminals sell stolen credentials on the Dark Web for a profit, or keep them and pursue fraudulent activities themselves.

4. Validation

Fraudsters validate the stolen credentials and PII to ensure that they are correct and can be used for account takeover fraud.

5. Observation

Fraudsters then monitor the activity on the compromised account(s) to choose an ideal moment to strike.

6. Execution

Hackers finally perform duplicitous account activities such as fake payments, illicit online shopping, or excessive billing for their financial gain.

Account Takeover Prevention

#1 Train Employees on Password Best Practices

As a business owner, part of your job is to not only stay up to date with the latest cybersecurity best practices but to make sure your employees are on the same page as well. At the end of the day, they are the ones in charge of their own login credentials.

Proper credentials are your company’s first line of defense in the face of account takeover fraud. Therefore, you must educate personnel on how to create and maintain a strong password. In this way, they will avoid perpetuating the most common password mistakes and thus keep your business all the safer. A strong password:

  • contains both lowercase and uppercase letters,
  • features alphanumeric characters,
  • does not contain easy to guess PII (name, birthday, and so on),
  • is changed frequently, but not according to a fixed schedule.

#2 Utilize a Password Management Tool

Does your staff work with several accounts on multiple platforms? Ensuring that they create a different password for each one is vital for the online safety of your assets. Needless to say, this can become difficult to handle. Nevertheless, integrating a password management tool into your organization’s workflow is a sure way to make everyone’s life easier in this regard. Popular suggestions include:

  • 1Password
  • LastPass
  • Dashlane
  • Bitwarden
  • KeePass

#3 Implement Two-Factor Authentication

Two-factor authentication provides an additional layer of security when logging into an account, and can thus stop fraudsters in their tracks. As its name states, this preventive method means adding a second verification step alongside the traditional username and password.

Nowadays, the most popular choice of login validation is that of a secondary device that is traditionally carried with oneself at all times, such as a smartphone or token. Popular platforms such as Google, Facebook, or Instagram use it.

However, two-factor authentication can also consist of:

  • A piece of personal information, such as a PIN code or the answer to a secret security question.
  • Biometric data, such as facial, vocal, or fingerprint recognition.

#4 Deploy Software Updates and Patches

Outdated, unpatched software is a huge liability for your enterprise, as it allows fraudsters to perform man-in-the-middle attacks and other hacking attempts. However, staying on top of updates can become tedious for employees, whose activity is often interrupted by their installation process. This is why most of them will press the LATER button for as long as they can.

Nevertheless, patches are crucial to the cyber-health of any system. This is why we here at Heimdal Security integrated the Heimdal Patch & Asset Management automatic software updater into our core offering of Heimdal™ Threat Prevention.


Heimdal Patch & Asset Management deploy system updates and patches automatically, thus closing the security gaps in your organization’s network. What is more, installations can be scheduled at the convenience of your employees, minimizing disruptions and optimizing workflows in the process.

#5 Apply DNS Filtering on All Endpoints

Regardless of how strong your company’s password game is, fraudsters can still have a field day with your financial assets if your systems are not protected at the level of the Domain Name System. In fact, most of the aforementioned account takeover fraud methods have higher chances of succeeding if the DNS is not secured.

Fortunately, this is something that can be handled by Heimdal™ Threat Prevention as well, courtesy of its integrated DarkLayer Guard™ and VectorN Detection DNS security and threat hunting modules. Foresight enables you to locate, prevent, and block digital dangers with its advanced endpoint traffic-filtering technology.

Additionally, the DarkLayer Guard™ module is also integrated with Heimdal™ Threat Prevention Network, a solution we created to ensure your network cybersecurity at the level of the online perimeter. In this way, your company can cover all its bases and stop ATO fraudsters in their tracks before it’s too late.


To Sum It All Up…

A strong password is your best friend when it comes to account takeover fraud prevention. Nonetheless, backing login credentials with an efficient suite of cybersecurity solutions will take your defenses to the next level. As cyber attackers become increasingly cunning and skilled in penetrating even the sturdiest of digital fortresses, it is your responsibility as a business owner to keep your clients and employees safe.

Has your business ever been targeted by an account takeover attempt? Do you have any thoughts on the topic? Let me know in the comment section below!
