Account Takeover Fraud Is Up 300%. What You Need to Know
Quote:

Account Takeover Fraud Numbers Are on the Rise. Learn How to Secure Your Assets.

Account takeover fraud (ATO) is definitely not the new kid on the block. Establishments whose business model is centered around financial transactions, such as online retailers or banks, have been dealing with it for over a decade.

Unfortunately, this doesn’t mean that its appeal has died down over the years. In fact, account takeover fraud is more popular than ever. Recent account takeover statistics have shown an increase of nearly 300% since 2019 in ATO cases that have cost companies and consumers alike a whopping $16.9 billion in damages.

In the following lines, I will take you through the basics of account takeover fraud prevention. So, if you want to know not only how ATO works, but also how you can protect your business from it, keep on reading.

What is Account Takeover Fraud?

Account Takeover Definition

To define account takeover fraud, it is essential to first discuss the concept of identity theft. According to Investopedia,

Quote: Identity theft is the crime of obtaining the personal or financial information of another person to use their identity to commit fraud, such as making unauthorized transactions or purchases. Identity theft is committed in many different ways and the end result is that victims are typically left with damage to their credit, finances, and reputation.

In the case of an account takeover, cybercriminals gain unlawful access to the financial or e-commerce login credentials of a user, generally through means of a bot attack. This results in one or multiple fraudulent transactions being carried out. Excessive billing may occur before the victim even notices they have been targeted by an ATO.

Keeping this in mind, it can be concluded that account takeover fraud is the Web-based variant of identity theft. Therefore, the practices of identity theft and account takeover go hand in hand.

Account Takeover Methods

Cybercriminals commit account takeover fraud by exploiting vulnerabilities in individual user accounts, as well as networks as a whole. Hackers have a variety of approaches under their belt for this, some more creative than others.

Nevertheless, the five most frequently used account takeover methods are malware replay attacks, social engineering, man-in-the-middle attacks, credential cracking, and credential stuffing, all of which I have explained in the subsections below. For more information on each topic, you can always check out the articles linked in their respective sections from the Heimdal blog. My colleagues already did a great job of explaining them in great detail there, so I’ll just go through the basics.

Malware Replay Attacks

Malware is a hacker-favorite when it comes to account takeover fraud attempts. Once your devices are infected, cybercriminals can either use the worm itself to steal login credentials or go the replay attack route.

During a replay attack, attackers seize HTTP data sent from your network to a financial institution, then manipulate it in their favor and retransmit it. Fortunately, there are a few warning signs that your network has been infected with malware. Some of the most frequent ones are:
  • reduced system performance,
  • suspicious increases in traffic,
  • unfamiliar error messages,
  • strange emails delivered from your account,
  • and unusual ads or pop-ups.

Social Engineering

Another widespread fraud tactic preferred by hackers, social engineering relies on human psychology to deceive users into disclosing personal information. Impersonating contacts, masquerading as trusted institutions, mimicking partner branding, or creating a relationship with ulterior motives are just a few of the popular practices in this category.

Here are a few ways to recognize if your company is being targeted by a social engineering campaign:
  • unsolicited emails or text messages,
  • suspicious payment or information requests,
  • and untrustworthy customer support inquiries towards clients.

Man-in-the-Middle Attacks

Much like social engineering, man-in-the-middle attacks rely on a deception that is usually carried out in two potential scenarios. In one of them, cybercriminals intercept your communications with a legitimate third party, such as a bank or a supplier. You will then be redirected to a hacker-controlled domain and requested to provide login credentials or other PII.

The second possible scenario involves cybercriminals completely hijacking your session and taking actions on your behalf without previously expressed consent. This happens when your network is unsecured, or when JavaScript vulnerabilities are left open to attacks.

Your enterprise might have fallen victim to a man-in-the-middle attack if:
  • customers receive fraudulent communications from you,
  • IP, HTTP, DNS, or TCP anomalies appear in a session,
  • latency anomalies appear in a session,
  • TCP and HTTP signatures in a session do not match,
  • and suspicious parallel sessions are identified.
...
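
Two of the man-in-the-middle warning signs listed above, anomalies appearing inside a session and suspicious parallel sessions, can be checked from authentication logs. The Python below is an added example, not part of the quoted article or the original post; the event fields (`ts`, `account`, `session`, `ip`, `ua`) and the sample rows are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real logs): one row per authenticated request.
EVENTS = [
    {"ts": 100, "account": "alice", "session": "s1", "ip": "198.51.100.7", "ua": "Firefox/126"},
    {"ts": 160, "account": "alice", "session": "s1", "ip": "198.51.100.7", "ua": "Firefox/126"},
    {"ts": 220, "account": "alice", "session": "s1", "ip": "203.0.113.50", "ua": "curl/8.5"},
    {"ts": 300, "account": "bob", "session": "s2", "ip": "192.0.2.10", "ua": "Chrome/125"},
    {"ts": 330, "account": "bob", "session": "s3", "ip": "203.0.113.99", "ua": "Chrome/125"},
    {"ts": 400, "account": "bob", "session": "s2", "ip": "192.0.2.10", "ua": "Chrome/125"},
    {"ts": 900, "account": "carol", "session": "s4", "ip": "192.0.2.44", "ua": "Safari/17"},
    {"ts": 5000, "account": "carol", "session": "s5", "ip": "192.0.2.45", "ua": "Safari/17"},
]

def session_fingerprint_changes(events):
    """Return {session: [reasons]} for sessions whose IP or User-Agent changed mid-session."""
    seen = defaultdict(lambda: {"ip": set(), "ua": set()})
    for e in events:
        seen[e["session"]]["ip"].add(e["ip"])
        seen[e["session"]]["ua"].add(e["ua"])
    findings = {}
    for sid, fp in seen.items():
        reasons = [k for k in ("ip", "ua") if len(fp[k]) > 1]
        if reasons:
            findings[sid] = reasons
    return findings

def parallel_sessions(events):
    """Return sorted (account, a, b) for same-account sessions that overlap in time from different IPs."""
    spans = {}  # session -> [account, first_ts, last_ts, ips]
    for e in events:
        s = spans.setdefault(e["session"], [e["account"], e["ts"], e["ts"], set()])
        s[1], s[2] = min(s[1], e["ts"]), max(s[2], e["ts"])
        s[3].add(e["ip"])
    by_account = defaultdict(list)
    for sid, (acct, start, end, ips) in spans.items():
        by_account[acct].append((sid, start, end, ips))
    hits = []
    for acct, sess in by_account.items():
        sess.sort()  # session ids are unique, so ordering is decided by id alone
        for i, (a, a0, a1, a_ips) in enumerate(sess):
            for b, b0, b1, b_ips in sess[i + 1:]:
                if a0 <= b1 and b0 <= a1 and a_ips != b_ips:
                    hits.append((acct, a, b))
    return sorted(hits)

if __name__ == "__main__":
    print(session_fingerprint_changes(EVENTS), parallel_sessions(EVENTS))
```

Mobile clients and VPN users change IP addresses legitimately, so these hits are signals to combine with other evidence (for example, prompting re-authentication) rather than verdicts.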