In the early days of ATO fraud, hardcore ATO fraudsters and wannabes had to move fast after they downloaded stolen customer account login credentials from a Darknet Market or a pastebin. Why? Because the same stolen credentials are offered to multiple fraudsters and it has been a race to validate the stolen goods and cash in on the stolen info. Of course it’s still the case that time is of the essence with regards to online fraud, but it seems that the trend has been heading in the fraudsters’ favor. Today, fraudsters have a greater selection of stolen credentials at lower prices than ever before.
Today, Account Takeover offers a world of possibilities. There is a reason that ATO is so popular and growing year after year---it’s easy to do, and there are plenty of resources, even tutorials, produced by a supportive community of fraudsters. As Aleksander Kijek puts it, ATO is more of a harvest than an attack.
Today, ATO fraudsters have---to quote Batman’s nemesis---“So much to do, and so little time” because there are so many options. Fraudsters can afford to miss the target and just keep trying.
As an eCommerce owner or officer, why should you care about customer accounts? They’re just a collection of information, right? You should care because customer accounts translate into repeat business, which is golden. Compromised accounts lead to loss of confidence and possibly viral spread of damaging word-of-mouth impressions of your company.
The possibilities of acquiring stolen account credentials are many. Here are some of the most popular methods (fraudsters come up with the best names for their techniques, by the way, a testament to their creativity):
How do fraudsters get credentials to commit ATO?
Data breach — stealing info on a large scale. Fraudsters love to steal accounts en masse and sell the same info to lots of fraudsters and wannabes for incredibly low prices, considering how valuable online customer accounts are to merchants.
Man in the middle attack — stealing information as it is sent online. Man in the middle (MITM) attacks come in two forms: one that involves physical proximity to the intended target, and another that involves malicious software, or malware. Within these categories there is a whole selection of MITM attacks, including DNS spoofing, SSL hijacking, Wi-Fi eavesdropping and stealing browser cookies (which in particular just seems wrong on many levels).
When fraudsters have secured a number of emails, with or without passwords and card numbers attached to them, they have the option to engage in credential stuffing, which is large-scale automated testing of many email and password pairs at once. Credential stuffing attacks are made possible because many users reuse the same password across many sites.
Password spraying is an attack that attempts to test a large number of account usernames with a few commonly used passwords. Stealing a list of usernames within a given system is not difficult, and a large percentage of users create passwords that are easy to guess. Password spraying is sometimes paired with social engineering and manipulation (see this post for examples of social engineering).
Finally, if you’re a lazy fraudster, time-pressed, or a newbie you can just buy lists of stolen account credentials from a pastebin, a Darknet Market or from a third party online store on the Clearweb (our intelligence specialist Michal Barbas devoted an upcoming post to this topic). One Euro or USD will get you someone else’s account, but usually fraudsters purchase whole lists. If you don’t know where to find “merchants” who sell stolen accounts, then you can just do a quick search on Twitter or Discord with some hashtags and connect with them in a few minutes.
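Both credential stuffing and password spraying look the same from the merchant's side: one source tries many distinct accounts in a short window and fails most of the time. The following added example (written for this post, not Nethone's code) runs that defender-side heuristic over a few constructed login records and lists the accounts that did succeed from a flagged source, which are the ones to reset rather than treat as legitimate logins. Log format, thresholds and IP addresses are all assumptions.

```python
"""Flag large-scale login testing (credential stuffing / password spraying) in login records.
Added example, not Nethone's code; record format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: "timestamp source_ip account outcome"
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.5 alice@example.com FAIL
2024-03-01T10:00:02 203.0.113.5 bob@example.com FAIL
2024-03-01T10:00:02 203.0.113.5 carol@example.com OK
2024-03-01T10:00:03 203.0.113.5 dave@example.com FAIL
2024-03-01T10:00:03 203.0.113.5 erin@example.com FAIL
2024-03-01T10:00:04 203.0.113.5 frank@example.com FAIL
2024-03-01T10:01:00 198.51.100.7 grace@example.com FAIL
2024-03-01T10:01:05 198.51.100.7 grace@example.com FAIL
2024-03-01T10:01:09 198.51.100.7 grace@example.com OK
"""

def parse_log(text):
    """Parse one record per line into (epoch seconds, ip, account, success)."""
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts).timestamp(), ip, account, outcome == "OK"))
    return events

def flag_sources(events, window_s=300, min_accounts=5, max_success_rate=0.5):
    """Return {ip: {"accounts": n, "attempts": n, "hits": [accounts]}} for sources that
    tried many *distinct* accounts within one window with a low success rate.
    A real customer mistyping their own password touches one account only, so a
    per-account lockout threshold is not needed here and they are never flagged."""
    buckets = defaultdict(list)  # (ip, window index) -> [(account, success)]
    for ts, ip, account, ok in events:
        buckets[(ip, int(ts // window_s))].append((account, ok))
    flagged = {}
    for (ip, _), attempts in buckets.items():
        accounts = {a for a, _ in attempts}
        hits = [a for a, ok in attempts if ok]
        if len(accounts) >= min_accounts and len(hits) / len(attempts) <= max_success_rate:
            flagged[ip] = {"accounts": len(accounts), "attempts": len(attempts), "hits": hits}
    return flagged

def compromised_accounts(flagged):
    """Accounts that logged in successfully from a flagged source: candidates for
    session revocation and a forced password reset, not a silent 'legitimate' login."""
    return sorted(a for info in flagged.values() for a in info["hits"])

if __name__ == "__main__":
    flagged = flag_sources(parse_log(SAMPLE_LOG))
    print(flagged, compromised_accounts(flagged))
```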
(As a side note, I assume that the fraudsters who prefer the “browser cookies” method are scrambling a bit like many online business sectors with the upcoming elimination of the third-party cookie for Google Chrome browsers. But as you can see, there are many comparable options to choose from.)
After picking up a batch of stolen credentials and/or having sprayed and stuffed their way into accounts, fraudsters have a variety of paths that they can take to reap immediate benefits or to wait for a more profitable time:
- The obvious choice is to immediately purchase items using the stolen account, optionally changing the shipping address.
- A slightly less obvious choice is to change the credit card number to a different one (preferably also stolen) so that the customer won’t notice and the account can be re-used.
- Personal data can be stolen from the account to re-sell or use later (usually without the users knowing they were robbed).
- Taking over user loyalty points and bonuses.
Legitimate accounts provide wonderful cover for fraudsters. Without an additional layer of security, transactions from such accounts usually aren’t flagged by rules-based systems. Usually, customers aren’t even aware that their account has been taken over. Neither are companies!
So much to do, so little time…
How might we help fraud managers recognise ATO before it happens?
We have spoken to a number of fraud managers for eCommerce companies, and they all said the same thing:
We already know what to do when we discover that ATO has happened. We want to know about it before it happens. We need better recognition.
Well, eCommerce fraud managers have options too.
The key is to recognise the user that tries to log in or purchase or change data. Is it the legitimate owner of the account or some criminal mastermind?
Data science, machine learning, and software engineering help a great deal. Nethone ATO Module assesses how users type, how and where they move the cursor, where they hover, which computer they are using, plus thousands of other data points connected to these attributes. ATO Module combines behavioural biometrics (for example, the angle at which the device is held) with the cookie hijacking model (for example, attempts to conceal the browser type) and with a client-specific Machine Learning model trained on the client’s historical data. This is the heart of ATO Module.
With the help of intelligent, customized Machine Learning automation, you and your company will be the ones with more time to do the activities that you want to be doing, as opposed to damage control after ATO heists.