Few cybersecurity threats worry today’s CISOs as much as account takeover (ATO) attacks. As many major brands have come to learn the hard way, even the most robust security controls are easily undone by customers recycling their passwords across multiple accounts.
Recent events underscore the critical need to address ATO vulnerabilities. Security researchers uncovered critical security flaws in ChatGPT plugins, exposing sensitive user data and raising concerns about the security of third-party integrations. Meanwhile, a recent surge in user complaints prompted U.S. state attorney generals to demand action from Meta regarding a "dramatic and persistent spike" in ATOs on Facebook and Instagram.
Both of these incidents highlight the potential for ATO attacks to occur on traditional platforms like social media, and also within the expanding ecosystem of productivity tools and AI-powered applications.
Decode the signals of ATO
Account takeover attacks represent the lowest of the low-hanging fruit for threat actors today. With more than 12 billion user credentials being actively marketed on dark web forums along with dozens of open-source tools for cracking accounts, the barriers for entry for aspiring hackers are negligible. That’s one of the reasons why according to a recent study by Javelin and AARP, 22% of U.S. adults were victims of ATO last year, resulting in more than $13 billion in losses.
While stolen credentials are easy to find on the dark web, manually testing them presents a tedious and time-consuming process. That’s where bots come in. Threat actors have weaponized bots to automate large-scale ATO attempts. A new generation of sophisticated bots can mimic human behavior by filling out login forms, solving CAPTCHAs, and even bypassing basic two-factor authentication measures. This automation significantly increases the efficiency of ATO attacks, allowing criminals to test and validate vast numbers of stolen credentials in a fraction of the time it would normally take.
Meanwhile, open-source pentesting tools like OpenBullet, take it a step further. Threat actors leverage these tools by customizing configuration files to target specific websites, enabling the automated input of stolen credentials into login forms at scale.
Security teams find the fragmented nature of warning signals across different departments one of the most challenging aspects of ATO attacks. While the network security team might receive alerts from a bot mitigation engine indicating suspicious activities, the application security group could observe unusual patterns through the web firewall. This division creates a scenario where signals indicative of a potential ATO attack are dispersed across various units within the organization, each observing only a fragment of the broader threat landscape.
Moreover, these signals are not static; they evolve downstream into varied forms such as fraud alerts or specific behavioral patterns associated with the attack tactics. Typically, attackers follow a programmed sequence of actions upon gaining unauthorized access to an account, which might include credential washing and reconnaissance activities to assess the value of the compromised account. These steps are meticulously planned and executed, making the detection based solely on internal signals all the more challenging.
Three early detection tips
Speed is of the essence when it comes to detecting and stopping bad actors from taking over legitimate user accounts. To protect user accounts and the company’s bottom line from ATOs, consider the following strategies:
- Learn the predictive signals: Is the ratio of failed login attempts versus successful ones outside the norm? Has someone recently published a configuration for the OpenBullet tool for the company’s site? These are just a few of the telltale indicators that an application is being targeted for an ATO attack. In addition to internal predictive signals, it’s likewise crucial to incorporate external indicators as well. Regularly monitoring dark web markets might reveal stolen credentials or user information being sold that attackers could use to launch ATO attacks. Additionally, tracking trends in cybercrime forums and social media discussions can highlight emerging attack techniques and tools targeting a specific industry or user base. By combining internal and external threat intelligence, the team can gain a more comprehensive picture of potential ATO threats and take proactive steps to defend users and applications from unauthorized access.
- Integrate signals to accelerate a response: Because the signals of an ATO are very diverse, they often reach different teams – each of which cannot see the big picture. This compartmentalization of signal detection leads to a significant gap in comprehensive threat awareness within the organization. Often, there’s no centralized way to piece together these disparate signals into a coherent picture of an ongoing ATO attack. As a result, organizations find themselves blindsided by such attacks, with the realization only dawning upon receiving complaints from affected customers. It's a common narrative among businesses, where ATO attacks persist undetected for months, underscoring the importance of integrating signals across different organizational silos to foster a more proactive and informed response mechanism.
- Deploy security controls: Just as a car thief is more likely to target a vehicle with fewer safeguards, most cybercriminals will likewise follow the path of least resistance. The more difficult and expensive the team makes it for the attacker, the better the chances of minimizing the damage. Multifactor authentication is the most obvious way to deter ATO attempts. Additionally, implementing rate limiting can further hinder bots by restricting the number of login attempts allowed within a specific timeframe, making it more time-consuming and resource-intensive for attackers to launch large-scale ATO attempts.
While we can offer no real silver bullet for preventing ATO attacks, security teams can certainly reduce the chances by applying some of these ideas and work to beat the bots at their own game.
Nick Rieniets, Field CTO, Kasada
