Account Takeover, or ATO, refers to any type of cyberattack whose objective is gaining access to and control over an account: an email account, an administrator account on a server, a social media account, and so on. Cybercriminals do this by stealing credentials, that is, pairs of usernames and passwords, and using them to take ownership of the user's account.
Lately, credential stuffing attacks, a type of ATO attack where attackers try stolen credentials against other accounts, are on the rise. Attackers take advantage of the fact that many people reuse the same password across all their accounts, which increases the success rate of this type of attack.
ATO attacks can be performed manually by hackers, but more and more cybercriminals are now using the help of programmable bots to automate the attacks, allowing them to perform hundreds and even thousands of ATO attacks every minute. This is why defending against ATO attacks is now increasingly challenging.
There are two main ‘methods’ of performing account takeover (ATO) attacks:
- Brute Force
Brute force attacks, also known as 'credential cracking' (OWASP OAT-007), are a way to obtain credentials essentially by trying all possibilities. For example, if the secret is a four-digit PIN, a brute force attack will start 'guessing' from 0000, 0001 and continue all the way to 9999. There are various techniques hackers can use to perform brute force attacks; for instance, the 'dictionary' attack uses a list of common passwords and tries them one by one to narrow down the possibilities.
Hackers typically use bots to perform rapid brute force attacks, often trying hundreds of password possibilities per minute. Common signs of a brute force attack include a sudden spike in failed login attempts and an increase in bounce rate, among others.
- Credential Stuffing
Designated OWASP OAT-008, credential stuffing is a type of ATO attack where the attacker attempts a known/stolen credential on another account. For example, if someone’s Gmail account is compromised, the attacker will attempt the same credential on Facebook and Instagram.
Credential stuffing exploits the very common bad habit of using the same username and password pair on multiple websites. The attacker uses bots to test lists of stolen credentials, purchased from the dark web or obtained from other sources, against various websites, often on hundreds of websites simultaneously.
Unlike a brute force attack, credential stuffing doesn't involve 'guessing', but the symptom of failed login attempts remains the same. Another very obvious sign is when the same user ID/HTTP client attempts different credentials in consecutive login attempts.
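The two signals described above (a spike in failed logins, and one client cycling through many different usernames) can be told apart from each other and from an ordinary mistyped password with a simple per-client analysis. The example below is added here and is not DataDome's code; the log format, thresholds and IP addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of login events: (seconds, client_ip, username, outcome).
# Not real traffic; built to show the two patterns described in the text.
SAMPLE_LOG = [
    # brute force: one client hammering a single account
    *[(t, "203.0.113.5", "alice", "fail") for t in range(0, 12)],
    # credential stuffing: one client, a different username on every attempt
    *[(20 + t, "198.51.100.9", f"user{t:02d}", "fail") for t in range(0, 10)],
    (31, "198.51.100.9", "user10", "success"),
    # ordinary user who mistyped twice and then logged in
    (40, "192.0.2.44", "bob", "fail"),
    (45, "192.0.2.44", "bob", "fail"),
    (50, "192.0.2.44", "bob", "success"),
]

def failures_in_window(events, window):
    """Largest number of failures by one client within any `window` seconds."""
    times = sorted(ts for ts, _ in events)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify_clients(log, window=60, min_failures=5, distinct_ratio=0.8):
    """Return {client_ip: label} for clients exceeding the failure threshold.

    'brute_force'        : many failures, mostly against the same username(s)
    'credential_stuffing': many failures, nearly every one a different username
    """
    failed = defaultdict(list)
    for ts, ip, user, outcome in log:
        if outcome == "fail":
            failed[ip].append((ts, user))
    verdicts = {}
    for ip, events in failed.items():
        if failures_in_window(events, window) < min_failures:
            continue  # a couple of typos from a human is not an attack signal
        distinct = len({user for _, user in events}) / len(events)
        verdicts[ip] = ("credential_stuffing" if distinct >= distinct_ratio
                        else "brute_force")
    return verdicts

if __name__ == "__main__":
    for ip, label in classify_clients(SAMPLE_LOG).items():
        print(f"{ip}: {label}")
```

Thresholds this low are only sensible on a short constructed sample; on real traffic they are tuned per site, and distributed attacks that rotate IP addresses need the grouping done per target account as well as per client.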
However, besides the two major ATO types above, there are various other techniques hackers can use to gain entry into valuable accounts:
- Social Engineering: ATO attackers may spend time researching and monitoring social media, forums, public databases, and other resources to look for sensitive information they can use, such as full name, location, phone number, names of family members, birth date, etc., that might help them guess your credentials.
- Phishing: a subtype of social engineering, in which the attacker makes direct contact with the target (e.g. via email) and attempts to trick the user into revealing their personal information. For example, the attacker might send a (seemingly valid) email impersonating your company's HR director and asking for the target's credentials. Phishing (and spear phishing) relies on human error rather than network/system vulnerabilities, so dealing with this type of attack requires different approaches.
Now that we’ve properly understood the principles behind account takeover (ATO) and credential stuffing attacks and the different potential methods, we can discuss the effective prevention techniques we can use to defend against them:
Since most account takeover attacks these days are performed by bots and not human hackers, we can effectively prevent the occurrence of ATO attacks by detecting and managing activities from malicious bots.
The thing is, there are two main challenges in managing bot traffic:
- Besides the bad bots operated by hackers and cybercriminals, there are good bots that can be beneficial for your network. We wouldn’t want to block, for example, Googlebot which will effectively prevent our site from being indexed by Google. So, the bot management solution must be able to properly differentiate traffic from good bots and bad bots.
- Malicious bots are getting better at impersonating humanlike behaviors like randomized typing patterns, non-linear mouse movements, and others. Differentiating malicious bots from valuable, legitimate human traffic can be a major challenge.
To tackle these issues, a capable bot management solution is required. Since many malicious bots now use AI techniques to imitate humanlike patterns and rotate between hundreds of user agents/IP addresses, we also need an AI-powered account takeover protection solution like DataDome that uses behavioral analysis to detect and manage malicious bots in real time and on autopilot.
This way, whenever a malicious bot attempts brute force or credential stuffing attacks on your site, DataDome can effectively block its activities without needing you to do anything. It will only notify you that an attack attempt has successfully been nullified.
As discussed, hackers aren’t only targeting technical vulnerabilities in attempting ATOs, but can also target the human aspect of your system via social engineering and phishing attacks.
Thus, one of the best approaches to preventing account takeover fraud is to stop your team members from using weak and/or non-unique passwords. Educate users on the importance of strong passwords (and on what makes a credential 'strong'), and on never reusing the same password/username pair across different websites/accounts.
As a general rule of thumb, your password should be at least 10 characters long and use a combination of uppercase letters, lowercase letters, symbols, numbers, and spaces where possible. The thing is, the longer and more random a password is, the harder it is to remember.
We can tackle this issue by using various password manager solutions that can generate totally random passwords and automatically store them safely.
The idea behind multi-factor authentication (MFA) or two-factor authentication (2FA) is to ask for an additional credential besides the password before the user can access their account. This second factor can be:
- Something you are: your face ID, retinal/iris scan, fingerprint, etc.
- Something you have: USB key/dongle, a device to pair with, etc.
- Something you know: additional PIN, second password, etc.
When you implement multi-factor authentication, the hacker can’t gain access to your account even when they’ve successfully guessed your password.
Although WAFs aren’t specifically implemented to prevent ATO attacks, they can be configured to identify and block activities related to account takeover attempts. For example, WAFs can be configured to identify brute force attacks and help mitigate malicious bot activities.
Properly identifying account takeover (ATO) attempts and effectively preventing them is now very important for any business with credential-protected accounts. When an account is compromised, it can lead to long-term, if not permanent, damage to your reputation.
While there are various techniques and methods that might be utilized by the attackers in performing ATOs, most of them involve the use of malicious bots. So, using DataDome to effectively detect and manage these bot activities can be the most effective solution in preventing account takeover and credential stuffing attacks.