
Credential Stuffing and Account Takeover Attacks Continue to Rise

As originally published in Card Not Present

Credential Stuffing and ATO

Cyber attackers have found credential stuffing attacks and account takeovers (ATOs) to be a highly effective, highly scalable way to commit fraud against organizations in the financial services industry, as well as against other types of digital merchants.

That’s according to a new study published by Aberdeen Strategy & Research for PerimeterX titled Quantifying the Impact of Credential Stuffing and Account Takeovers in Financial Services, which quantifies the risk of automated fraud for these organizations.

In an ATO attack, cybercriminals take unauthorized ownership of online accounts using stolen usernames and passwords. This is relatively simple, because users don’t change passwords often and they reuse login credentials across multiple sites. Attackers typically buy a list of credentials on the dark web (often obtained from previous data breaches, social engineering and phishing attacks) and launch an army of bots across financial institution and retailer websites to test username and password combinations on login screens. Attackers can break in through login pages on websites and mobile sites, and through native mobile app APIs. In the end, they get a list of validated credentials they can profit from, either by abusing the accounts or by selling the validated credentials to others. These attacks result in account fraud and a form of identity theft.

Credential stuffing is the automated injection of stolen username/password pairs into website login forms in order to fraudulently gain access to user accounts. Again, because users reuse usernames and passwords, once credentials are exposed (by a database breach or phishing attack, for example), submitting those sets of stolen credentials to dozens or hundreds of other sites can allow an attacker to compromise the accounts there too.
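As an added example (not from the original article or from PerimeterX), here is one way a defender could spot the pattern described above in login logs: a single source trying many distinct usernames, mostly failing. The log format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed login events: 'ISO-timestamp source-IP username result'."""
    base = datetime(2022, 3, 1, 10, 0, 0)
    lines = []
    # One source cycling through 12 different accounts, 5 s apart; one pair works.
    for i in range(12):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.9 user{i:02d} {'OK' if i == 7 else 'FAIL'}")
    # A legitimate user mistyping a password twice, then logging in.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.4 alice {result}")
    return lines

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=10,
                    min_fail_ratio=0.8):
    """Return {source: accounts that logged in OK} for stuffing-like sources.

    Thresholds are illustrative assumptions, not values from the article.
    """
    events = defaultdict(list)
    for line in lines:
        ts, src, user, result = line.split()
        events[src].append((datetime.fromisoformat(ts), user, result == "OK"))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            # Many distinct accounts, few attempts each, mostly failures:
            # this separates stuffing from a user retrying their own password.
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Successes from this source are validated credentials: reset them.
                flagged[src] = sorted({u for _, u, ok in evs if ok})
                break
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(build_sample()))
```

Grouping by source IP alone is a simplification: bots spread across many addresses require grouping on additional signals.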

From the perspective of financially motivated attackers, there are three obvious reasons why credential stuffing and ATO attacks against organizations in the (Read more...)

*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2022/credential-stuffing-and-account-takeover-attacks-continue-to-rise/