Account takeover (ATO) attacks have been on the rise throughout 2022, meaning more cybercriminals are gaining access and taking control of legitimate user’s online accounts.

Why? Because ATO attacks get easier to initiate every day, as attackers use bots to bypass your first layer of defense—and sometimes your first few layers.

Once a bad actor has control of an account, they can use it to commit a wide variety of crimes, such as stealing money, distributing malware, or phishing other users. Account takeovers tend to have more than one victim, including both the real user whose account was stolen and the company that owns the compromised platform. The damage caused by ATO attacks has increased exponentially over time, with more stored value in customer accounts, free trial offers, coupon manipulation, etc. than ever before.

Let’s explore some of the most common methods of ATO attack, and what you can do to protect your users and your business. ATO attacks are detrimental to a company’s loyal user base, causing direct harm to users, bad reviews, and negative brand exposure. Let’s explore some of the most common methods of ATO attack, and what you can do to protect your users and your business. 

How do ATO attacks happen?

Cybercriminals have several avenues to take over accounts, but the primary methods are credential stuffing and credential cracking.

Credential Stuffing

Credential stuffing happens when criminals already have a list of credentials from another compromised website, app, or API. They’ll use bots to “stuff” the known username/password combinations into various websites. Because people tend to reuse the same username and password on multiple sites, credential stuffing attacks are usually very successful.

Credential Cracking

Credential cracking happens when criminals have an incomplete list of credentials, such as usernames only, or usernames with old passwords that have since been updated. Attackers use bots to try a list of common passwords one after another until they succeed. Once the attacker has a confirmed password for a username, they can either take over the account themselves or sell the combination online for someone else to abuse.

The Vicious Cycle

Credential stuffing and credential cracking attacks are cyclical—an attack on one site can lead to an ATO on a different site. For example, a successful credential stuffing attack on General Motors happened because credentials were discovered on a different site, and then later tested on General Motors’ website. Hundreds of user accounts were taken over, including the accounts of customers with rewards points that criminals could use immediately. 

What are the impacts of ATO attacks?

ATO attacks, no matter how they occur, impact several areas of your business:

• Theft of Store Value/Account Balance: Malicious actors can steal credits and rewards with monetary value from the account.
• Fraudulent Use of Credit Card Information: If payment details are on file in the account, the cybercriminal can easily make illicit purchases with the compromised account’s card.
• Information Theft: Many online accounts include lots of personal data that can be stolen to resell, or to use in later attacks.

What is fake account creation?

Fake account creation is similar to ATO, but involves creating fake accounts to exploit a website or application. For instance, if a targeted site offers free or reduced costs for new accounts, a bad actor may be able to create new accounts often to take advantage of the special offers in perpetuity.

• Malware Distribution: New accounts can distribute malware (such as ransomware) to compromise and then extort other users.
• Phishing: Users can create legitimate-looking accounts to send phishing emails.
• Spamming: Some fake accounts are created solely to post unwanted or inappropriate content. As soon as one account is banned for spam, bots can open another one to continue.
• Coupon Abuse: Several fake accounts can be created to use promotional “new account” coupon codes over and over.
• Review Abuse: Reviews are important and can significantly influence buying decisions. Several services exist to allow bots to create accounts and post fake reviews to influence real buyers (in either a positive or negative manner).
• Inventory Abuse (aka Denial of Inventory): Bad actors can restrict the availability of certain items by adding huge amounts to their shopping carts—forcing real buyers to find the item at a competing site. Inventory abuse can also refer to buying up all available stock on certain items and reselling them elsewhere for profit.

Conclusion

ATO attacks are becoming more common as bad actors continue to find new ways to access people’s online accounts—in fact, almost a quarter of all adults in the US have been victims of account takeovers. By being aware of the most common methods of ATO attacks and taking steps to protect yourself, you can help decrease your chances of becoming a victim yourself.