ATO Attacks from a Threat Intel Perspective
In today’s cybersecurity environment, the battle against account takeover (ATO) attacks is one of speed, scale, and sophistication. Credential stuffing, infostealers, and other malicious tools have made breaching systems easier than ever for attackers. Consequently, defenders are dealing with an overwhelming influx of data to analyze and act on.
To dig deeper into these challenges, we spoke with our Director of Threat Intelligence, Dylan Hudson.
Q&A on Account Takeover (ATO) Attacks and Credential Security
Q: What’s the anatomy of a typical ATO attack?
A: Basically, ATO involves using someone else’s valid credentials to login without their permission. These credentials can be compromised through various methods, including data breaches, phishing campaigns, and automated attacks that test stolen username/password combinations across different services– this is known as credential stuffing. Typically, attackers take massive lists of compromised credentials and try them across various platforms, often programmatically and/or with botnets. They don’t know which credentials will work necessarily, but they only need one hit to gain access and validate the credential or commit further system intrusion.
There is actually a whole business in the stolen credential ecosystem where threat actors known as ‘access brokers’ validate these credentials first with automated login scripts, then package and resell them in lists compiled by target, like streaming entertainment platforms or enterprise RDP tools for example.
Q: Why is credential security so complex today?
A: It’s all about scale. As in many industries these days, the challenge is not getting data itself, it’s how to parse, process, and then make useful decisions with it. We’re not dealing with a few compromised accounts here and there; we’re dealing with a tidal wave of stolen credentials being traded, sold, and exploited 24/7, coming in a wide variety of formats across many platforms. This is a ‘Big Data’ problem in the analytics and infrastructure sense. And to stay ahead, you need systems that can process, prioritize, and deliver this data in real-time. Without that, you’re always a step behind the attackers. No security practitioner wants more alerts, false alarms, or noise in their workflow, so the real technical challenge is providing extremely high-quality data quickly.
Q: Infostealers seem to be getting a lot of attention. What makes them so dangerous?
A: Infostealers are one of the most insidious tools in the attacker’s toolkit. They don’t just grab credentials; they grab them straight from a browser’s password manager, in plaintext, along with the URL where they’re used. That means an attacker doesn’t even need to know much—they just plug the data in and go. This is the difference between a criminal finding, say, a house key on the sidewalk and trying it on every residence in the area one-by-one, and finding that same key with the address attached to the keyring. It’s a complete game-changer.
What’s worse is that infostealers are part of the really successful malware-as-a-service ecosystem. This makes the malware accessible to a huge range of threat actors with a wide variety of technical abilities, so the actual dissemination of the malware becomes a highly varied and distributed effort that doesn’t take any single form. The developers of infostealers also included features that can disable certain anti-malware protections like Windows Defender, and constantly release new versions that may not be caught by even the latest antivirus definitions
Q: What’s the key to fighting credential-based threats?
A: Intelligent speed and scale: processing huge amounts of data in a way that separates signal from noise, and maximizes actionable value. At Enzoic, we’ve built a system that operates around the clock—24/7/365—to collect, process, and alert on compromised credentials as they’re discovered. We’ve spent years analyzing credential data and related threat landscapes so we can separate and prioritize the information that security practitioners need– no one wants a bunch of false alarms or to waste bandwidth on duplicate data while missing the actual urgent threats.
We’re processing hundreds of credentials every second and updating billions of records every year. This isn’t about reacting to or detecting threats after the fact; it’s about arming organizations with the intelligence they need to act before attackers can exploit these credentials. Proactive defense is the name of the game here.
Q: Can you walk us through a real-world example of how infostealers are used?
A: Let’s look at the Snowflake breaches from earlier this year. Reports indicated that some credentials sourced from infostealers were used to access customer accounts. The attackers didn’t just have usernames and passwords—they had direct links to the endpoints they wanted to target with those credentials. This makes the entire attack process incredibly fast and efficient for the bad actors. It’s a textbook example of why we need to stay ahead of these evolving threats.
Q: What trends are shaping this threat landscape?
A: In 2023, infostealer activity jumped by 266% and attacks using valid credentials increased by 71% year-over-year according to the IBM X-Force report. We’re still analyzing the data from 2024, but so far these numbers tell a pretty clear story: the infostealer surge marks a shift in the compromised credential landscape: attackers are evolving fast, and the credential security gap is widening.
While this Q&A covers the highlights, the full conversation during our recent webinar goes even deeper. In it, we explore actionable strategies for combating ATO attacks, managing the overwhelming influx of compromised credential data, and staying ahead of attackers.
Watch the full webinar recording here to gain the insights and tools you need to fortify your defenses.
*** This is a Security Bloggers Network syndicated blog from Blog | Enzoic authored by Enzoic. Read the original post at: https://www.enzoic.com/blog/ato-attacks-from-a-threat-intel-perspective/
