Blog, Events & News

BACK TO ALL

Account Takeover in The Wild

By Richard Jones / 08th Jul 2018

At Netacea we've seen a great deal of Account Takeover (ATO) attempts, but it's taken the recent GDPR changes for corporates to wake-up to the implications of the potential data breaches in this new regulatory landscape.

Compounding the new regulatory changes, we are seeing a particular increase in highly distributed 'low and slow' ATO attacks that are deliberately architected to workaround standard WAF rules, country-based blocking, digital fingerprinting/tracking, and standard pass/fail login ratio analysis. The new attacks and the changes in the regulation now present a real challenge to any organisation.

The latest methods are making it increasingly difficult to prevent Account Takeover (ATO) with these standard tools. Worryingly they are largely successful and will result in a potential data breach which may put your company at risk of a GDPR breach. If you have customer data that is not encrypted at rest, these latest attacks are more than likely to result in the possible misuse of customer account data.

The best combination lists of passwords and emails from recent data breaches from sites like Ticketmaster have a very high percentage chance (3-5%+) of success, depending on the target website, and the quality of the hacked list.

Organised criminal gangs will pay handsomely for known password and email combinations that can be linked to large e-commerce websites, which are then exploited in a variety of ways from credit card theft, credit theft, personal data theft, shipping goods to a new address, to voucher fraud. Although the actual monetary value of the goods is often small, the associated management, regulatory and legal, reimbursement, reputational loss, and customer communications are often many times greater for the organisation.

The combination of high success rates with a ready market for these compromised accounts, means the account takeover abusers aren't going to stop anytime soon. Combination lists of compromised passwords and emails can be purchased on the dark web for as little as £200 for 1 million addresses.

At first, the vast majority of ATO attempts we're crude but successful. As corporates tried to develop ATO mitigation methods, the ATO perpetrators came up with increasingly sophisticated techniques for working around the blocking.

The latest attacks we're seeing in the wild have a distinct pattern.

A typical attack profile will first perform a reconnaissance mission on the site, to look for exploits and ensure the website has a suitable payload to cost justify the attacks. Sophisticated ATO takes both time and money. There is no point in attacking the website if it doesn't have a payday.

The initial tell-tale signs are anomalous account creations. Often, a few days or weeks before the attack, the targetted website will be tested out and customer accounts will be created. This action is performed for three reasons:

  1. First is to investigate the data fields in the account profile path, and look for credit card details, vouchers, lack of two-factor authentication, no encryption at rest, shipping address, and other personal data.
  2. Second, is to test the account log-in verification itself. Is the account subject to any analysis beyond checking a valid email? Can the account be created by a bot? Can the Captcha be easily bypassed to allow for scripted account login?
  3. The final element of the account creation is to create a few hundred or thousand accounts depending on the size of the attack, which can be used to disguise the ratio of successful login to failed logins. Once the fake accounts are created, they can be blended into a mix of brute force attacks, to evade any successful ratio analysis which uses the failure rate as an anomaly. This method works well as the fake accounts can be created well in advance of the real attack, and disguises the true nature of the ATO attempts. If you think you may be blocking successful logins it is natural to be cautious with more aggressive blocking or Captcha. This method eliminates one surefire way to spot ATO attempts - large disproportionate increases in login failure rates.

One recent large eCommerce site we mitigated was attacked using a widely distributed botnet across 138 countries, rotating thousands of IP addresses and user agents, and attempted to log in over 500,000 times over days. The IP rotation was very rapid, and country-based blocking would have resulted in blocking billions of potential customers. These ATO attempts were geographically split over the multiple countries, in multiple time zones and continents, and had no discernible geographic pattern.

At Netacea we have built our machine learning engine from the ground up to work on behavioural analysis using machine learning. Our approach to base-line the standard deviation of normal behaviour versus the abnormal methods used in even the most sophisticated ATO attack has proved to have paid dividends.

Learn more about our approach and sign up for a trial, where you can access the Netacea Account Takeover and Bot Management dashboard and test it on your live site.