

Understanding The Account Takeover Attack Process

By Chris Collier / 22nd Nov 2018

In the first part of our blog series on Account Takeover Data Breaches, we discussed how data breaches have become common front-page news and how they provide vast amounts of data that can be used to perform account takeover attacks against any given website login page.

Part two now investigates how habitual human behaviour plays into the attackers’ hands when attempting an attack.

Habitual Human Behaviour

There have been multitudes of research papers on the causes of data breaches, but when you look specifically at the use of compromised credentials in a breach, some research estimates that hacked passwords cause 81% of data breaches. That’s an alarmingly high statistic, and when you look into it a bit further, one obvious issue becomes very apparent: habitual human behaviour creates a very weak link. But what is it that we do that makes it so easy for an attacker to attempt to compromise an account?


Despite education on safer password hygiene, users continue to create weak passwords and re-use them across multiple accounts, regardless of whether they are for personal or business use. Even with all the time and effort put into educating people that “password” or “12345” or even “password12345” is a bad idea, year after year this issue is not being resolved. Don’t just take my word for it; take a look at the top 100 worst passwords of 2017. Plus, numerous research papers, articles etc. have been published about the issues of passwords and their re-use.

One such article, published by researchers from the Department of Computer Science at Virginia Tech University, found that “password reuse and modification is a very common behavior (observed on 52% of the users).” The researchers based their analysis on 28.8m users and their 61.5m passwords in 107 services over a period of 8 years. The shocking result: 52% of the users reused credentials, potentially over 107 services.

Now that we’ve discussed habitual human behaviour with passwords, let’s discuss how this provides many advantages to the attacker.

Account Takeover Attack Process

When attempting any form of cyber-attack, there is commonly a 5-stage process that any experienced attacker will take to ensure the success of the campaign:

1. Reconnaissance

2. Vulnerability Scanning

3. Exploiting Found Vulnerabilities

4. Payload Delivery

5. Exfiltration

Each stage has its own level of importance to the attacker. They can’t really move on until the previous stage has been completed, and the further you move down the attack chain, the higher the risks become, for both the attacker and the victim. This isn’t to say that all attackers follow this process; in truth, an attack and its process depend on the objective, the attacker and their skill level and hands-on experience.

However, if you think about the password re-use behaviour we discussed earlier in this blog and the mass amount of breached data available, stages 1-2 in the attack process can be completed relatively quickly and easily.

For example:

The Stages of Account Takeover

Stage 1 - Reconnaissance is where the attacker decides who to target. They may decide based on the credential pairs for sale on the dark web or the World Wide Web. (It’s alarming how quickly you can get hold of credential pairs just by running some quick searches, although obviously their reliability is questionable.) An attacker can easily obtain over 1 million breached credential pairs, complete with the email address and username, as well as instructions on how to use them, from wherever they were procured. Stage 1 completed.

Stage 2 - Prior to launching a full attack, the attacker will test the credentials against a wealth of other websites to validate that they work. If you then think about the habitual human behaviour I mentioned in this blog, of these 1 million credentials, according to the results of the Virginia Tech University research mentioned above, 520,000 of those breached records are using the same username and password on multiple sites.

An attacker will typically have a 1% success rate when testing compromised credentials on site 1; that’s potentially 10K accounts that could work on that site. As already highlighted, there is a potential 52% chance that the users of these 10K accounts are using the exact same credential pair over multiple sites. Essentially, the attacker could manage to find 10K accounts for one site that will work on other sites. That’s enough motivation to move on to stage 3. Stage 2 completed.
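Seen from the login page's side, the stage 2 testing described above has a recognisable shape: one source trying many different usernames with a success rate of around 1%. The following Python sketch is an added example, not part of the original post or of any Netacea product; the event format, thresholds and function names are assumptions, and the log data is constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success).
# 203.0.113.7 tries 200 different usernames and 2 succeed (1%), the pattern
# described above; 198.51.100.20 is a user who mistypes a password once.
EVENTS = [("203.0.113.7", f"user{i}@example.com", i in (57, 143)) for i in range(200)]
EVENTS += [
    ("198.51.100.20", "alice@example.com", False),
    ("198.51.100.20", "alice@example.com", True),
    ("198.51.100.21", "bob@example.com", True),
]

def summarise(events):
    """Per source: attempts, distinct usernames tried, successful logins."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": []})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].append(user)
    return stats

def flag_credential_testing(events, min_users=20, max_success_rate=0.05):
    """Flag sources that try many distinct usernames with a low success rate.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    flagged = {}
    for ip, s in summarise(events).items():
        rate = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "success_rate": rate,
                # The few successes are validated accounts: treat as compromised.
                "accounts_to_reset": sorted(s["hits"]),
            }
    return flagged

if __name__ == "__main__":
    for ip, report in flag_credential_testing(EVENTS).items():
        print(ip, report)
```

Grouping by source IP is a simplification; the same logic applies to any other grouping key your login logs record.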

You can now understand why mass data breaches and habitual human behaviour both contribute to the rise in account takeover attacks and also make it easier for the attacker to execute them.

Stages 3, 4 and 5, however, are more complicated. How can an attacker use this mass amount of credentials and avoid detection? How do they manage to target so many websites? We discuss this, and how Netacea’s account takeover prevention solution can considerably reduce the time needed to detect and respond to the account takeover threat, in the next and final part of our blog series.

Learn more about our adaptive machine-learning approach and sign up for an Account Takeover Trial, where you can access the Netacea Bot Management dashboard and test it on your live site.
