Common signs of account takeover campaigns

November 11, 2020

With more business-to-consumer, business-to-business, and even consumer-to-consumer transactions done over the internet, online accounts have become all the more tantalizing to cybercriminals. In an account takeover (ATO), a hacker assumes unauthorized control over someone else’s account to commit fraudulent transactions (e.g., eCommerce purchases and bank account withdrawals), data theft, and corporate sabotage.

There are five common ways online crooks try to hijack accounts. Protect your business by familiarizing yourself with the telltale signs of these account takeover methods.

Method 1: Credential stuffing
Wave after wave of data breaches gave rise to a compendium of access credentials for fraudsters to exploit. Since users tend to reuse usernames and passwords for convenience, stolen credentials for one account may lead to access to other accounts as well. This is one of the top things that hackers hope for when launching a credential stuffing campaign.

Instead of manually entering access credentials one account at a time, hackers build bots that automatically do this for them across thousands of accounts in a network or platform. And since security systems can now identify when login attempts spike from a single source, cybercriminals employ multiple proxies, compromised devices, and unsecure servers to make it seem that the login attempts are coming from different places. This makes credential stuffing more difficult to recognize using traditional security methods and that much harder to trace.

Credential stuffing red flags:

Login attempts spike up frequently and abnormally
Logins using invalid usernames and/or passwords increase
Unusual network traffic spikes
Login page bounce rates shoot up

Method 2: Credential cracking
This is similar to credential stuffing, except that only one personal or business account is targeted. A hacker will launch a brute force attack to guess or “crack” the password for that account.

Credential cracking red flags:

Unusually high count of failed login attempts
Similar variations of usernames and passwords are used in succession
Instances of an account being locked shoot up
Users complaining that their accounts have been hijacked

Method 3: Malware or replay attacks
Here, a hacker will infect a user’s machine with malware. One type of malware will capture access credentials and transmit it to the fraudster, while another type will launch a replay attack. In this attack, the malware will copy the HTTP data of a valid (and signed-in) user session, then retransmit an altered version of the data to allow the hacker to have their own session posing as that user. For example, a quick bank account balance check online can enable a fraudster to open the webpage to make a wire transfer.

Malware/Replay attack red flags:

Logins from considerably distant geolocations in a short span of time
Complaints about unauthorized transactions and fund transfers
User sessions with atypical latency
User session events don’t have unique page request IDs (i.e., the IDs were from previous sessions)

Man-in-the-middle (MITM) attacks
In this attack, the hacker comes between a user and the entity that user is contacting. The fraudster diverts the user to a page that the former controls, which is usually a spoofed login page. Once the victim provides their account credentials, the hacker will access that account and do what they please with it. Oftentimes, they’ll lock out legitimate users out of their own accounts.

Red flags that a place is primed for MITM attacks:

Public or open Wi-Fi networks
Wi-Fi networks with names that don’t look right
Multiple Wi-Fi networks in the same location share similar names (one may be a hacker’s)

Red flags that your connection is already compromised by an MITM attack:

Things you usually don’t encounter suddenly appear:
- Fake software update pop-ups
- Dialog boxes asking for your access credentials
- Certificate error messages
Something off or suspicious about the login page you arrived at

Social engineering
Fraudsters will pretend to be a legitimate entity the victim has current dealings with, such as a bank or a corporate partner. They’ll send an email that urgently tells the victim to perform an action, such as review an unauthorized payment or pay a missed invoice. And just like in the MITM-based account takeover, the victim will be led to a spoofed login page where they’ll unwittingly hand over their credentials to hackers.

Social engineering red flags:

Text messages and emails that ask recipients for immediate assistance or donations
Emails that ask recipients to verify something about their account
Emails that appear to be answering a question you never even asked
Text messages asking for users to reply with one-time passcodes they have received

Phishing and social engineering emails are two of the most common ways fraudsters initiate ATOs. To keep your business accounts safe from email-based threats, rely on [company_short]. Get to experience our cutting-edge email security service for yourself by signing up for our FREE demo.

Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.

Get a Demo of Graphus