On August 28th, Air Canada disclosed that it had suffered a massive data breach on its website between Aug. 22-24, 2018. The company noted that as many as 20,000 customers could have been affected and that the compromised data included personal information such as passport details. Air Canada was not the first victim of account takeover attacks. According to Javelin Strategy & Research's 2018 Identity Fraud Study, account takeover tripled over 2017, reaching a four-year high. Total ATO losses reached $5.1 billion, a 120 percent increase from 2016.
Account takeover attacks are of two types: (1) Credential Cracking and (2) Credential Stuffing. During a credential cracking attack (OWASP OAT-007), attackers attempt to identify valid credentials by trying different values for usernames and/or passwords. In a credential stuffing attack (OWASP OAT-008), attackers attempt mass logins to verify stolen credentials. The Air Canada data breach, for example, was a credential stuffing attack.
Symptoms of Account Takeover Attacks
- High number of failed login attempts
- Elevated account lock rate
- Increased customer complaints of account hijacking
- Sequential login attempts with different credentials from the same HTTP client
Account takeovers are performed against online businesses to verify the authenticity of stolen credentials and then sell the validated credentials on the dark web. After taking over accounts, fraudsters steal payment card details and PII to later sell or reuse for malicious purposes. Attackers also use hijacked accounts to transfer payments, purchase goods, or spread propaganda.
Recently, we studied a distributed account takeover attack on a popular e-commerce firm. This case gives an insider's view of how account takeover attacks are executed. Let's take a closer look at it:
This was a credential stuffing attack. It was executed using a combination of techniques to bypass security measures while masquerading as genuine users. First, the attackers built a pool of 20,106 IPs distributed across 32 domains, 27 geographical locations, and 126 ISPs. They used unique referrers and user agents from different IP locations, and maintained cookies so that the bots resembled human traffic. The bots also mimicked human-like mouse movements and keystrokes to pass as genuine users. With these methods, the attackers carried out 1033 unique URL hits and performed credential stuffing to take over user accounts.
Online businesses need to adopt a range of measures to avert account takeover attacks. WAFs and other conventional security measures identify and block bots using thresholds set on traffic from identified attack sources, for example, known botnet herders' IPs. Such conventional defenses are incapable of stopping bots that mutate their behavior and rotate through thousands of IPs to commit account takeover attacks. We recommend the following action plan to spot and prevent account takeover attempts:
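As an added example (not code from this post or from the e-commerce firm studied), the following Python scores three of the symptoms listed above over constructed login-log lines, including the low-and-slow spread across many IPs that a per-IP threshold misses in the case just described; the log format, IP addresses and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample log (not real traffic): "<seq> <client_ip> <username> <result>".
# One client cycles through four usernames; six other IPs each make a single attempt.
SAMPLE_LOG = """\
1 203.0.113.10 alice FAIL
2 203.0.113.10 bob FAIL
3 203.0.113.10 carol FAIL
4 203.0.113.10 dave FAIL
5 198.51.100.7 alice OK
6 198.51.100.8 erin FAIL
7 198.51.100.9 frank FAIL
8 198.51.100.10 grace FAIL
9 198.51.100.11 heidi FAIL
10 198.51.100.12 ivan FAIL
11 198.51.100.13 judy OK
"""

def parse_log(text):
    """Parse the assumed log format into one dict per login attempt."""
    rows = []
    for line in text.splitlines():
        seq, ip, user, result = line.split()
        rows.append({"seq": int(seq), "ip": ip, "user": user, "ok": result == "OK"})
    return rows

def failed_login_ratio(rows):
    """Symptom: high number of failed login attempts, measured site-wide."""
    return sum(not r["ok"] for r in rows) / len(rows)

def credential_cycling_clients(rows, min_users=3):
    """Symptom: sequential attempts with different credentials from one HTTP client."""
    users = defaultdict(set)
    for r in rows:
        users[r["ip"]].add(r["user"])
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_users}

def low_volume_failure_share(rows, per_ip_cap=2):
    """Distributed stuffing: many IPs each staying under a per-IP block cap.
    Returns (distinct failing low-volume IPs, their share of all failures)."""
    attempts = Counter(r["ip"] for r in rows)
    fails = [r for r in rows if not r["ok"]]
    low = [r for r in fails if attempts[r["ip"]] <= per_ip_cap]
    return len({r["ip"] for r in low}), (len(low) / len(fails) if fails else 0.0)

def triage(rows):
    """Combine the signals into one report an analyst could alert on."""
    ips, share = low_volume_failure_share(rows)
    return {"failed_ratio": failed_login_ratio(rows),
            "cycling_clients": credential_cycling_clients(rows),
            "low_volume_failing_ips": ips, "low_volume_failure_share": share}

if __name__ == "__main__":
    print(triage(parse_log(SAMPLE_LOG)))
```

In the sample, the single cycling client is caught by a per-client rule, but most failures come from IPs that never exceed the per-IP cap, which is why the site-wide ratio and the low-volume share matter.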