On August 28th, Air Canada disclosed that its website had suffered a massive data breach between August 22 and 24, 2018. The company noted that as many as 20,000 customers could have been affected and that the compromised data included personal information such as passport details. Air Canada was not the first victim of account takeover attacks. According to Javelin Strategy & Research's 2018 Identity Fraud Study, account takeover tripled over 2017, reaching a four-year high. Total ATO losses reached $5.1 billion, a 120 percent increase from 2016.
Account takeover attacks are of two types: (1) credential cracking and (2) credential stuffing. In a credential cracking attack (OWASP OAT-007), attackers attempt to identify valid credentials by trying different values for usernames and/or passwords. In a credential stuffing attack (OWASP OAT-008), attackers attempt mass logins to verify stolen credentials. The Air Canada data breach, for example, was a credential stuffing attack.
Symptoms of Account Takeover Attacks
- High number of failed login attempts
- Elevated account lock rate
- Increased customer complaints of account hijacking
- Sequential login attempts with different credentials from the same HTTP client
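One way to check an authentication log for the symptoms above, as an added example that is not code from the original post: it parses a constructed sample log in an assumed `timestamp client_ip username result` format and flags, per HTTP client, the failed-login count, lockouts, and the number of distinct usernames tried, plus the site-wide failure ratio. The thresholds and the log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the original post).
# Assumed format: "<timestamp> <client_ip> <username> <result>", result is OK, FAIL or LOCKED.
SAMPLE_LOG = """\
2018-08-22T10:00:01 203.0.113.7 alice FAIL
2018-08-22T10:00:02 203.0.113.7 bob FAIL
2018-08-22T10:00:03 203.0.113.7 carol FAIL
2018-08-22T10:00:04 203.0.113.7 dave FAIL
2018-08-22T10:00:05 203.0.113.7 erin OK
2018-08-22T10:00:06 203.0.113.7 frank FAIL
2018-08-22T10:00:07 203.0.113.7 grace LOCKED
2018-08-22T10:00:08 198.51.100.9 alice FAIL
2018-08-22T10:00:09 198.51.100.9 alice OK
2018-08-22T10:00:10 192.0.2.44 bob OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<result>OK|FAIL|LOCKED)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped instead of aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def login_symptoms(events, fail_threshold=5, lock_threshold=1, distinct_user_threshold=3):
    """Flag each client (keyed by IP) that shows one of the listed symptoms.

    Threshold values are assumptions; tune them against your own baseline traffic.
    """
    stats = defaultdict(lambda: {"failed": 0, "locked": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["users"].add(e["user"])
        if e["result"] != "OK":
            s["failed"] += 1          # a lockout response is also a failed attempt
        if e["result"] == "LOCKED":
            s["locked"] += 1
    findings = {}
    for ip, s in stats.items():
        flags = []
        if s["failed"] >= fail_threshold:
            flags.append("high_failed_logins")
        if s["locked"] >= lock_threshold:
            flags.append("account_lockouts")
        if len(s["users"]) >= distinct_user_threshold:
            # one client cycling through many usernames: the "different credentials" symptom
            flags.append("many_usernames_one_client")
        if flags:
            findings[ip] = flags
    return findings


def failure_ratio(events):
    """Share of all attempts that did not succeed; a sudden rise is the site-wide symptom."""
    if not events:
        return 0.0
    return sum(1 for e in events if e["result"] != "OK") / len(events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(login_symptoms(evs))
    print(f"site-wide failure ratio: {failure_ratio(evs):.2f}")
```

Keying on the source IP alone is the simplest form of "same HTTP client"; in production the key should be a client fingerprint (IP plus user agent, session cookie or device identifier), since an attacker who rotates IPs keeps the per-IP counters low.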
Intent Behind Account Takeovers
Account takeovers are performed against online businesses to verify the authenticity of stolen credentials, after which the validated credentials are sold on the dark web. After taking over accounts, fraudsters steal payment card details and PII to later sell or reuse for malicious purposes. Attackers also use hijacked accounts to transfer payments, purchase goods, or spread propaganda.
Analysis of Distributed Account Takeover Attacks
Recently, we studied a distributed account takeover attack on a popular e-commerce firm. This case gives an insider's view of how account takeover attacks are executed. Let's take a closer look:
This was a credential stuffing attack, executed using a combination of techniques to bypass security measures while masquerading as genuine users. First, the attackers assembled a pool of 20,106 IPs distributed across 32 domains, 27 geographical locations, and 126 ISPs. They used unique referrers and user agents from different IP locations and maintained cookies to make the bots resemble human traffic. The bots also mimicked human-like mouse movements and keystrokes to masquerade as genuine users. With these methods, the attackers carried out 1,033 unique URL hits and performed credential stuffing to take over user accounts.
Recommendations: How Enterprises Can Shore Up Their Security Against ATO Attempts
Online businesses need to adopt several measures to avert account takeover attacks. WAFs and other conventional security measures identify and block bots using thresholds on traffic from identified attack sources, for example, known botnet herders' IPs. Such conventional defenses cannot stop bots that mutate their behavior and rotate through thousands of IPs to commit account takeover attacks. We recommend the following action plan to spot and prevent account takeover attempts:
- Constantly monitor traffic sources and restrict login attempts per session/user/IP address/device.
- Develop competencies to detect automated behavioral patterns of users and deploy systems that can detect the intent of automated traffic distributed across multiple sessions and sources.
- Building an accurate bot detection engine is a tightrope act. If you try to eliminate false negatives, you end up with more false positives, and vice versa. Lack of historical labeled data is one of the major obstacles to an accurate detection system. The best approach for an organization that is trying to build an ML-powered automated bot management solution is to create a closed-loop feedback system that dynamically improves the machine-learning models based on signals collected directly from end users' behavior.
- Monitor and restrict social media logins. Ensure that users have unique passwords, and educate users about password reuse to prevent credential stuffing and credential cracking attempts.
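An added example, not code from the original post, of the first recommendation above, restricting login attempts per user, IP and device: a sliding-window throttle that blocks an attempt when any one dimension has spent its failure budget. It goes beyond the list item by also applying a site-wide failure-ratio check, the kind of signal that catches a distributed campaign like the one in the case study, where each IP makes too few attempts to trip a per-IP limit. All budgets, window sizes, decision names and the two simulated scenarios are assumptions.

```python
import time
from collections import defaultdict, deque

# Failure budgets per dimension: (max failed attempts, window in seconds). Assumed values.
LIMITS = {
    "ip": (20, 300),      # one source address
    "user": (5, 900),     # one account, whatever the source
    "device": (10, 600),  # one device / cookie fingerprint
}
# Site-wide check: once GLOBAL_MIN_ATTEMPTS have been seen inside GLOBAL_WINDOW seconds and the
# failed share is GLOBAL_FAIL_RATIO or higher, every login is challenged (e.g. step-up MFA).
GLOBAL_WINDOW = 300
GLOBAL_MIN_ATTEMPTS = 50
GLOBAL_FAIL_RATIO = 0.5


class LoginThrottle:
    def __init__(self, limits=LIMITS, clock=time.time):
        self.limits = limits
        self.clock = clock                    # injectable so scenarios can use a fake clock
        self.failures = defaultdict(deque)    # (dimension, key) -> timestamps of failed attempts
        self.attempts = deque()               # (timestamp, failed) for every attempt, site-wide

    @staticmethod
    def _prune(dq, window, now, ts_of=lambda x: x):
        """Drop entries older than the window from the left of a time-ordered deque."""
        while dq and ts_of(dq[0]) < now - window:
            dq.popleft()

    def decision(self, ip, user, device):
        """Decide before verifying the password: 'allow', 'challenge' or 'block'."""
        now = self.clock()
        for dim, key in (("ip", ip), ("user", user), ("device", device)):
            max_fail, window = self.limits[dim]
            dq = self.failures[(dim, key)]
            self._prune(dq, window, now)
            if len(dq) >= max_fail:
                return "block"
        self._prune(self.attempts, GLOBAL_WINDOW, now, ts_of=lambda a: a[0])
        n = len(self.attempts)
        if n >= GLOBAL_MIN_ATTEMPTS:
            failed = sum(1 for _, f in self.attempts if f)
            if failed / n >= GLOBAL_FAIL_RATIO:
                return "challenge"
        return "allow"

    def record(self, ip, user, device, success):
        """Record the outcome of an attempt that was allowed through."""
        now = self.clock()
        self.attempts.append((now, not success))
        if not success:
            for dim, key in (("ip", ip), ("user", user), ("device", device)):
                self.failures[(dim, key)].append(now)


def simulate():
    """Two constructed scenarios driven by a fake clock; returns the throttle's decisions."""
    clock = [1_000_000.0]

    def tick():
        return clock[0]

    # Scenario 1, credential cracking: one client guesses passwords for one account.
    t = LoginThrottle(clock=tick)
    for _ in range(5):
        t.record("203.0.113.7", "alice", "dev-1", success=False)
        clock[0] += 1
    cracking = t.decision("203.0.113.7", "alice", "dev-1")        # account budget spent
    other_source = t.decision("198.51.100.9", "alice", "dev-2")   # same account, new IP: still blocked
    other_account = t.decision("203.0.113.7", "bob", "dev-1")     # same IP, other account: under budget
    # Scenario 2, credential stuffing: 60 distinct IPs and devices each try one stolen pair.
    t2 = LoginThrottle(clock=tick)
    for i in range(60):
        t2.record(f"192.0.2.{i}", f"user{i}", f"dev-{i}", success=False)
        clock[0] += 1
    stuffing = t2.decision("192.0.2.200", "user200", "dev-200")   # no key over budget, ratio trips
    return {"cracking": cracking, "other_source": other_source,
            "other_account": other_account, "stuffing": stuffing}


if __name__ == "__main__":
    print(simulate())
```

The per-account budget is what stops cracking regardless of how many addresses the attacker uses, while the site-wide ratio is the only one of these signals that reacts to stuffing spread thinly over a large IP pool; a challenge rather than a block keeps the cost of a false positive at one extra step for a legitimate user.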