What is an Account Takeover?
An Account Takeover (ATO) is a type of cyberattack where threat actors take ownership of online accounts using stolen credentials, such as passwords and usernames. Cyberattackers often purchase lists of credentials via the dark web. Credentials found on these lists were often obtained through social engineering tactics, data breaches, and phishing attacks. The threat actors then deploy botnets and machine learning (ML) to automatically test the password and username combinations against retail, travel, finance, ecommerce, and social media sites and attempt to log in. Other automated ATO techniques include:
- Brute Force Attacks. Cyberattackers attempt to “brute-force” their way into an account through trial and error, trying different combinations of usernames and passwords until they find the right combination.
- Credential Stuffing. Cyberattackers who successfully hack into one online account use those same credentials to log in to other accounts on other websites.
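The automated patterns above leave different shapes in authentication logs: repeated guesses against one account versus one attempt each across many accounts. The following Python is an added example, not part of the original page, that labels each source address by that shape; the event tuple format, the thresholds, and the sample data are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, success)
SAMPLE_EVENTS = (
    [(1000 + i, "198.51.100.7", "alice", False) for i in range(8)]
    + [(1008, "198.51.100.7", "alice", True)]
    + [(2000 + i, "203.0.113.9", f"user{i}", False) for i in range(9)]
    + [(2009, "203.0.113.9", "carol", True)]
    + [(3000, "192.0.2.4", "bob", False), (3005, "192.0.2.4", "bob", True)]
)

def classify_sources(events, window=300, min_failures=5, min_users=5):
    """Label each source IP by the shape of its failed logins inside any
    `window`-second span. All thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    report = {}
    for ip, rows in by_ip.items():
        fails = [(ts, user) for ts, user, ok in rows if not ok]
        label, lo = "normal", 0
        for hi in range(len(fails)):
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1  # slide the window start forward
            per_user = Counter(user for _, user in fails[lo:hi + 1])
            if len(per_user) >= min_users:
                # One or two tries each across many accounts: a list being tested
                label = "credential_list_testing"
                break
            if max(per_user.values()) >= min_failures:
                # Many tries against the same account: trial-and-error guessing
                label = "brute_force"
                break
        # Any account that logged in successfully from a flagged source needs review
        review = sorted({u for _, u, ok in rows if ok}) if label != "normal" else []
        report[ip] = {"label": label, "review_accounts": review}
    return report

if __name__ == "__main__":
    for ip, result in classify_sources(SAMPLE_EVENTS).items():
        print(ip, result)
```

Grouping by source IP is a simplification: a botnet spreads attempts over many addresses, so production detection would also group by other signals such as the targeted account or a device fingerprint.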
Cyberattackers also gain access to accounts through the following methods:
- Call Center Scams. Cyberattackers can often piece together enough personal information to gain access to victim accounts via call centers. Once the cyberattacker answers the personal questions allowing them to pass through a call center’s security, they can trick call center representatives into granting them account access.
- Phishing. Phishing attacks can be conducted through email, text messaging, and social media messaging, using deceptive techniques to trick people into giving out their usernames and passwords. They often contain links that lead victims to fake websites or malicious downloads.
- Man in the Middle (MITM) Attacks. A MITM attack involves a cyberattacker intercepting information as it is sent via the internet. These attacks are performed using malware or tools to create fake public Wi-Fi hotspots. When victims log in, the cyberattacker can obtain the credentials that the victims use.
Cyberattackers who take over accounts may use them in the following ways:
- Finance. ATO attacks on bank accounts can drain their funds, send money to other bank accounts, and make cash withdrawals. Cyberattackers can also use the bank account to take out unauthorized loans or open new bank accounts under the account holder’s name. Additionally, they can take over credit card accounts, using them to buy products and gift cards online.
- eCommerce. eCommerce accounts that are taken over can be used to make small purchases with stolen credit card numbers (card testing). Many cyberattackers will drain the funds of gift cards and loyalty points balances or make unauthorized purchases with the payment methods on file.
- Social Media. Cyberattackers primarily use social media accounts for phishing attacks or to send spam. Some take over the accounts to damage the reputation of the account holders by posting offensive remarks or harassing other users on the platform.
- Gaming. ATOs on gaming platforms allow cyberattackers to sell valuable in-game virtual items, access stored credit cards, and launch phishing attacks against other gamers.