Free Account Abuse Attacks – A Growing Problem for the New Online Economy
For many SaaS companies, free trials and free-tier accounts are how they attract the majority of their users. While this reduces friction for consumers, it also exposes the business from a security perspective. Account takeover (ATO) attacks are a growing problem in the online economy, as any business that has suffered the financial and reputational damage of a breach can attest.
Much of this isn't new. Criminals have used malware to steal account credentials for years. However, as customers become comfortable sharing more and more information online, the breadth and sophistication of these attacks keep growing.
What Are ATO Attacks?
Account takeover is a form of identity theft in which an attacker gains control of a victim's account and the data behind it: phone number, Social Security number, identity documents, personal financial details, and so on. These attacks are mostly financially motivated: the stolen details can be used to take out loans or make purchases, or sold on to other criminals on the black market.
Common ATO Techniques
Phishing
Phishing attacks happen when a criminal uses a fake login page or email to trick the consumer into handing over credentials or personal information.
Spear Phishing
Similar to phishing, but these attacks are tailored to a specific individual rather than sent in bulk.
Social Engineering
An attacker uses social media or other public information to learn the names of the victim's friends, family, or pets, and uses that information to guess the password or the answers to security questions.
Credential Stuffing
The attacker takes credentials stolen from one website in a previous hack or data leak and replays them against other sites, relying on users reusing the same password.
Brute Force
Using bots, attackers perform brute force attacks that guess passwords at high volume until an account is taken over.
How ATO Attacks Work
First, the attacker obtains usernames, email addresses, or passwords through phishing, malware, or password dumps from earlier breaches of any number of online sites.
Once the attacker has this information, they can attempt different types of fraud. In the case of an ATO of an e-commerce account, for example, the criminal could change the password to lock the real owner out, change the shipping address, and order goods with the stored payment method.
Of course, ATO attacks are not limited to e-commerce shops. Any website that holds customer data is useful to these criminals and is therefore a target, including online banking.
Common ATO Targets
Typically, ATO attacks are motivated by financial gain on the part of the attackers. The four most common areas they target are:
E-commerce Stores
E-commerce stores hold lots of information that is useful to attackers. Bank details, home address, date of birth, and other personal information are all available, making them a particularly valuable target.
In addition to harvesting this personal information, the bulk of retail ATO attacks involve the attacker making unauthorized purchases.
Gift Card Accounts
Gift card accounts are a favorite target for attackers because they can quickly charge the account holder's stored card and spend the resulting gift cards on goods or services, which are hard to trace.
Streaming Accounts
Streaming accounts such as Netflix have become a target, usually with the aim of reselling the login or using it directly.
Loyalty and Reward Programs
While criminals usually prefer cash, other stores of value have become popular targets in recent years. Airline miles and hotel points, alongside discounts, vouchers, and tokens, are some of the more common examples.
The Scale of ATO Attacks
Guessing passwords is hard, so how do ATO attacks succeed? The answer is scale. The probability of guessing any single password is low, so attackers use large botnets to replay leaked or common passwords against many user accounts at once, spreading the attempts across thousands of IP addresses and user agents. They employ a complex and sophisticated range of methods, all intended to slip past rate limits and the security controls already in place.
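The scale argument above is also what makes these attacks detectable: a single failed login looks normal, but many distinct usernames from one IP, or one account hit from many IPs, does not. The following is an added example (not code from the original article or from any vendor named on the page) that runs two such heuristics over a constructed login log. The log format, the IP addresses (all from documentation ranges), and the thresholds are assumptions chosen for the illustration; the first heuristic catches credential stuffing and brute force from a single source, the second catches the distributed variant where a botnet spreads attempts so that no one source trips a per-IP limit.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log for this example (not real data).
# One line per attempt: ISO-8601 time, source IP, username, result (OK or FAIL).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.5 alice FAIL
2024-03-01T10:00:02Z 203.0.113.5 bob FAIL
2024-03-01T10:00:02Z 203.0.113.5 carol FAIL
2024-03-01T10:00:03Z 203.0.113.5 dave FAIL
2024-03-01T10:00:03Z 203.0.113.5 erin FAIL
2024-03-01T10:00:04Z 203.0.113.5 frank OK
2024-03-01T10:00:04Z 203.0.113.5 grace FAIL
2024-03-01T10:00:05Z 203.0.113.5 heidi FAIL
2024-03-01T10:01:10Z 198.51.100.7 alice FAIL
2024-03-01T10:01:25Z 198.51.100.7 alice OK
2024-03-01T10:02:00Z 198.51.100.9 carol OK
2024-03-01T10:05:00Z 192.0.2.11 dave FAIL
2024-03-01T10:05:03Z 192.0.2.12 dave FAIL
2024-03-01T10:05:07Z 192.0.2.13 dave FAIL
2024-03-01T10:05:09Z 192.0.2.14 dave FAIL
2024-03-01T10:05:12Z 192.0.2.14 dave OK
"""


def parse_log(text):
    """Parse the assumed space-separated format into sorted (time, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    events.sort()
    return events


def _windows(sorted_events, window):
    """Yield, for each event, the slice of events ending at it and spanning at most `window`."""
    start = 0
    for end in range(len(sorted_events)):
        while sorted_events[end][0] - sorted_events[start][0] > window:
            start += 1
        yield sorted_events[start:end + 1]


def flag_sources(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.3):
    """Single-source credential stuffing / brute force: many distinct usernames tried from one IP
    in a short window, mostly failing. Returns {ip: stats} for the widest offending window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        for chunk in _windows(sorted(evs), window):
            users = {e[2] for e in chunk}
            successes = sum(1 for e in chunk if e[3] == "OK")
            if len(users) >= min_users and successes / len(chunk) <= max_success_rate:
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(chunk),
                                   "successes": successes}
    return flagged


def flag_targets(events, window=timedelta(minutes=10), min_ips=4):
    """Distributed variant: one account receiving failed logins from many IPs, so that no single
    source exceeds a per-IP rate limit. Returns {username: distinct_failing_ips}."""
    by_user = defaultdict(list)
    for ev in events:
        if ev[3] == "FAIL":
            by_user[ev[2]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        for chunk in _windows(sorted(evs), window):
            ips = {e[1] for e in chunk}
            if len(ips) >= min_ips and len(ips) > flagged.get(user, 0):
                flagged[user] = len(ips)
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("suspicious sources:", flag_sources(events))
    print("targeted accounts:", flag_targets(events))
```

On the constructed log, 203.0.113.5 is flagged for trying eight usernames in four seconds with a single success (that one success is exactly the payoff of credential stuffing), and the account "dave" is flagged because five different IPs failed against it within minutes, even though each of those IPs made only one or two attempts. The legitimate user who mistyped once from 198.51.100.7 trips neither rule. In production the thresholds would be tuned against the site's own baseline, and the per-IP rule would be applied per subnet or per device fingerprint as well, since attackers rotate addresses precisely to defeat it.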
What Do ATO Attackers Look For?
Attackers who want to perpetrate account takeovers are always looking for even the smallest weakness. Some of the weaknesses they exploit are:
· Accounts with valid email addresses
· Weak passwords, or passwords obtained from other cracks or leaks and reused across sites
· Sites that don't have a web application firewall (WAF).
What is a WAF?
As mentioned above, a web application firewall is a firewall for HTTP applications. It inspects HTTP traffic before it reaches your application and filters and blocks malicious requests. Because it sees the traffic before your server does, it can stop attacks that would otherwise compromise your data or website.
As SaaS companies take over more of the market with web-based email, hosting, and software, application-layer attacks have become the criminals' favorite. These applications are a treasure trove of user data, personal information, and financial details, making them a desirable focus for online criminals.
Some of the attacks a WAF can protect you from are:
SQL Injection: A technique used to steal information from, or corrupt, a database by smuggling SQL through an application's input fields
Cross-site scripting: Attackers inject a malicious script into a trusted website, which then runs in visitors' browsers and can leak their session data or other sensitive information
Malicious file upload: Allowing uploads with executable file extensions lets attackers run code on the server or on users' machines once someone accepts or installs the malicious file
Each of these attacks can be catastrophic for your website. While they can be used to degrade the performance and functionality of your site, frequently they aim to breach your database and extract personal and financial details.
How Signal Sciences Can Protect You Against ATO
Signal Sciences' Account Takeover Protection sits in front of web applications and analyzes HTTP traffic in both directions, detecting and blocking malicious or unauthorized traffic, including free accounts created to look like legitimate consumers.
By automatically monitoring application and API logins for unusual behavior, Signal Sciences can prevent fraudulent account creation and detect suspicious activity such as password resets, credit card authorizations, delivery address changes, and other hallmarks of ATO.
By inspecting incoming and outgoing HTTP traffic and checking it for unusual patterns, ATO defense can protect your company from credential stuffing attacks, data breaches, and other reputation-damaging cybersecurity attacks.
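The signals named above (password resets, address changes, and orders placed right after them, plus bursts of free-account signups) can be turned into simple detection rules on an application's own event stream. The following is an added example written for this article; it is not Signal Sciences code and does not describe how their product works. The event format, the account names and IP addresses, the signal weights, and the thresholds are all assumptions chosen for the illustration. The first rule scores an account when sensitive changes arrive from an IP the account has never used before and are followed by an order within the hour; the second flags free-account abuse as many signups from one IP in a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample application event stream (not real data).
# One line per event: ISO-8601 time, account id, source IP, event kind.
SAMPLE_EVENTS = """\
2024-03-01T09:00:00Z acct-101 198.51.100.7 login
2024-03-01T09:01:00Z acct-101 198.51.100.7 order
2024-03-01T11:00:00Z acct-101 203.0.113.5 login
2024-03-01T11:00:30Z acct-101 203.0.113.5 password_reset
2024-03-01T11:01:00Z acct-101 203.0.113.5 address_change
2024-03-01T11:02:00Z acct-101 203.0.113.5 order
2024-03-01T12:00:00Z acct-202 198.51.100.9 login
2024-03-01T12:30:00Z acct-202 198.51.100.9 address_change
2024-03-01T12:31:00Z acct-202 198.51.100.9 order
2024-03-01T13:00:00Z acct-301 203.0.113.9 signup
2024-03-01T13:00:20Z acct-302 203.0.113.9 signup
2024-03-01T13:00:41Z acct-303 203.0.113.9 signup
2024-03-01T13:01:02Z acct-304 203.0.113.9 signup
2024-03-01T13:01:25Z acct-305 203.0.113.9 signup
2024-03-01T14:00:00Z acct-401 198.51.100.20 signup
"""

# Assumed weights for the ATO hallmark events; an order on top of pending changes adds ORDER_WEIGHT.
SENSITIVE = {"password_reset": 3, "address_change": 2, "card_added": 2}
ORDER_WEIGHT = 3


def parse_events(text):
    """Parse the assumed format into sorted (time, account, ip, kind) tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, acct, ip, kind = line.split()
            out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), acct, ip, kind))
    out.sort()
    return out


def flag_takeover_sequences(events, window=timedelta(hours=1),
                            new_ip_age=timedelta(hours=24), min_score=6):
    """Score accounts where sensitive changes from a previously unseen IP are followed by an order.
    Returns {account: {"score": int, "signals": [...]}} for accounts at or above min_score."""
    first_seen = {}      # (account, ip) -> first time that pair appeared
    account_start = {}   # account -> first event time of any kind
    for ts, acct, ip, _ in events:
        first_seen.setdefault((acct, ip), ts)
        account_start.setdefault(acct, ts)
    pending = defaultdict(list)  # account -> [(time, weight, kind)] changes from a new IP
    flagged = {}
    for ts, acct, ip, kind in events:
        # "New" means the IP showed up after the account already existed and only recently.
        ip_is_new = (first_seen[(acct, ip)] > account_start[acct]
                     and ts - first_seen[(acct, ip)] <= new_ip_age)
        if kind in SENSITIVE and ip_is_new:
            pending[acct].append((ts, SENSITIVE[kind], kind))
        elif kind == "order":
            recent = [(w, k) for t, w, k in pending[acct] if ts - t <= window]
            score = sum(w for w, _ in recent) + (ORDER_WEIGHT if recent else 0)
            if score >= min_score:
                flagged[acct] = {"score": score, "signals": [k for _, k in recent] + ["order"]}
    return flagged


def flag_signup_bursts(events, window=timedelta(minutes=10), min_signups=4):
    """Free-account abuse: many signups from one IP inside a short window. Returns {ip: count}."""
    by_ip = defaultdict(list)
    for ts, _, ip, kind in events:
        if kind == "signup":
            by_ip[ip].append(ts)      # already in time order because events are sorted
    flagged = {}
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_signups and count > flagged.get(ip, 0):
                flagged[ip] = count
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("likely takeovers:", flag_takeover_sequences(events))
    print("signup bursts:", flag_signup_bursts(events))
```

On the constructed stream, acct-101 is flagged with a score of 8: a password reset and an address change from an IP the account had never used, followed two minutes later by an order. acct-202 changes its address and orders as well, but from the IP it has always used, so it is not flagged; that contrast is the point of keying the rule on "new IP" rather than on the change alone. The five signups from 203.0.113.9 within 85 seconds are flagged as a signup burst, while the lone signup from 198.51.100.20 is not. Real deployments would add device fingerprint and geolocation to the "new source" test and would feed the score into a step-up authentication decision rather than a hard block.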