top of page
  • Writer's pictureNox90 Engineering

Free Account Abuse Attacks – A Growing Problem for the New Online Economy

For a vast amount of SaaS companies, free trials and accounts are the way they attract the majority of their users. While this makes sense in terms of reducing friction for their consumers, it also leaves them vulnerable from a security perspective. Account takeover (ATO) attacks are a growing problem in the online economy, as any business that has suffered the financial and reputational damage associated with security breaches can attest to.

Much of this isn't new. Criminals have been using malware to steal account information for years. However, as customers become comfortable sharing more and more information online, the breadth and sophistication of these attacks are growing.

What Are ATO Attacks?

Account takeover is a kind of identity theft that targets a user's phone number, SSI number, identity documents, or personal financial details, and so on. These attacks are most financially motivated by the ability to use these details to take out loans, make purchases, or to be sold on to other criminals on the black market.

Common ATO Techniques


Phishing attacks happen when a criminal uses a fake login page or email to trick the consumer into providing personal information.

Spear Phishing

Similar to phishing, but these attacks are targeted at an individual.

Social Engineering

An attacker uses social media or other online information to find out the victim's friends or family's names and uses that information to guess their password.

Credential Stuffing

The attacker uses information stolen for one website in a previous hack or data leak and uses those credentials to log into accounts for different sites.


Using bots, attackers can perform brute force attacks that guess passwords or take over accounts on a website.

How ATO Attacks Work

Firstly, the attacker will use phishing, malware, or password dumps to steal either user names, emails, passwords, or logins for any number of online sites.

Once the attacker has this information, they can attempt different types of fraud. In the case of an ATO of an e-commerce store, the criminal could, for example, lock the account out, change the shipping address and order many items.

Of course, ATO attacks are not limited to e-commerce shops. Any website that hosts customer data is useful to these criminals and is therefore vulnerable to attack, including a bank account.

Common ATO Targets

Typically, ATO attacks are motivated by a financial gain on the part of the hackers. The four most common areas that they target are:

Retail Accounts

E-commerce stores contain lots of information that is useful to hackers. Bank details, home address, date of birth, and other personal information are all available, making them a particularly valuable target.

In addition to this personal information, the bulk of ATO retail attacks will involve the attacker making unauthorized purchases.

Gift Card Accounts

Gift card accounts are a favorite target for attackers as they can quickly charge the account holder's card and use gift cards for goods or services.

Streaming Accounts

Streaming accounts like Netflix have become a target for hackers, often with the motive to sell on the login or use it themselves.

Online Currencies

While criminals usually prefer cash, online currencies have become a more popular target in recent years. Airline and hotel award programs, alongside other forms of discounts or tokens, are some of the more popular targets.

The Scale of ATO Attacks

Guessing passwords is hard, so how do ATO attacks manage it? The answer is scale. Because the probability of guessing a single password is low, ATO attacks use vast amounts of bots to try and guess the administrator password. They employ a complicated and sophisticated range of methods, all with the intent of bamboozling the present security solutions.

What Do ATO Attackers Look For?

Hackers who want to perpetrate attack takeovers are always looking for even the tiniest vulnerability. Some of the leaks they can exploit are:

· Accounts with valid email addresses

· Weak passwords or passwords they have gotten from other cracks or leaks

· Sites that don't have a web application firewall (WAF).

What is a WAF?

As mentioned above, a web application firewall is a firewall for HTTP applications. It checks HTTP traffic before it reaches your website and filters and blocks and malicious use. Because it monitors the traffic before it reaches your server, it can filter out attacks that might compromise your data or website.

As SaaS companies begin to take over more of the market with web application emails, hosting, and software, application-layer attacks have become favored by criminals. These applications are a treasure trove of user data, personal information, and financial details, making them a desirable focus for internet criminals.

Some of the malicious attacks that WAF can protect you from are:

SQL Injection: A hacking technique use to steal information or corrupt a database

Cross-site scripting: This involves attackers injecting a malicious script into a trusted website, which can then feedback back sensitive information of browsing users

Malicious file extension: The file extensions allow attackers to execute code after a super accepts or installs a malicious file

Each of these attacks can be catastrophic for your website. While they can be used to affect the performance and functionality of your website, frequently, they aim to breach or compromise your database to extract personal and financial details.

How Signal Science Can Protect You Against ATO

Signal Science's Account Takeover Protection sits in front of web applications and analyses HTTP traffic both ways, discovering and preventing malicious or unauthorized traffic, including free accounts that have been made to appear like legitimate consumers.

By automatically monitoring app and API logins for unusual behavior, Signal Science can prevent fraudulent account creation and detect suspicious activity like password resets, credit card authorization, delivery address changes, and other hallmarks of ATO criminality.

By inspecting incoming and outgoing HTTP information and checking it for unusual behaviors, ATO defense can protect your company from credential stuffing attacks, data breaches, and other reputation-damaging cybersecurity attacks.

21 views0 comments

Recent Posts

See All


bottom of page