Account Take Over (ATO) is unfortunately a common topic for us, and we often think of it as something very complex to carry out, but it is actually a group of techniques criminals use to gain unauthorized access to bank accounts, digital wallets, emails, credit cards, WhatsApp accounts, and so on.
Attackers use various mechanisms to carry out ATOs, including phishing, social engineering, exploitation of vulnerabilities, use of malware and use of leaked or stolen passwords.
In this article, we will explore tactics and techniques used by attackers to steal accounts and ways in which individuals, businesses and fraud prevention teams can protect themselves. Let's first look at how attackers proceed, separated by target of attack into two groups:
A. Direct attack on the victim:
- Phishing: Attackers send spoofed emails or messages to users in order to trick them into entering personal information, login credentials or financial information on fake websites that appear legitimate. The emails may appear to come from legitimate sources, such as banks or digital wallet companies.
- Smishing: Similar to phishing only via text messages (SMS) instead of emails. The goal of smishing is to trick the victim into revealing personal information, financial information or login credentials through forged text messages that appear legitimate.
- Social engineering: Attackers seek to manipulate users into revealing sensitive information, such as passwords or two-factor authentication (2FA) data, by using tactics such as persuasion or intimidation, usually carried out through phone calls with arguments such as prizes, erroneous transfers or posing as government agencies. Fraudulent emails and SMS are also social engineering techniques.
B. Attack on the organization that stores the victim's data, where an employee or a collaborator can also be affected by phishing or social engineering with the purpose of extracting corporate data:
- Exploitation of vulnerabilities: Attackers can exploit vulnerabilities in software or hardware, even abuse logical flaws such as bypassing authentication or authorization mechanisms to, for example, make transfers from a third party's account.
- Leaked or stolen passwords: Attackers can obtain leaked or stolen passwords through data breaches or by using third-party websites that do not adequately protect user passwords. This, linked to bad practices such as using the same password for everything, means that when credentials are leaked on one site, those same credentials can be used in other companies, gaining access with the correct user and password but without authorization.
C. Malicious code deserves a section of its own, since its scope is much broader: when the same actor manages to infect several devices, they can form a botnet. Let's look at some examples:
- Computers: Computer malware has the longest history; we can mention Zeus, SpyEye or Emotet as iconic families with many years and variations. These were embedded in pirated programs on unofficial sites or spread in office documents via email in order to capture credentials, banking data and sensitive information. Attackers stay at the forefront and keep updating their infection mechanisms, for example Mekotio distributed through e-mails requesting payments to the government, or the recent lure of unlimited access to or download of ChatGPT for Windows.
- POS: Point-of-sale terminals are small computers, so they are not immune to attacks in which attackers seek to copy card data. Among the malware for these devices, we can mention PunkeyPOS, which is already a few years old, or Prilex, which merited a purple notice from Interpol and a communication from CONDUSEF.
- Mobile: There is malware for smartphones that can steal financial and personal information, such as WireLurker for iOS and the Android version of Zeus.
- ATMs: In the case of ATMs, most malware seeks to dispense cash arbitrarily, as in the case of Ploutus, for example. However, there are also techniques to copy card data, both in the door-opening mechanisms and directly in the device; this technique is known as skimming and does not necessarily require malicious code in the ATM.
Now that we know some of the means attackers use to take over accounts, let's briefly analyze the impact:
- 700% increase in card copying during the first half of 2022.
- 72% of passwords leaked on the dark web were captured by botnets.
- 99.2% of login attempts are made by automated tools (bots).
This means that both individuals and institutions must be aware of this problem and jointly adopt protection mechanisms: take steps to prevent accounts from being stolen and protect customers from losing their money.
How do we protect ourselves personally?
- Use strong passwords: Strong and unique passwords for each platform are an effective way to protect yourself. Passwords should be complex and difficult to guess, but easy for us to remember. It is not necessary to remember all passwords, there are password managers.
- Two-factor authentication (2FA): Two-factor authentication provides an additional layer of security by requiring an additional verification code in addition to the password. This makes it more difficult for attackers to gain access to the account since in addition to something you know (password) you need something you have (2FA) to gain access to the account.
- Email verification: Many bank accounts and digital wallets offer an email verification option to confirm that the user is the legitimate owner of the account, and can even alert you to new logins. Check whether the organization you have your account with offers this feature and enable it so you receive alerts about new logins.
- Do not share personal information: Never disclose personal or financial information to strangers, whether in person, over the phone, or via any electronic means. Verify that you are really talking to the person you know, or to the entity that is offering you the prize or requesting the information.
- Devices: Keeping all the programs and operating systems of your computer and phone updated is not enough; strengthen the security mechanisms with a reliable antivirus, and avoid downloading pirated programs, connecting to public Wi-Fi, and downloading attachments from unknown e-mails.
Companies must also implement measures to protect themselves. Some of these measures include:
- Training and awareness: It is important that employees are trained and made aware of cybersecurity risks and know how to identify and report possible information theft attempts. It is the main link in defense-in-depth mechanisms since it covers all layers.
- Suspicious activity monitoring: Companies should regularly monitor activity on their accounts and systems to detect any suspicious or unusual activity. Automated alerts and notifications can help detect intrusion attempts by brute force attacks or multiple authentication attempts in real time.
- Two-factor authentication (2FA) implementation: Two-factor authentication is an effective measure to protect company accounts and as an additional security value for the customer.
- Password management: It is advisable for companies to implement password management policies, as well as to request secure passwords, both for internal systems and for customer authentication. Periodic password rotation and limiting failed login attempts are additional mechanisms to protect both employees and customers.
- Vulnerability assessment: It is advisable to have periodic vulnerability assessments, and this does not mean only running Nessus against the domain: deep code analysis, review of logical flaws, and ethical hacking tests can strengthen the organization.
- Malware protection: It may even sound trivial, but many small to mid-sized organizations consider anti-malware to be for large enterprises and very expensive. Regardless of the size of the organization and the operating system they use on their machines (even Linux or Mac), it is advisable that they possess some solution to prevent infection with malware.
- Data analysis: Fraud prevention teams can use data analysis tools to detect customer patterns and behaviors, such as devices from which they usually access, IP addresses, locations, etc. These are data points that are usually collected during the origination process but are rarely monitored according to user behavior.
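The two monitoring measures above (alerting on multiple authentication attempts, and comparing each login with the devices, IPs and locations the customer usually uses) can be expressed as simple detection logic. This is an added example, not code from the article or from Trully; the login events, field layout, user names and IPs are all constructed, and the thresholds are assumptions to tune per organization.

```python
# Added example (not the article's code). Event fields: (timestamp, user, source_ip, device_id, country, outcome)
from collections import defaultdict
from datetime import datetime, timedelta
HISTORY = [  # constructed baseline of earlier successful logins
    ("2023-03-01T09:00:00", "ana", "203.0.113.5", "dev-ana-1", "MX", "ok"),
    ("2023-03-02T11:00:00", "luis", "198.51.100.7", "dev-luis-1", "MX", "ok"),
]
TODAY = [  # constructed events to analyse
    # One IP trying leaked passwords against many accounts within seconds (bot).
    ("2023-03-03T02:00:00", "ana", "192.0.2.9", "dev-x", "RU", "fail"),
    ("2023-03-03T02:00:01", "luis", "192.0.2.9", "dev-x", "RU", "fail"),
    ("2023-03-03T02:00:02", "maria", "192.0.2.9", "dev-x", "RU", "fail"),
    ("2023-03-03T02:00:03", "pedro", "192.0.2.9", "dev-x", "RU", "fail"),
    ("2023-03-03T02:00:04", "ana", "192.0.2.9", "dev-x", "RU", "ok"),  # reused password worked
    # Legitimate user mistypes twice, then succeeds from a known device.
    ("2023-03-03T09:00:00", "luis", "198.51.100.7", "dev-luis-1", "MX", "fail"),
    ("2023-03-03T09:00:10", "luis", "198.51.100.7", "dev-luis-1", "MX", "fail"),
    ("2023-03-03T09:00:20", "luis", "198.51.100.7", "dev-luis-1", "MX", "ok"),
]

def build_profiles(events):
    """Baseline per user: devices and countries seen in successful logins."""
    profiles = defaultdict(lambda: {"devices": set(), "countries": set()})
    for _, user, _, device, country, outcome in events:
        if outcome == "ok":
            profiles[user]["devices"].add(device)
            profiles[user]["countries"].add(country)
    return profiles

def stuffing_ips(events, window=timedelta(minutes=5), min_failures=4, min_users=3):
    """IPs with >= min_failures failed logins over >= min_users accounts in one window."""
    by_ip = defaultdict(list)
    for ts, user, ip, _, _, outcome in events:
        if outcome == "fail":
            by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = set()
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (t, _) in enumerate(fails):  # trailing window ending at each failure
            recent = [u for t2, u in fails[: i + 1] if t - t2 <= window]
            if len(recent) >= min_failures and len(set(recent)) >= min_users:
                flagged.add(ip)
    return flagged

def anomalous_logins(profiles, events):
    """Successful logins from a device or country the user has never used before."""
    hits = []
    for ts, user, ip, device, country, outcome in events:
        known = profiles.get(user)  # .get() does not create a default entry
        if outcome == "ok" and (known is None or device not in known["devices"]
                                or country not in known["countries"]):
            hits.append((ts, user, ip))
    return hits
```

Here the two normal mistyped passwords from luis's known device produce no alert, while the single IP cycling through four accounts is flagged and ana's successful login from a never-seen device and country is reported even though the password was correct.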
Learn how Trully can help you effectively attack fraud and identity theft by combining Machine Learning and Artificial Intelligence tools to detect fraudsters. If you want to know more, here are the details.
Author: Eric Balderrama - CISO and lawyer, expert in cybersecurity, with extensive experience in preventing digital fraud in the banking and financial sector in Latin America. Tireless fighter against identity theft and account take over.