Account takeovers (unauthorised logins) are one of the most widespread and consistent types of cyberattacks. According to a recent report by Sift, a digital trust and leader in online safety, account takeover attacks increased by 354% year-on-year in the second half of 2023.
Even well-established platforms, backed by the best security, aren't safe from account hacking. Last year, LinkedIn experienced a major account takeover campaign, where many users were locked out of their accounts. Some users were asked to pay a ransom to regain access, and others had their accounts entirely deleted.
Account takeover attacks can be highly damaging to businesses and customers. Knowledge of how they're carried out is half the battle when it comes to prevention. This article explains.
What is an account takeover (ATO) attack?
An account takeover, often called ATO, is where a cyber attacker gains unauthorised access to a user account, usually with malicious intent. They aim to take control of the account and do financial and/or reputational damage. Hackers often achieve account takeovers by illegally obtaining an account holder's login credentials.
Ten ways account takeover attacks are carried out
Cybercriminals are very creative in how they deceive their victims. Here are some of the main account takeover techniques used:
1. Phishing, spear phishing, whaling, and spoofing
These methods are essentially designed to trick users into revealing their login credentials or sensitive personal information through fraudulent messages or fake websites. There are some slight differences between them:
Phishing – any fraudulent email, SMS or phone call designed to trick recipients into revealing usernames, passwords and other personal information. Phishing can also be done through fake landing pages and malicious links.
Spear phishing – very similar to phishing attacks except the aim is to target a specific individual or group of individuals.
Whaling – highly personalised attacks on high-profile targets like executives and leaders within an organisation.
Spoofing – where cybercriminals impersonate well-known companies by using their name, usually with an altered (very similar) email address or domain.
2. Social engineering
Social engineering exploits trust. It involves using psychological manipulation tactics on people to get them to do something that compromises their online security. For example, sharing their personal information, downloading malicious software, visiting a dodgy website or transferring money to cybercriminals.
Some social engineering scams use AI to make them even more convincing. One real-life example is when the CEO of a UK energy firm transferred $243K to a 'Hungarian supplier' after believing he was speaking to his boss on the phone. In fact, AI-based software was used to impersonate his boss's voice, and the funds were delivered straight into the hands of scammers.
3. Brute force attacks
Brute force attacks are where attackers bombard an application with different combinations of password strings until one works and access is granted. It's a bit like a thief trying to break into a safe by trying all the possible code combinations. Even though automated tools like bots or computer programmes are used to generate and enter passwords repeatedly, this method isn’t all that efficient for hackers – it’s untargeted and time-consuming.
4. Botnets
A botnet is a whole network of interconnected computers that are infected by a hacker, usually through a virus. Once infected, the network turns into a zombie army, entirely under the hacker's control, where it can be used to attack even more devices or send fraudulent messages.
5. Data breaches
Data breaches are online security incidents where data confidentiality is leaked or compromised. Malicious actors first gain access to part or all of a customer database, where login credentials and other personal details are stored. In an account takeover, the stolen credentials are then used to access customer accounts.
6. Man-in-the-middle (MITM) attacks
This is where cybercriminals intercept data being transferred between a website and a user's mobile phone, tablet or computer. The interception occurs where delivery mechanisms or protocols aren't totally secure, e.g., SMS transmission has vulnerabilities, as do unsecured WiFi networks. Once the information is stolen, it can be used to gain unauthorised access to private accounts.
7. Malware
Malware is the term used to describe viruses and other malicious computer code programmed to infect and cause harm to a user's device(s). It can log keystrokes, record screens and even read, edit and copy authentication information from browser or device caches – and send the sensitive data to the malware programme owner.
8. Stolen cookies
Cookies often store login credentials and authentication tokens, saving users time when they next attempt to log into their applications. However, some hackers will try to access cookies to steal the credentials and illegally replicate the user's session on their own device. Thus enabling them to perform an account takeover.
9. Network sniffing
Also known as packet sniffing, this method captures data travelling over insecure networks. Public WiFi networks are an example – these are often unencrypted, meaning hackers can watch all online activity that passes through. If your business offers a public WiFi network for customers, it's vital to have firewalls and encryption protocols in place – and advise users to be cautious of the applications they're logging into while using your network.
10. Credential stuffing
Credential stuffing is where attackers extract entire lists of usernames and passwords from the data breach of one service or application and use them on other applications. The hope is that the same ID and password combinations work across different websites. This method specifically targets individuals who use the same credentials for all their online accounts.
Common targets of account takeover fraud
Any service or platform where cybercriminals can access valuable and sensitive data can experience ATO attacks. However, scammers often target financial institutions, eCommerce platforms, and social media websites. Here's why:
Banks and loan providers – they take control of victims' online accounts to steal funds.
Online stores – they hack into customers' accounts to steal stored credit card details and make unauthorised transactions.
Social media accounts – they take over a brand or individual's account for various reasons, including damaging brand trust and trying to trick the people who follow you into revealing personal information or transferring funds.
What are the consequences of account takeover?
Many cybercriminals are seeking financial gain when carrying out an account takeover attack. They may try to transfer funds from the target’s account to theirs or steal sensitive information to sell on the black market (where it could be used to conduct crimes). For victims, this leads to financial losses, inconvenience, stress and worry.
Messente's anti-fraud specialist, Karl Kalvik, explains further: "The consequences of having personal information stolen for identity theft are tremendously significant. It can take months after the event to clean up compromised accounts or restore a damaged credit file. Sometimes, stolen identities are used as cover for criminal activities, which can lead to victims being wrongly arrested and mistreated. All this can take its toll emotionally."
Sometimes, hackers want to sabotage a business or individual by disrupting systems or causing reputational damage, e.g. by taking over the victim's LinkedIn account and sending indecent content to their professional connections. Reasons vary, from personal vendettas and espionage to thrill-seeking – and, of course, monetary gain.
How to prevent ATO attacks
Fortunately, there are ways to prevent account takeover attacks from impacting your business and customers. Here are some of the best cybersecurity practices to follow:
Promote password hygiene – encourage customers and employees to use strong, unique passwords and change them regularly. There should be no reusing of the same password across multiple accounts.
Ensure business software is up-to-date – this is vital across all your systems, including CRMs and eCommerce platforms, to fix any rogue security vulnerabilities before problems occur.
Educate customers and employees – on how to identify and report phishing emails, text scams, suspicious links and other potentially malicious activities.
Monitor customer accounts – to detect any unusual activity that might suggest a successful account takeover attack.
Use advanced authentication methods – such as passwordless authentication with biometrics technologies, multi-factor authentication (MFA) and SMS two-factor authentication (2FA).
Use CAPTCHA for application logins – to challenge whether users are humans or bots. Also, set limits on the number of automated login attempts.
Keep yourself (and your IT team) updated – about the latest security threats and preventative measures or technologies.
Protect your customers from account takeover attacks
Account takeover fraud is a major problem for many businesses and their users, not least because there are so many ways this type of cybercrime can occur. The consequences of falling victim to an account takeover can be devastating, leading to financial losses, reputation damage and emotional trauma.
Understanding the different methods hackers use is essential in helping prevent account takeovers from happening in the first place. As is following robust online security practices like updating software, threat monitoring, encouraging strong passwords, and implementing newer user authentication models.
Consider adding SMS verification to your user authentication process. It's quick and easy for customers and is much safer than single-password login.
Start fortifying your defences today with Messente's SMS verification service.