Time to see past the blind spots of account takeover 

Few cybersecurity threats worry today’s CISOs as much as account takeover (ATO) attacks. As many major brands have come to learn the hard way, even the most robust security controls are easily undone by customers recycling their passwords across multiple accounts.

Recent events underscore the critical need to address ATO vulnerabilities. Security researchers uncovered critical security flaws in ChatGPT plugins, exposing sensitive user data and raising concerns about the security of third-party integrations. Meanwhile, a recent surge in user complaints prompted U.S. state attorney generals to demand action from Meta regarding a "dramatic and persistent spike" in ATOs on Facebook and Instagram.

Both of these incidents highlight the potential for ATO attacks to occur on traditional platforms like social media, and also within the expanding ecosystem of productivity tools and AI-powered applications.

Decode the signals of ATO

Account takeover attacks represent the lowest of the low-hanging fruit for threat actors today. With more than 12 billion user credentials being actively marketed on dark web forums along with dozens of open-source tools for cracking accounts, the barriers for entry for aspiring hackers are negligible. That’s one of the reasons why according to a recent study by Javelin and AARP, 22% of U.S. adults were victims of ATO last year, resulting in more than $13 billion in losses. 

While stolen credentials are easy to find on the dark web, manually testing them presents a tedious and time-consuming process. That’s where bots come in. Threat actors have weaponized bots to automate large-scale ATO attempts. A new generation of sophisticated bots can mimic human behavior by filling out login forms, solving CAPTCHAs, and even bypassing basic two-factor authentication measures. This automation significantly increases the efficiency of ATO attacks, allowing criminals to test and validate vast numbers of stolen credentials in a fraction of the time it would normally take.

Meanwhile, open-source pentesting tools like OpenBullet, take it a step further. Threat actors leverage these tools by customizing configuration files to target specific websites, enabling the automated input of stolen credentials into login forms at scale.

Security teams find the fragmented nature of warning signals across different departments one of the most challenging aspects of ATO attacks. While the network security team might receive alerts from a bot mitigation engine indicating suspicious activities, the application security group could observe unusual patterns through the web firewall. This division creates a scenario where signals indicative of a potential ATO attack are dispersed across various units within the organization, each observing only a fragment of the broader threat landscape.

Moreover, these signals are not static; they evolve downstream into varied forms such as fraud alerts or specific behavioral patterns associated with the attack tactics. Typically, attackers follow a programmed sequence of actions upon gaining unauthorized access to an account, which might include credential washing and reconnaissance activities to assess the value of the compromised account. These steps are meticulously planned and executed, making the detection based solely on internal signals all the more challenging.

Three early detection tips

Speed is of the essence when it comes to detecting and stopping bad actors from taking over legitimate user accounts. To protect user accounts and the company’s bottom line from ATOs, consider the following strategies:

While we can offer no real silver bullet for preventing ATO attacks, security teams can certainly reduce the chances by applying some of these ideas and work to beat the bots at their own game.

Nick Rieniets, Field CTO, Kasada