Account Take Over attacks hijack users’ accounts for the criminals’ purposes. All accounts are at risk, but attacks against retail accounts have recently spiked. What’s behind this selective targeting?
Retail Under Attack
A 2020 report by Akamai, the content delivery network and cybersecurity provider, claims Account Take Over (ATO) attacks have increased in the retail sector by over 40 percent. They say that 60 percent of credential stuffing attacks in the last 24 months were aimed at retail, hospitality, and travel businesses. By a huge margin—an astonishing 90 percent of these attacks—retailing is bearing the brunt of this cyber offensive.
These figures correlate with findings by Ravelin, a fraud prediction and detection company with strong interests in retail. Ravelin released a report in 2020 concentrating on online merchants and e-commerce. The report revealed that 45 percent of online retailers are seeing more frequent ATO attacks and that this type of fraud is now their biggest fraud risk.
The COVID-19 global pandemic has played a part in this unwanted attention from cybercriminals. The stay-at-home, work-from-home periods of lockdown drove an increase in online purchasing. It was the only way you could buy most items, especially anything categorized as non-critical. For some consumers, it was their first foray into online shopping. Established online shoppers made a greater number of purchases, often from vendors they had not previously used. In fact, 2020 saw record levels of online commerce.
Victims of Their Own Success
Over 50 percent of the respondents in Ravelin’s report experienced a positive or very positive impact on sales because of the pandemic. More customers and more users are a good thing, of course, but they do come with some baggage. New users who are dipping a toe into e-commerce for the first time and long-established users with a lot of accounts to juggle both tend to use weak passwords.
Weak passwords are easily cracked by increasingly intelligent brute-force attack software. These packages are no longer restricted to working their way through a long list of dictionary words and trying them one by one as passwords. They can combine words with numbers and dates, and they understand all of the common number and letter substitutions.
They can also use the lists of breached passwords from other sites. If a password you use happens to be in that list—whether it came from one of your accounts or from someone else’s account that happened to use the same password—the credential stuffing software can log in as though it was you.
Login credentials may also be harvested by phishing attacks or other social engineering-based methods, which new users are more likely to accept as genuine and to fall for. So the more users you have, the more likely it is that some of them will fall foul of a phishing attack.
How Compromised Accounts Are Monetized
Cybercriminals rarely do what they do for fun. Like all criminals, they seek to profit from their activities. They need to monetize the attacks to make money from them. A compromised account gives them many options. A compromised corporate account can be used to mount phishing campaigns, to exfiltrate private or sensitive company information, or to conduct different types of fraud through the associated business email account.
A compromised user account on a retail platform is very different, but there are still many ways the threat actor can generate a profit.
- Credential Sale: They may sell the details of the breached account on the Dark Web. They will sell it as a verified account. This means they have proof, usually a screenshot, that shows they have been able to log in to that account using the credentials that they are selling.
- Place Fraudulent Orders: They may place orders for goods using stored credit card details, loyalty points, or using lines of credit that may have been extended to that account.
- Sell Personal Data: They may extract all of the information contained in the user’s profile—address, contact details, and payment card details—and sell that parcel of information on the Dark Web.
- Use Stolen Card Details: Attaching stolen credit card details to a compromised account allows the cybercriminal to use the card for purchases under the camouflage of the genuine user’s account.
- Clone the Account: A threat actor can delete the compromised account and create a new account using the details they extracted from the original. This gives them complete control of the new account. The new account will have a different user ID and account ID making it difficult for the genuine user and the retailer’s technical support to find and block the cloned account.
If the threat actor is going to make fraudulent purchases, they will likely change the password to lock out the genuine user. This prevents the genuine user from seeing exactly what is happening in their account and forces them through an often long-winded verification process with the retailer’s technical support to get the password reset.
If the threat actors are going to sell the account login details or the personal information of the user, they will not place orders or make changes to the account details. They don’t want to alert the user that their account has been compromised.
Sometimes the criminals will change only the delivery address and the contact cellphone number. This is because they don’t want the goods to go to the real account owner’s address and because the cellphone number is often given to the delivery driver. The driver will use it to ask for directions if they can’t find the address and the retail system will send SMS text alerts to the phone as the order is progressed through the system.
What Retailers Can Do
These steps will help to protect you against ATO attacks.
- Enumerate Account Types: Always start by quantifying what you need to protect. All of the account types that you provide should be identified and categorized. The risks associated with the different account types may differ from account to account. Plans and responses that can mitigate the risk should be created. Capture the departments, teams, and other stakeholders who are invested in the different account types.
- Recognize Possible Indicators of Attack: This requires joined-up thinking on the part of the stakeholders and it might require top-up training for technical staff. For example, many login attempts on an account may indicate that the account is being targeted. It might be that the user has forgotten their password, but it might be a genuine attack. According to the type of account and the identified risk associated with a compromised account of that type, the appropriate response should be enacted. That could be as simple as locking the account and contacting the account owner.
- Set Login Attempt Limits: Restrict the number of failed login attempts that can be made before the account is locked out and a warning raised.
- Adopt Technical Solutions: Consider systems such as Intrusion Detection Systems that can automate the detection of indicators of attack, perform remedial action, and send alerts to your security or fraud team.
- Two-Factor Authentication: Two-factor authentication (2FA) is a robust way to secure accounts. It requires the user to know their ID and password and to have some other item in their possession, usually an authentication app on their smartphone. Two-factor authentication should be used wherever possible.
- Educate Users: Create and send informative emails to users. Cover topics such as the current threats, the latest fraud trends, and the course of action they should take if they think their account is compromised or under attack. You can also use these service emails to try to avoid cyberfriction—the push-back you get when a security improvement changes a workflow or introduces an extra step. Two-factor authentication is a good example. You need to plan how you are going to promote the new security requirement so that it is understood and adopted by your userbase. If the users don’t embrace it and use it, you may as well not provide it.
- Install Fraud Prevention Software: Software defenses are available that can recognize suspicious patterns of behavior and lock down accounts before an attacker can commit any harm.
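As an added illustration (this is not code from the article or from any vendor named in it), the following script turns three of the indicators discussed above into detection logic that runs over login-audit lines: a burst of failed logins on one account (the "login attempt limit"), one source address working through many different accounts (the credential-stuffing pattern), and an account whose delivery address and contact phone number are both changed shortly after a login from an address that account has never used before. The log format, field names, threshold values, and the sample events are all constructed for this example; a retailer would tune the thresholds per account type as the "Enumerate Account Types" step suggests.

```python
"""Detect account-takeover indicators in a constructed login-audit log."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical thresholds; in practice these are set per account type and risk level.
FAILED_LOGIN_LIMIT = 5                        # failures on one account inside the window -> lock it
FAILED_WINDOW = timedelta(minutes=10)
STUFFING_ACCOUNT_LIMIT = 5                    # distinct accounts tried from one IP inside the window
STUFFING_WINDOW = timedelta(minutes=10)
PROFILE_CHANGE_WINDOW = timedelta(minutes=30)  # address+phone edited this soon after a login from a new IP


def parse_event(line):
    """Parse a constructed 'ISO-timestamp event key=value ...' line into a dict."""
    ts, event, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def detect_ato_indicators(lines, known_ips=None):
    """Return the accounts to lock, the source IPs showing a stuffing pattern,
    and the accounts whose address and phone changed right after a new-IP login."""
    events = sorted((parse_event(line) for line in lines), key=lambda r: r["ts"])
    # Addresses each account has used before (constructed history); copied so the caller's dict is untouched.
    known = defaultdict(set, {u: set(v) for u, v in (known_ips or {}).items()})
    failed_by_user = defaultdict(deque)      # user -> timestamps of recent failures
    accounts_by_ip = defaultdict(deque)      # ip -> (timestamp, user) of recent attempts
    new_ip_login_at = {}                     # user -> time of the latest login from an unseen IP
    changed_fields = defaultdict(set)        # user -> profile fields edited since that login
    findings = {"lock_accounts": set(), "stuffing_ips": set(), "profile_changes": set()}

    for r in events:
        ts, user, ip = r["ts"], r.get("user"), r.get("ip")

        if r["event"] == "login_failed":
            window = failed_by_user[user]
            window.append(ts)
            while window and ts - window[0] > FAILED_WINDOW:   # drop failures outside the window
                window.popleft()
            if len(window) >= FAILED_LOGIN_LIMIT:
                findings["lock_accounts"].add(user)

        if r["event"] in ("login_failed", "login_success") and ip:
            attempts = accounts_by_ip[ip]
            attempts.append((ts, user))
            while attempts and ts - attempts[0][0] > STUFFING_WINDOW:
                attempts.popleft()
            if len({u for _, u in attempts}) >= STUFFING_ACCOUNT_LIMIT:
                findings["stuffing_ips"].add(ip)

        if r["event"] == "login_success":
            if ip not in known[user]:                 # first time this account logs in from here
                new_ip_login_at[user] = ts
                changed_fields[user] = set()
            known[user].add(ip)

        if r["event"] == "profile_update":
            started = new_ip_login_at.get(user)
            if started is not None and ts - started <= PROFILE_CHANGE_WINDOW:
                changed_fields[user].add(r.get("field"))
                if {"delivery_address", "phone"} <= changed_fields[user]:
                    findings["profile_changes"].add(user)
    return findings


# Constructed sample events (not real log data).
SAMPLE_LOG = [
    # alice: burst of failures on one account from one address
    "2021-03-01T10:00:01 login_failed user=alice ip=203.0.113.5",
    "2021-03-01T10:00:09 login_failed user=alice ip=203.0.113.5",
    "2021-03-01T10:00:17 login_failed user=alice ip=203.0.113.5",
    "2021-03-01T10:00:25 login_failed user=alice ip=203.0.113.5",
    "2021-03-01T10:00:33 login_failed user=alice ip=203.0.113.5",
    # one address working through many accounts: the credential-stuffing pattern
    "2021-03-01T11:00:00 login_failed user=u1 ip=198.51.100.7",
    "2021-03-01T11:00:02 login_failed user=u2 ip=198.51.100.7",
    "2021-03-01T11:00:04 login_success user=u3 ip=198.51.100.7",
    "2021-03-01T11:00:06 login_failed user=u4 ip=198.51.100.7",
    "2021-03-01T11:00:08 login_failed user=u5 ip=198.51.100.7",
    # bob: login from an address never seen before, then delivery address and phone changed
    "2021-03-01T12:00:00 login_success user=bob ip=192.0.2.44",
    "2021-03-01T12:03:10 profile_update user=bob ip=192.0.2.44 field=delivery_address",
    "2021-03-01T12:04:02 profile_update user=bob ip=192.0.2.44 field=phone",
    # carol: the same edits, but from an address she has used before
    "2021-03-01T13:00:00 login_success user=carol ip=198.51.100.20",
    "2021-03-01T13:01:00 profile_update user=carol ip=198.51.100.20 field=delivery_address",
    "2021-03-01T13:02:00 profile_update user=carol ip=198.51.100.20 field=phone",
]
KNOWN_IPS = {"bob": {"198.51.100.21"}, "carol": {"198.51.100.20"}}

if __name__ == "__main__":
    for kind, items in detect_ato_indicators(SAMPLE_LOG, KNOWN_IPS).items():
        print(f"{kind}: {sorted(items)}")
```

Run as a script it reports alice as the account to lock, 198.51.100.7 as the stuffing source, and bob as the profile-change case, while carol is left alone because her edits came from an address already associated with her account. Each finding maps onto a response from the list above: a lock plus owner contact for the account, a block or rate limit for the source address, and a hold on outgoing orders pending verification for the profile change.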
Don’t forget the basics. Annual security audits, policy reviews and walk-throughs, incident plan rehearsals, penetration tests, and staff awareness training should all continue.