How Massive Data Breaches Are Fueling Account Takeover Attacks

Account Takeover (ATO) attacks rank among the most damaging and insidious types of bot attacks. They result in fraud and loss of monetary and other forms of stored value such as store credits, gift cards, and loyalty points. This type of automated attack leverages lists of breached or stolen account credentials to take over user accounts on a wide range of websites and apps.

Along with phishing and social engineering tactics, credential stuffing (large-scale log-in attempts to verify the validity of stolen username and password combinations) and credential cracking (identifying valid log-in credentials by trying different usernames and/or passwords) are the most common methods used to carry out ATO attacks. Stuffing and cracking attacks take advantage of massive database breaches that expose millions of login credentials, as well as the propensity of many Internet users to reuse the same password(s) across several websites and apps. While consumers, in general, can do little to prevent massive data breaches arising from newly discovered vulnerabilities (as well as improperly configured or obsolete security systems), the poor security practices used by many account holders also contribute to the growing volumes of attempted ATO attacks we are witnessing.

With massive data breaches occurring ever more frequently, cybercriminals now have access to large publicly available databases that contain information that helps them take over accounts and commit fraud on a large scale. Over a billion individuals have had their personally identifiable information (PII) unethically or fraudulently exposed through theft, social engineering, and database breaches. One of the best-known websites that keep tabs on such breaches is Have I Been Pwned?, which provides a valuable (and free) service that informs its users in case their email IDs and associated passwords are found in lists of breached login credentials. The site currently lists 392 “pwned” or compromised websites, and a staggering 8,210,686,516 breached accounts in its database.

According to the Breach Level Index website, 3,353,172,708 confidential data records were compromised in the first half of 2018, a 72% increase over H1 2017. This works out to over 6,114,507 records every single day. When cybercriminals get access to these breached databases, they are in many cases able to associate users’ email IDs and account names with passwords. They often hit pay dirt when account holders use the same password across several sites, which makes ATO attacks easier and far more damaging.

In November 2018, the Marriott International hotel chain revealed that for over four years, Chinese hackers had breached its Starwood guest reservation database, and stole the personal information of up to 500 million users, including their names, addresses, phone numbers, email addresses, passport numbers, birth dates, gender, loyalty program account information, reservation information, as well as payment card numbers and card expiration dates for millions of users. This breach was the largest recorded breach of personal data after the gigantic breach which exposed all three billion Yahoo accounts.

In 2018, Exactis, a Florida-based data broker, announced that a database containing nearly 340 million individual records on a publicly accessible server had been breached. Totaling nearly 2 terabytes of data, the breach exposed personal information on hundreds of millions of American adults and millions of businesses, including phone numbers, home addresses, email addresses, personal characteristics (such as their interests and habits), as well as information about the age and gender of these individuals’ children.

Over the first half of 2019, our researchers observed a spate of attempted ATO attacks on some of our e-commerce customers. Most of them originated from a sophisticated botnet that our researchers have named “AuthBot” (as it only targets log-in and authorization pages). This botnet carried out a large number of distributed attacks using over 3000 cellular IP addresses to target multiple e-commerce website log-in URLs. It also infected mobile applications with malware and used tactics such as rotating through multiple User Agents and IP addresses after a certain number of hits to evade rate-limiting security measures. The sophistication of AuthBot is evident from its ability to mimic human behavior, run JavaScript, store cookies, and even spoof IP addresses.

AuthBot traffic on log-in pages on an e-commerce site (Q1 & Q2 2019)

As the sections marked by a broken line in the above graph indicate, AuthBot traffic on the log-in page greatly spikes on certain days when compared to the average log-in page traffic. Though correlation need not necessarily imply causation, these unusual spikes are evidence of attempted ATO attacks, based on our historical observations of log-in pages across our client base. If you’re a webmaster or security chief, you should be concerned if the traffic on your log-in page has inconsistent spikes such as those in the graph shown above.

For a detailed breakdown of how ATO attacks are crafted, read our article about How Distributed Account Takeover Attacks Knockout Online Businesses. For more information on how to mitigate ATO attacks, see Stopping Hackers Who Use ‘Low & Slow’ Attacks To Evade Security Systems. Subscribe to our Blog for more coverage on the battle against malicious bots.

Originally published at https://www.shieldsquare.com on August 22, 2019.