Account takeover fraud… and how to avoid falling victim

Anthony Daniel, Regional Director – Australia, New Zealand and Pacific Islands, WatchGuard Technologies, tells us how cybercriminals exploit victims through account takeover fraud.

Anthony Daniel, Regional Director for Australia, New Zealand and Pacific Islands, WatchGuard Technologies

Cybercriminals target their victims in many different ways, and one of the lesser-known methods is account takeover fraud (ATF).

ATF is not new, but it’s a tactic that is being used more aggressively. Back in 2018, it caused estimated losses of around US$4 billion across the globe. During 2021, this figure rose by more than 200% and, as of today, it is estimated to be more than US$12 billion.

One of the methods used to mount such an attack is deceptively simple, yet the impact on a victim can be profound. It involves hijacking an account before a user has actually registered it.

For example, an attacker can create a new account on a service such as Dropbox or Zoom using a victim’s credentials that have been stolen from another source. When the users themselves attempt to create a legitimate account, they are told that one in their name already exists. They are prompted to reset the password; however, the cybercriminal maintains access.

This type of cyberattack requires a number of factors to occur:

  • The account must not have already been created by the user with the ID that is used;
  • The cybercriminal needs to have acquired some form of legitimate user identification, such as an email address or a phone number;
  • There must be a flaw in the setup process that allows an account to be created without needing to be verified.

It’s important to recognise that an attacker does not have to have access to a victim’s email account or mobile phone to successfully carry out this type of attack. There simply has to be no previous account on the service in the victim’s name.

There are a range of methods that cybercriminals can use to mount an account takeover attack. They include:

  • Unexpired session ID attack: In these types of attacks, the cybercriminal generates a new account using a victim’s email address as an identifier. When the victim tries to create an account, they are notified that it has already been created and are prompted to change their password. However, this does not prevent the attacker from continuing to gain access, as the service allows multiple simultaneous sessions.
  • Trojan identifier attack: This method involves an attacker generating an identifier on the new account, and then creating a secondary login with real customer data, such as an email address or phone number. Even if the victim tries to log in by recovering their password, the attacker will remain active in the account as a trojan.
  • Non-verifying IdP attack: These types of attacks involve cybercriminals creating their own identity provider (IdP) and opening an account using its federated path. They then add a user by using that user’s email address. When the victim then tries to create an account, the system reminds them that it already exists. When recovering their password, the attacker gains access through the federated account.
  • Unexpired email change attack: Using this method, a cybercriminal generates an account using the victim’s email address without waiting for verification and then changes it to another one under their control. Then, if the victim tries to create an account, the attacker takes control of it before the email change process is completed.
  • Email verification trick: Many online services do not allow an account to be created without verification by email. In this method, an attacker creates the account using an email address that is under their control, and then takes advantage of the ‘change email’ function by entering the victim’s email address. Therefore, when the user wants to create an account, they can start the change process but the attacker will have already compromised it.

Protecting against attacks

The most effective way to protect against these types of attacks is by implementing a strong multi-factor authentication (MFA) system. These systems explicitly identify users via an additional personal device such as a mobile phone or token.

It is also important for users to be aware of the tactics that are being used and the dangers of simply requesting a password change to an existing account when they can’t remember establishing it in the first place. As with any online activity, being vigilant at all times is key. 

Intelligent CISO