Why attackers try to take over user accounts

Account takeovers (ATOs), also known as “account hijacking,” are a type of fraud that’s on the rise these days! This type of attack is attractive to hackers due to the financial return and the ease of such an attack: user account takeover is relatively low cost and has a high success rate. Additionally, there are many means to make money off an account that has been taken over, or in using it to perform more advanced attacks. Consequently, for your users, by taking over their account and changing your account profile information, the attacker is making it nearly impossible for them to regain control.

If your user accounts contain valuable information, such as financial data or even just a wider range of privileges in your application, this makes them vulnerable to attacks like these.

As a security owner, you have to safeguard your users from different types of user account takeover attacks. Engineers use up lots of time to deal with other types of attacks, but account takeover attacks are equally important.

In this post, I’ll explain what ATOs are, why they occur, their impact, methods used, and how to avoid them.

What are user account takeover attacks?

Attacks that allow a hacker to have unauthorized access over a user’s online accounts are known as ATO attacks.

In basic terms, if your account on a web service has been hacked, you most likely are a victim of an ATO attack. Moreover, this means that a hacker was able to find their way into your account and access sensitive information. Therefore, such an attack is a type of identity theft. Identity theft is the criminal act of stealing a person’s identity and subsequently posing as the victim, using their unique information.

Why ATOs happen

Since ATO attacks are so destructive to users, understanding the reasons behind and managing these attacks are critical. However, it’s very difficult to protect each user. For example, information leakage at the user end may also cause attacks even when the vulnerabilities of the system are well maintained. But as a security owner, you need to thoroughly understand ATO attacks to best prevent them.

ATOs are difficult to detect. Hackers may use compromised accounts to transfer money, make purchases, or manipulate data to use for other purposes. This is all done very easily with little financial cost to the attacker.

When these attacks occur, it impacts productivity and security for your business. Most concerning, it impacts one’s reputation.

Underlying factors

Some of the underlying factors that affect security and cause ATO attacks are as follows:

  • Mega data breaches expose a large number of credentials. Attackers can easily buy account information at cheap rates. Many people reuse their credentials, which puts your user accounts at risk.
  • Multifactor authentication (MFA) acceptance is low. Only 51% of organizations have embraced MFA, by which the user’s experience becomes a large concern, according to a statement by 451 Research. The low adoption rate of MFA results in a higher success rate of attackers conducting ATO attacks.
  • According to Google, 74% of users continue to use account passwords after compromisation. Because of this, attackers then have almost three of four chances to access an account with that password, which has already been compromised.
  • The easy bypass of CAPTCHA using certain software and tools is also a significant factor. These tools are cheap and claim an 80 to 90% success rate.

An attacker with compromised log-in credentials has numerous ways to take advantage of the user. One of them is known as the ransom attack, in which criminals get access to an individual’s or organization’s data and threaten to make it public or destroy it unless the user pays.

One of the main reasons behind these attacks is financial gain, but they are also used as jumping off points to attempt larger and more complex attacks. 

Now that we’ve seen what causes ATO attacks, let’s explore the impact of these attacks.

The impact of account takeover attacks

ATO attacks have a range of impacts for both individuals and organizations.

To individuals, these attacks cause loss of personal data, inability to use personal accounts, depleted gift cards, and unauthorized purchases.

To organizations, these attacks lead to high operational costs, greater security risks, a burden on IT, impact on revenue, risk of fines, fraudulent activities, and loss of customer trust. Most of the organizations that are being attacked by ATO are public sectors, academic institutions, and healthcare industries. Moreover, the ATO attacks include technology, gaming, retail, online travel, restaurants, and reward programs.

ATO attacks lead businesses to lose billions of dollars per year. According to Juniper Research, losses during 2020 are expected to reach $25.6 billion.

Any business with authenticated user accounts should make protecting against ATOs part of their security strategy. Besides committing fraud or stealing user data, attackers can leverage the wider attack surface that an authenticated user has within your application to perform additional attacks.

User account takeover methods

Hackers compromise user accounts by gaining access using credential stuffing and credential cracking attack methods.

Credential stuffing

Credential stuffing is the practice of using an attacked account’s credentials to gain access to multiple accounts on different sites, using automated logging in. Moreover, this exploit allows hackers access to not just the account that they attacked, but access to other accounts that make use of automated logging in, using the original attacked account’s credentials.

After obtaining credentials used for a number of sites, a hacker may sell off lists of these credentials. It’s common for these lists to be sold within underground networks or on the infamous dark web. Whether lists are sold or used by the hacker themselves, it’s likely the holder of the credentials will take full advantage. The attacker often compromises multiple accounts before the user is aware that their account has been attacked.

Credential stuffing is a serious threat to both consumers and businesses. Both risk losing lots of money, either directly or indirectly.

Credential cracking

The goal of a user account takeover attacker in credential cracking is to discover and utilize the victim’s legitimate log-in credentials. There are a few versions of credential cracking, which we’ll discuss below.

Dictionary method

The attacker uses a “dictionary list” of common words and phrases used by businesses and individuals. They use the list to test out all the possibilities that one of the items is the password.

Brute force

To conduct a brute force attack, an attacker may use a tool to attempt every combination of letters and numbers, expecting to eventually guess the password.

Once the hackers gain access, they can browse through financial, personal, or authentication information. Your personal information may include your name, address, birth date, emails, contact numbers, and even your credit card numbers, which can all be sold and used for illegal activities.

How to prevent user account takeover attacks

A security owner can implement many steps to protect their organization from ATO attacks.

Encouraging employees and customers to use multifactor authentication is a priority. Consequently, MFA may reduce user engagement, but it’s a significant step to reduce the impact of ATO attacks and their likelihood.

Analyzing your customer behavior can help to prevent these attacks. Do your customers access their accounts at a certain time? From specific countries or regions? What are their common actions after logging in? Most well-established companies have built-in models to analyze behavior. With the findings of the analysis, alerts can be set to flag any unusual behavior and sent to a fraud team to be investigated.

However, this analysis alone may not observe the ATO attacks because bots can simulate human behavior. But analysis can certainly help to reduce attacks and their impact. More advanced user monitoring can catch suspicious users based on malicious activity that they perform within your application. 

It’s critical to add bot detection capabilities to the security system. Manual protection from bot activities is impossible because these attacks happen quickly.

Requirements to defend against attacks

To detect and stop ATO attacks, an efficient solution should provide the following capabilities:

  • The solution should be software only, rather than purpose-built expensive appliances.
  • Deployable in the cloud and modern architectures
  • Automation in the discovery of application assets throughout the organization.
  • Deliver real-time ATO detection and user monitoring
  • Collaboration with existing security elements and tools to provide better attack details.
  • Minimize all types of risks including reputation, financial, and business disruption.

To learn more about ATO attacks and how to protect against them, check out the Preventing ATOs: How to Identify and Defend Against Account Takeover Attacks whitepaper. And if you’re looking for a solution to help against ATO attacks, check out Sqreen’s application security management platform today to learn how to defend yourself and start a free trial.


This post was written by Daniel de Oliveira. Daniel is a front-end designer, writer, and data analyst. He has experience working with Flutter, Ionic, and Django.

Icon made by Freepik from www.flaticon.com

Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments