Account Takeover Hacking And What You Can Do About It

Account takeover (ATO) is a type of identity theft that is increasingly on the rise, costing individuals, businesses, and organizations significant financial losses and reputational damage that are often difficult to recover from quickly. Cybercriminals use stolen credentials, such as usernames and passwords obtained through malware and social engineering, to gain access to sensitive information, and they use that same data to access websites and banking accounts, transfer money, execute fraudulent transactions, and damage the reputations of companies.

These attacks occur in several ways, exploiting personal information online that is not always secured. Because of this, fraud-as-a-service has emerged: cybercriminals use it to target retailers, gaming organizations, financial services, and any consumer-driven enterprise. The IRS has released a statement warning users about ATO tactics and continues to remind the general public about the problem.

Gaining Access to Private Data

ATO attacks target people in several ways, such as hacking, phishing, vishing, check fraud, credit card fraud, and mortgage refinancing fraud. Once a hacker executes a successful account takeover, he or she is in a position to use sensitive information in a variety of ways. For the most part, they “own” the account until the user or vendor shuts them down. To execute an account takeover, hackers steal usernames and passwords, along with email addresses. They accomplish this through password dumps, phishing, or malware.

Common ATO Targets

Most ATO attacks are financially motivated and target these areas:


Services that store a user’s banking information are targets. An attacker with a compromised account can transfer money from bank accounts or purchase goods online using the stored credit card or debit card information.

Online Currency Fraud

Any online service that holds assets worth real currency is a potential target. Attacks include stealing video game credits, reward program points, discounts, and other online goods. Examples of targets include Groupon, TeamViewer, and the U.K.’s National Lottery.



Spam can be posted on any service that allows user content, direct emails, or forums, disrupting the service. The activity results in monetary loss through damaged brand reputation and trust.


Criminals use a compromised user’s account to launch phishing attacks directed at the user’s family, friends, or social media followers. The objective is to steal more credentials, financial information, or access to sensitive information.

How ATOs Are Conducted on a Large Scale

ATO-based attacks use extremely large bot collectives to crack the passwords that directly protect accounts on websites. These web botnets are programmed to use a variety of attack modes to see which works best. Their mission is to confuse security solutions and make it hard to distinguish legitimate users from malicious ones accessing the website.

Even physical biometrics (fingerprints, retinal scans) can’t guarantee safety from a sophisticated piece of malware. Avanti Markets, for example, found this out recently. The company, which provides “micro-market” kiosks to over 1.6 million customers, was hit by malware that specifically targeted fingerprint verification functionality. By using its snack vending machines, Avanti customers may have inadvertently provided sensitive personal information to perpetrators.

What Makes It Easy for ATOs?

Account takeovers take time to set up; perpetrators look for vulnerabilities by examining websites and social media outlets they can exploit. Here is a list of things that help facilitate ATO:

  • Accounts with valid email addresses
  • Weak passwords, or the same password reused on multiple sites
  • The ability to verify on the dark web whether a current credit card is already compromised or stolen (for example, by checking a public blacklist)
  • Lack of a web application firewall (WAF) that can distinguish good users from bad, as well as classify suspected users and monitor them

How a WAF Mitigates this Risk

A WAF detects and mitigates unauthorized access by leveraging credential and device threat intelligence. Key features of a strong WAF solution include the ability to:

  • Identify and block malicious requests
  • Determine and classify clients as human or bot
  • Identify credentials maliciously injected into login portals, to block credential stuffing
  • Block brute force attacks by monitoring session-level requests in which large sets of credentials are automatically inserted into login pages
  • Enable login protection such as Google authentication, MFA, or 2FA, or by specifying login URLs and requiring authentication via SMS or email
  • Monitor customers for leaked credentials online
  • Profile credential stuffing tools and watch for evolving capabilities
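As an added example (not code from the article or any WAF vendor), the following Python sketch shows the session-level monitoring the credential stuffing and brute force bullets describe: it walks constructed login-attempt records and flags a client that fails against many different usernames in a short window (a leaked credential list being replayed) separately from one that hammers a single username (password guessing). The log format, the thresholds, and the documentation-range IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records "<ISO timestamp> <client IP> <username> <OK|FAIL>";
# the format and the documentation-range IPs are assumptions, not a real WAF log.
SAMPLE_LOG = """\
2024-01-01T10:00:01 198.51.100.7 alice FAIL
2024-01-01T10:00:02 198.51.100.7 bob FAIL
2024-01-01T10:00:03 198.51.100.7 carol OK
2024-01-01T10:00:04 198.51.100.7 dave FAIL
2024-01-01T10:05:00 203.0.113.9 alice FAIL
2024-01-01T10:05:01 203.0.113.9 alice FAIL
2024-01-01T10:05:02 203.0.113.9 alice FAIL
2024-01-01T10:05:03 203.0.113.9 alice FAIL
2024-01-01T10:30:00 192.0.2.20 gina FAIL
2024-01-01T10:30:09 192.0.2.20 gina OK
"""

def parse_log(text):
    """Parse the log into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events
def classify_clients(events, window=timedelta(minutes=1), min_attempts=4,
                     max_success_rate=0.5):
    """Map each client IP to 'benign', 'brute_force' or 'credential_stuffing'.
    A client is flagged when one sliding window holds >= min_attempts attempts of
    which at most max_success_rate succeed; many distinct usernames in the burst
    means a leaked list is being replayed, a single username means guessing."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, attempts in by_ip.items():
        verdicts[ip] = "benign"
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            burst = attempts[start:end + 1]
            if len(burst) < min_attempts:
                continue
            if sum(ok for _, _, ok in burst) / len(burst) > max_success_rate:
                continue  # mostly successful logins: likely a shared NAT address
            distinct = {user for _, user, _ in burst}
            stuffing = len(distinct) > len(burst) / 2
            verdicts[ip] = "credential_stuffing" if stuffing else "brute_force"
            break
    return verdicts
```

A WAF or SIEM rule built on the same idea would feed the verdict into a block, step-up authentication (MFA) or monitoring decision per client rather than printing it.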

ATO attacks target real people and are carried out with real user information. Organizations that process user data can prevent them by using a solution with threat intelligence and advanced mitigation capabilities.