Using Attacker Tools to Gain the Upper Hand on ATOs

Using Attacker Tools to Gain the Upper Hand on ATO

Account takeover (ATO), is a form of online identity theft where bad actors gain access to a person’s financial, eCommerce, or other accounts and use those accounts to execute fraudulent transactions. ATO continues to be in the forefront of retail CISO interests and concerns. Depending on the sophistication of the attack, ATO attacks can result in direct and indirect costs that can exceed many thousands of dollars in damage before they are detected.

Cybercrime and fraud activities associated with retail transactions continue to grow. In 2019 alone, over $4 million in total ATO losses were documented. According to the 2020 Lexis Nexis True Cost of Retail Fraud, every $1.00 in retail fraud carries an actual cost-burden of $3.34. The same report indicates that prevention efforts are only successful 52% of the time, an increase in 9% year-over-year. While a 9% improvement in prevention per year is generally a positive trend, statistics show that attacker’s success rate is 48% with an increase in success rate of 28% year-over-year.

Why do the bad actors leverage ATO attacks? Because they work! Where there are lucrative targets (like accounts associated with retail transactions), there will be opportunists. We are also seeing, as additional evidence of opportunism, the commercialization of the attack tools, the infrastructure, and the stolen user credentials necessary to execute an ATO. Bad actors can search the web and find advanced ATO tools that are already set up with pre-loaded takeover configurations targeting high-value sites. These tools allow bad actors to perform end-to-end management of the attack; importing or creating the attack configuration, modifying it as needed to evade detection, adding the proxy infrastructure to anonymize their identity, loading the stolen credentials, and ultimately executing the attack and tracking their success.

How can these bad actors execute an ATO attack without being traced and found? The use proxies. Proxies are tools that enable the anonymization of identity and location; making it very hard for authorities or security teams to trace the locations of incoming attacks. The proxy makes the IP address look like a legitimate user that would not be identified or blocked as a threat. Previously, these kinds of tools were only found in the nether regions of the dark web. Now, however, they’re readily available as web testing tools.

These tools, also known as Bulletproof Proxies, are made up of millions of high-quality residential IP addresses; enabling bad actors to anonymize their location and identity. Bad actors needing credentials can easily find vendors of such tools with a quick search for locations where they are advertised.

As the above demonstrates, the effort required to execute automated attacks has been dramatically reduced by the commercialization of tools; allowing more bad actors to launch more sophisticated account takeovers with higher frequency. It is easier for someone who isn’t an expert hacker to attack like one. Attackers with the motivation and research skills to find the tools can wreak havoc on generally competent cyber defenses.

Protecting yourself against these kinds of attacks is difficult, but by no means impossible. Think like an attacker and, in some cases, use their weapons against them. Cequence Security, a new RH-ISAC Associate Member, recently gave a joint presentation for RH-ISAC membership on doing just that. In an interactive session for the RH-ISAC’s Organized Retail Crime Working Group, RH-ISAC Members delved into how security teams can use the same resources as their attackers (tools, forums, software repos, etc.) to their preventative advantage. The discussion also included tips and techniques to help RH-ISAC members uncover the existence of an attack config and a demonstration on OpenBullet with pointers on how to use it to your mitigation advantage.

This session was recorded, so if you are a member of RH-ISAC and would like to access the session, contact [email protected]. Our Associate Member Cequence will also be speaking on this particular topic at the RH-ISAC Cyber Intelligence Summit.  Register today so you can learn more about how to protect your organization from this growing threat!

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.