The Evolution of Identity-Based Fraud: Why ATO Attacks are at the Top of the List

Written by Gunnar Peterson, CISO at Forter

Digital identity is the new currency, and adversaries are chasing wealth. Research shows that 61% of data breaches are the result of compromised credentials. Using legitimate credentials is a common fraudster tactic: it allows them to avoid detection as they gather intelligence and stolen data that will allow them to undertake further fraudulent transactions.

Access control is fundamental to the defence of systems, but it has its limits. Attackers are continuously trying to circumvent these systems to access accounts, with login and payment flows frequently targeted. This is why many organisations have invested in anti-fraud technologies to detect and mitigate such attacks.

However, fraudsters’ tactics can work equally well when they target identity systems, such as provisioning, device, enrolment and password reset systems. These systems establish the basis for access control, and they are quickly becoming a fraudster favourite.

Fraudster tools and tactics are rapidly evolving

Previously, fraudsters would take advantage of user credentials available on the dark web, compromised in data leaks or breaches, without any guarantees that the accounts held any value. Bad actors also lacked the crucial intelligence that would have enabled them to observe the behaviour of legitimate account holders, so as to avoid detection upon illegally accessing these accounts.

However, we’re now witnessing ransomware groups such as LockBit, Avaddon, DarkSide, Conti, and BlackByte utilising initial access brokers (IABs) to purchase access to data from vulnerable organisations on dark web forums. IABs have recently grown in popularity, as sourcing identities becomes easy and affordable. This demonstrates how business-savvy dark web fraudsters are becoming.


Identity-related attacks are on the rise

Recent attacks and extortion attempts, such as those targeting Okta and Microsoft, illustrate how damaging account takeover (ATO) attacks can be. ATO is now the top choice for many fraudsters, with recent research revealing that attacks soared by 148% from 2020 to 2021.

The Lapsus$ ransomware group conducted all of its ATO activity using stolen credentials, and such groups continue to purchase compromised data, preferably with source code access.

While all online accounts are vulnerable to ATO fraud, threat actors naturally go after ‘crown jewel’ targets, such as bank accounts and retail loyalty accounts, which have both monetary value and stored payment information. To do this, fraudsters typically use automated tools such as botnets to enact continuous attacks, such as credential stuffing and brute-force attacks, against high-value targets, as shown by Lapsus$.

Other fraudster tactics include phishing, call centre scams, man-in-the-middle (MITM) attacks, and an approach known as ‘click farms’, whereby fellow threat actors are employed to manually enter login credentials, enabling attacks to go undetected by tools tracking automated logins. These methods enable fraudsters to operate at scale, vastly increasing their chances of obtaining compromised personally identifiable information (PII) that can be used to illegally access user accounts.


Access control layers are no longer enough

Historically, access control implements authentication and authorisation services to verify identity. Authentication identifies users, with authorisation determining what they should be allowed to do.

Whilst these were previously considered to be a good first line of defence against identity-based fraud, they can now be easily bypassed. Fraudsters are continuously looking to infiltrate organisations’ systems at the intersection of security and usability. However, this doesn’t mean that defence tools should reciprocate; looking solely at making systems extremely secure, or very easy to use, will compromise the other attribute.

Identity-based defence systems are now required

Organisations therefore require a second security layer. A robust, automated detection and mitigation solution should be deployed to block increasingly sophisticated and dynamic attack methods.

One option is to look at identity-based tools that can collect billions of consumer personas and behaviour patterns. This enables security teams to identify unusual user account behaviour in real time, including automated bot activity. Adopting tools that employ machine-learning algorithms that can ‘learn’ user behaviour will enable organisations to recognise fraudster tactics across the entire identity life cycle, including provisioning and account maintenance, and will help to protect data before it’s compromised and sold to the highest bidder.

Ultimately, to succeed against dynamic cybercriminals, organisations must think like their primary adversaries, and adopt systems that can prevent their customers’ identities from falling into the wrong hands.
