Account Takeover (ATO) is an increasingly common form of online fraud in which an attacker steals personal information from a user’s account, such as credit card details and billing addresses.
This type of fraud is most often carried out against eCommerce accounts. It endangers both the targeted individual and the eCommerce company itself, and can leave people and businesses alike with giant debts.
The worst part is how difficult an ATO is to notice. Attackers usually avoid the kind of unusual account activity that would alert the user that the account has been compromised, and will often change settings, especially notification and alert settings, so that they remain hidden until the damage has been done.
Account Takeover Methods
To better understand how to detect such activity, it is important to first understand the 3 main methods used in an ATO. They are:
- Phishing: tricking users into willingly handing over their personal information by means of fake pages, emails, and messages.
- Malign Bots: one of the more brute-force ATO methods, in which the cybercriminal sends a high volume of automated (bot) requests within a short period of time to breach the website’s security and collect private information.
- Credential Stuffing: the criminal takes databases of leaked or compromised user credentials and tries them on many websites, looking for any site where the leaked credentials still work.
Now that we know what an ATO is and how it is executed, let’s look at the different ways to detect an attack on your personal account or business.
How To Detect & Prevent An Account Takeover
1. Unusual Mass Changes Of Account Details
When attacking an account through credential stuffing, an attacker will often change one or two small fields in the user’s account. The reason is simple: if the leaked credentials worked for this attacker, they will also work for any other criminal who tries credential stuffing against the same account.
By changing a small detail of the account, they can lock other attackers out of it, and in some cases make it harder for the legitimate user to regain control.
As such, if multiple user accounts change the same piece of information in the same way, such as dozens of accounts all switching to the same phone number, it may mean that an ATO attack has been carried out on those accounts.
Multiple accounts changing their details can also be triggered by a security measure, such as a security alert sent to one of the victims. When that happens, the perpetrator may react by changing the information on every account under their control.
2. Irregular IP Access
An important step in account takeover detection is tracking irregular spikes in login attempts from an unusual IP address or country. Such a spike indicates that a criminal is attempting to log into one or more accounts, since the attacker usually does not know which country the legitimate user’s IP address belongs to.
It could also mean that multiple attackers are trying to break into the account(s), each from a different IP address.
3. Device Spoofing
Spoofing happens when a cybercriminal disguises their connection so that it appears to come from an unknown device. This is done to make it difficult to tell whether multiple accesses come from a single individual (the attacker) or from legitimate users.
Those disguised devices show up as “unknown”, so an unusually high number of unknown devices may mean you are under an account takeover attack.
4. Many Accounts Connected To A Single Device
Cybercriminals do not always hide their devices, however. When they don’t, a number of different accounts all linked to the same device can indicate that an ATO is in progress.
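The two signals from sections 1 and 4, mass changes to the same account detail and many accounts logging in from one device, can be checked mechanically over account-activity logs. The following Python is an added example, not code from the original article: it runs over a constructed event list and assumes a flat event format (timestamp, event type, account id, value) and a threshold of 3 accounts, both chosen for illustration; a real deployment would tune the threshold and window to its own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example (not real data). Each entry is
# (ISO timestamp, event type, account id, value): the new phone number for a
# "phone_change", the device identifier for a "login".
EVENTS = [
    ("2024-03-01T10:00:00", "phone_change", "acct-01", "+15550100"),
    ("2024-03-01T10:04:00", "phone_change", "acct-02", "+15550100"),
    ("2024-03-01T10:09:00", "phone_change", "acct-03", "+15550100"),
    ("2024-03-01T15:30:00", "phone_change", "acct-04", "+15550100"),  # outside 1h window
    ("2024-03-01T11:00:00", "phone_change", "acct-05", "+15550177"),  # isolated change
    ("2024-03-01T12:00:00", "login", "acct-01", "dev-aaa"),
    ("2024-03-01T12:01:00", "login", "acct-02", "dev-aaa"),
    ("2024-03-01T12:02:00", "login", "acct-03", "dev-aaa"),
    ("2024-03-01T12:03:00", "login", "acct-01", "dev-aaa"),  # repeat login, same account
    ("2024-03-01T13:00:00", "login", "acct-05", "dev-bbb"),
]

def mass_profile_changes(events, min_accounts=3, window=timedelta(hours=1)):
    """Section 1 signal: values (e.g. a phone number) that at least
    min_accounts distinct accounts switched to within `window`."""
    by_value = defaultdict(list)
    for ts, kind, acct, value in events:
        if kind == "phone_change":
            by_value[value].append((datetime.fromisoformat(ts), acct))
    flagged = {}
    for value, changes in by_value.items():
        changes.sort()  # sliding window over the change times
        for i, (start, _) in enumerate(changes):
            accts = {a for t, a in changes[i:] if t - start <= window}
            if len(accts) >= min_accounts:
                flagged[value] = sorted(accts)
                break
    return flagged

def shared_device_accounts(events, min_accounts=3):
    """Section 4 signal: devices used to log into at least min_accounts
    distinct accounts. Returns {device id: sorted account ids}."""
    by_device = defaultdict(set)
    for _, kind, acct, value in events:
        if kind == "login":
            by_device[value].add(acct)
    return {d: sorted(a) for d, a in by_device.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    print(mass_profile_changes(EVENTS))  # {'+15550100': ['acct-01', 'acct-02', 'acct-03']}
    print(shared_device_accounts(EVENTS))  # {'dev-aaa': ['acct-01', 'acct-02', 'acct-03']}
```

Both checks ignore the isolated phone change and the single-account device, which is the point: one user changing a number is normal, three accounts adopting the same number within an hour is not.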
5. Use Security Alerts
Security alerts make it much easier to help users defend themselves. By promptly alerting them to any unusual activity on their account, you allow a user to act quickly: change their account information and block their credit card or account.
6. Look Out For Fake Websites
By using services such as Google Alerts, you can quickly find out how your personal name or company name is being used online. This is a great way to prevent phishing scams: find dummy or fake sites that mimic yours and take the appropriate countermeasures.