How Are Consumer Accounts Compromised By Fraudsters?

Password Spraying, Credential Stuffing, and Social Engineering are just some of the techniques bad actors use to hijack good customer accounts.

Claire Zhou
DataVisor
4 min readOct 9, 2019


There are seemingly unlimited ways for a fraudster to compromise an online account, but certain techniques are particularly prevalent. They run the gamut from phishing and brute force attacks to banking trojans and mobile phone hijacking.

Password Spraying

These attacks are a type of “brute force” attack, meaning they require no particular degree of sophistication and are essentially accomplished through trial and error at large scale. In this type of brute force attack, fraudsters, usually relying on scripted bots, relentlessly try common passwords against large numbers of usernames in hopes of landing on a combination that opens an account. Users with weak passwords and generic usernames are particularly vulnerable. Once a fraudster gets access to an account, they will use it as long as they can to commit fraudulent acts and to drain the compromised account of all value.

Credential Stuffing

Credential stuffing attacks are becoming increasingly common. In a credential stuffing attack, fraudsters take massive troves of leaked legitimate user credentials and fire the username and password pairs at other sites in hopes of getting a “hit”: an instance in which a particular combination works. Users who reuse passwords across sites are particularly vulnerable to these attacks.

According to a recent State of the Internet Report from Akamai, there were nearly 30 billion credential stuffing attacks in 2018, with hundreds of millions of attempts taking place every day.

Credential stuffing attacks often rely on readily available tools to automate the process. SNIPR, for example, is a popular entry-level tool that includes predefined configurations for popular websites, as well as proxy support and community forums.
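The two patterns described above leave different shapes in authentication logs: a spray reuses a few passwords across many accounts, while stuffing tries a fresh leaked pair each time, and classic brute force hammers one account with many guesses. The following is an added example, not code from the original post or from DataVisor; the log lines, IP addresses, field layout and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
# Constructed login events: "<source_ip> <username> <pw_fp> <OK|FAIL>". pw_fp stands in for a keyed
# fingerprint (e.g. an HMAC) of the submitted password: guesses are counted, plaintext is never logged.
LOG = (
    # password spraying: one common password tried against many accounts, one hit
    [f"198.51.100.7 acct{i} pw01 FAIL" for i in range(7)] + ["198.51.100.7 acct7 pw01 OK"]
    # credential stuffing: leaked user/password pairs, each tried exactly once, one hit
    + [f"203.0.113.42 user{i} leak{i} FAIL" for i in range(7)] + ["203.0.113.42 user7 leak7 OK"]
    # classic brute force: many different guesses against a single account
    + [f"192.0.2.9 bob guess{i} FAIL" for i in range(6)]
    # a legitimate user who mistypes once and then signs in
    + ["10.0.0.5 alice pw77 FAIL", "10.0.0.5 alice pw78 OK"]
)

MIN_ATTEMPTS = 5           # below this, a single source is not worth scoring
MIN_FAILURE_RATE = 0.8     # guessing attacks fail far more often than real users do
SPRAY_MAX_PASSWORDS = 2    # a spray reuses a handful of passwords across many accounts
DISTINCT_PAIR_RATIO = 0.9  # stuffing: nearly every attempt is a fresh (user, password) pair

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    passwords: set = field(default_factory=set)

def summarize(lines):
    # Aggregate login events per source IP.
    stats = defaultdict(SourceStats)
    for line in lines:
        ip, user, pw_fp, result = line.split()
        s = stats[ip]
        s.attempts += 1
        s.failures += result == "FAIL"
        s.users.add(user)
        s.passwords.add(pw_fp)
    return stats

def classify(s):
    """Label one source from the shape of its attempts, using the thresholds above."""
    if s.attempts < MIN_ATTEMPTS or s.failures / s.attempts < MIN_FAILURE_RATE:
        return "normal"
    if len(s.passwords) <= SPRAY_MAX_PASSWORDS and len(s.users) >= MIN_ATTEMPTS:
        return "password_spraying"    # few passwords, many accounts
    if min(len(s.users), len(s.passwords)) >= DISTINCT_PAIR_RATIO * s.attempts:
        return "credential_stuffing"  # every attempt is a new leaked pair
    return "brute_force"              # many passwords against few accounts

def detect(lines):
    return {ip: classify(s) for ip, s in summarize(lines).items()}
```

In production the same counts would be kept per source over a sliding time window, and a spray that rotates source IPs would additionally need per-account and global failure-rate views.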

Social Engineering

As prevention techniques adapt to ongoing fraud, it follows that new attack types will emerge while others become obsolete. Certain things, however, never seem to change. Phishing, for example, remains as omnipresent as ever. According to the latest Verizon Data Breach Investigations Report (DBIR), 32% of data breaches involved phishing as part of the attack. As noted previously, mobile is particularly vulnerable to fraud, and this holds especially true with regard to phishing attacks. As reported by DarkReading, small screens and limited security measures are likely causes of heavy phishing activity on mobile channels, and nearly 60% of all mobile fraud attacks are mobile phishing.

Malicious Software

Keyloggers, trojans, spyware, and various other types of malicious software are used by fraudsters to intercept or harvest sensitive information. Banking trojans are particularly dangerous, as they’re used to steal financial credentials and drain bank accounts. Many banking trojans work by overlaying a “fake” login page on top of a legitimate bank website. When a bank customer logs in, believing the page to be authentic, the credentials are intercepted and stolen. This user information is sent back to the fraudster behind the trojan, who then uses the credentials in criminal attacks. All of this takes place without the user realizing what’s transpired; by the time the evidence is obvious, the crimes have already been committed and the money already stolen. Banking trojans spread primarily through spam or phishing emails. A recent study from Proofpoint showed that banking trojans are found in 56% of all malicious emails, with the Emotet malware making up 76% of all banking trojans.

Phone Hijacking

The widespread adoption of SMS messages for second-factor authentication has not stopped fraudsters from taking over accounts.

In a SIM swapping attack (also called SIM hijacking or SIM swap fraud), a fraudster impersonates the actual account owner to persuade a mobile carrier to move the phone number to a SIM card under the fraudster’s control. This type of account takeover gives the fraudster access to all online accounts tied to the phone number as well as incoming SMS messages, allowing them to easily bypass the second-factor verification measures often used to protect sensitive accounts.

Other methods exist for intercepting text messages, including setting up rogue public Wi-Fi hotspots or fake cell towers. A more elaborate scheme exploits vulnerabilities in the SS7 routing protocol, which mobile networks use to route calls and texts. A weakness in the protocol allows anyone with access to a gateway on the SS7 network to intercept calls and texts or to track specific devices, even from a remote location.

Preventing Downstream Damage from ATO

Preventing the damage associated with account takeover requires a shift in strategy from reactivity to proactivity. This means focusing fraud strategies on an earlier point along the timeline of a fraud attack. Instead of addressing fraud at the transaction level, businesses should be stopping attacks at the account level, before any downstream damage can occur.

While many industries are negatively impacted by account takeover, the financial services sector is uniquely vulnerable, given the comparatively high profit potential for fraudsters who succeed in gaining access to accounts. DataVisor Co-Founder and CEO Yinglian Xie wrote about account-level detection recently in an Executive Insight for the PYMNTS Digital Fraud Tracker:

“With the power of AI and unsupervised machine learning fraud solutions, financial institutions can transform their fraud strategies from reactive to proactive. By taking a holistic approach to data analysis and deploying advanced unsupervised ML algorithms that deliver high accuracy without relying on historical labels or lengthy training cycles, organizations can expose malicious actions and accounts at the transaction level before damage occurs.

It’s important to understand that, while account takeover itself is a concern, it’s what happens next that’s more troubling. Fraudsters don’t take over accounts for the pleasure of having them — they take them over to drain them of value, and use them in future attacks. This is why it’s critical we block their actions at the earliest possible opportunity.”

~

Many of these findings first appeared in DataVisor’s Q2 2019 Fraud Index Report.
