The rate of password theft continues to climb, with millions more victims every year, and the profits from it keep growing, offering ever more attractive returns to cybercriminals. While financial motives lie at the heart of the industry, there is growing research showing that the field also responds to geopolitical stressors. Account takeover prevention remains the most effective defense against such an insidious, widespread problem.
Password Theft Counting the Tens of Millions
Research from Group-IB recently revealed the true extent, and the increasingly political motivations, of the password theft industry. Analyzing Russian-speaking cybercriminal groups, Group-IB counted a total of 50,350,000 stolen account passwords. Between January and July, over 896,000 individual infections stripped account details from tens of millions of unwitting victims.
The methods of password theft revolved largely around info stealers such as Raccoon and Redline. The Raccoon info stealer was first seen in the wild in 2019; it is now highly popular thanks to its low price, with rental starting at $75 per week. Raccoon's capabilities include logging and exfiltrating login credentials, credit card details, browser data and cryptocurrency wallets from almost 60 supported applications. It sweeps the infected machine for this data and writes it into text-file "logs" that are shipped back to the operators, who then sell or use the credentials.
Redline is a somewhat more recent info stealer. It offers similar credential exfiltration to Raccoon, and also collects information about the infected machine, including OS version, running processes, hardware and system language. Like Raccoon, Redline streamlines credential theft: beginners no longer need advanced technical knowledge, because collection and exfiltration are managed end to end by the tool and its control panel. Because of this ease, credential theft has become heavily automated.
With that automation, all an operator has to do is build a stealer payload and drive traffic to it. Group-IB's report gives a closer look at the people conducting these attacks: info-stealer deployment is largely driven by low-level scammers who previously worked as "victim callers" in phishing campaigns. As that sector saw criminals competing for the same resources, account takeover has become the new frontier for profit.
Stolen Passwords and the Rise of Large-Scale Automation
Fueled by the spiraling theft of login credentials via tools such as Raccoon and Redline, there are over 15 billion login credentials for sale on the dark web. Millions of accounts are therefore at direct risk of account takeover: automated login attempts turn stolen credential lists into compromised accounts at scale.
Being on the receiving end of automated account takeover attacks is incredibly resource-demanding. As Security Boulevard writes in a recent report, a large financial services provider had adopted an API-driven architecture to support mobile users and shorten time to market for new products. The shift benefited the business, but it introduced a new security challenge around the mobile login APIs. Attackers used off-the-shelf tools such as OpenBullet, an attack management toolkit that automates account takeover. Complete with its own GitHub repository and user community, OpenBullet lets a bad actor create or import a predefined attack config for the target site, add proxy infrastructure and a credential list, then launch the attack and track its progress. Fed by the wealth of stolen credentials, the attack at its peak accounted for 90% of all traffic across 50 different mobile login endpoints, all of it automated credential stuffing. Once the high-volume attack was identified and blocked, the attackers stayed a step ahead by shifting to a low-and-slow technique that continued for several weeks at volumes designed to stay beneath rate limits.
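The two phases described above, a high-volume burst followed by a low-and-slow campaign, can be modelled against login logs. The following is an added example written for this article, not code from Security Boulevard, OpenBullet or the financial provider; the log line format, the `/api/login` endpoint, the addresses and the thresholds are all assumptions. It shows why a plain per-minute rate limit catches the burst but misses the slow phase, while a fan-out metric (many distinct usernames from one source with almost no successes, measured over a long window) catches both, and it reproduces the "share of traffic that is automated" figure the report cites.

```python
"""Credential-stuffing detection over constructed mobile-login log lines.

Added example: models a high-volume burst that a plain rate limit catches,
and a low-and-slow phase that only a fan-out metric over a long window
catches. Log format, endpoint path and addresses are assumptions.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    endpoint: str
    ok: bool


def parse_line(line: str) -> Attempt:
    """Assumed line format: '<iso-ts> <endpoint> ip=<addr> user=<name> result=ok|fail'."""
    ts, endpoint, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return Attempt(
        ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        ip=fields["ip"],
        user=fields["user"],
        endpoint=endpoint,
        ok=fields["result"] == "ok",
    )


def sample_log() -> list[str]:
    """Constructed traffic, not real data: a few customers, a 3-minute burst
    of 60 leaked usernames from one proxy exit, then a second exit trying one
    leaked username every 15 minutes for ten hours."""
    base = datetime(2023, 5, 1, 10, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):  # legitimate users, one mistyped password in four
        t = base + timedelta(minutes=20 * i)
        res = "fail" if i % 4 == 3 else "ok"
        lines.append(f"{t.isoformat()} /api/login ip=198.51.100.{i} user=cust{i} result={res}")
    for i in range(60):  # high-volume phase: one attempt every 3 seconds
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} /api/login ip=203.0.113.7 user=leak{i} result=fail")
    for i in range(40):  # low-and-slow phase: one attempt every 15 minutes
        t = base + timedelta(minutes=15 * i)
        lines.append(f"{t.isoformat()} /api/login ip=203.0.113.8 user=slow{i} result=fail")
    return lines


def rate_alerts(attempts, window=timedelta(minutes=1), max_per_window=10) -> set[str]:
    """Plain rate limit: flag a source IP that exceeds max_per_window attempts
    in any sliding window. Catches the burst, blind to low-and-slow."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a.ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] >= window:
                lo += 1
            if hi - lo + 1 > max_per_window:
                flagged.add(ip)
                break
    return flagged


def fanout_alerts(attempts, window=timedelta(hours=24), min_attempts=10,
                  min_distinct_users=10, max_success_rate=0.1) -> set[str]:
    """Fan-out metric: a source that cycles through many distinct usernames with
    almost no successes inside a long window is stuffing, however slowly it goes."""
    stats = defaultdict(lambda: {"n": 0, "users": set(), "ok": 0})
    secs = window.total_seconds()
    for a in attempts:
        s = stats[(a.ip, int(a.ts.timestamp() // secs))]  # bucket by window
        s["n"] += 1
        s["users"].add(a.user)
        s["ok"] += int(a.ok)
    return {
        ip for (ip, _), s in stats.items()
        if s["n"] >= min_attempts
        and len(s["users"]) >= min_distinct_users
        and s["ok"] / s["n"] <= max_success_rate
    }


def automated_share(attempts, flagged) -> float:
    """Fraction of all login traffic attributable to flagged sources."""
    return sum(a.ip in flagged for a in attempts) / len(attempts)


if __name__ == "__main__":
    attempts = [parse_line(l) for l in sample_log()]
    print("rate limit flags:", rate_alerts(attempts))
    print("fan-out flags:   ", fanout_alerts(attempts))
    print("automated share: ", round(automated_share(attempts, fanout_alerts(attempts)), 3))
```

With rotating proxies each attempt arrives from a different address, so in practice the same fan-out statistic is also computed per endpoint and per device fingerprint rather than per IP alone; the per-IP grouping here is the simplest form of the idea.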
Defending Customers Against Account Takeover Attacks
The effects of account takeover cut deep into your user base. Starbucks has battled a persistent problem with its customer-facing app. The app lets customers pay for drinks in store or order for collection, and a saved-card feature makes repeat purchases quick. Attackers specifically target the auto-reload feature: when the balance on a Starbucks reloadable card runs low, the app can automatically charge a predetermined amount to the payment card on file. Legitimately, the customer sets the top-up amount and confirms the change via email. Attackers abuse this by logging in with stolen credentials and first changing the email address associated with the account, so that confirmations and alerts go to them instead of the victim. From there they simply raise the auto-reload amount while draining the balance, and the victim's card keeps refilling it. Researchers saw significant upticks in these attacks at weekends and on holidays, a deliberate choice that delays the response because customer support is less available.
A good fraud prevention system protects not just a company's brand but also the customers who entrust it with their personal data. The first step in prevention is detection: you need comprehensive visibility into each user's activity on your app or site, covering as much of the transaction process as possible. Once you understand how legitimate users interact with and purchase from a site, you can begin identifying and weeding out the bad actors.
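The auto-reload abuse described above is a sequence of otherwise ordinary account events, which is exactly what per-user visibility is for. The following is an added example written for this article, not Starbucks code and not from any vendor; the event names, fields, thresholds and holiday calendar are assumptions. It encodes two things a practitioner would want: a detection rule that fires on the sequence (email change, then a raised reload amount, then repeated redemptions inside a short window, weighted by off-hours timing), and a hardening policy that requires step-up verification before a sensitive change from a device the account has never used, so that a stolen password alone cannot redirect the confirmation email.

```python
"""Post-login ATO rules for the auto-reload abuse pattern described above.

Added example, not Starbucks code. Event names, fields, thresholds and the
holiday calendar are assumptions; a real system tunes them against its own
baseline of legitimate behavior.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
HOLIDAYS = {(1, 1), (12, 25)}          # assumed (month, day) calendar
SENSITIVE = {"email_change", "reload_amount_change"}


@dataclass
class Event:
    ts: datetime
    kind: str          # login | email_change | reload_amount_change | redeem
    device: str
    data: dict = field(default_factory=dict)


@dataclass
class Account:
    email: str
    reload_amount: float
    known_devices: set[str]


def off_hours(ts: datetime) -> bool:
    """Weekend or holiday, when support is least available (per the text)."""
    return ts.weekday() >= 5 or (ts.month, ts.day) in HOLIDAYS


def needs_step_up(ev: Event, acct: Account) -> bool:
    """Hardened policy: a sensitive change from a device the account has never
    used must be re-verified out of band (e.g. a code sent to the *current*
    address before it is replaced), so a stolen password alone is not enough."""
    return ev.kind in SENSITIVE and ev.device not in acct.known_devices


def ato_reasons(events: list[Event], window: timedelta = timedelta(hours=6),
                drain_count: int = 3) -> list[str]:
    """Detection over one account's event stream. Fires on the sequence in the
    text: email change, then a raised auto-reload amount, then repeated
    redemptions that keep triggering reloads, all inside `window`."""
    reasons: list[str] = []
    email_at = raised_at = None
    drains = 0
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "email_change":
            email_at = e.ts
            if off_hours(e.ts):
                reasons.append("email_change_off_hours")
        elif e.kind == "reload_amount_change":
            if (e.data["new"] > e.data["old"] and email_at is not None
                    and e.ts - email_at <= window):
                raised_at = e.ts
                reasons.append("reload_amount_raised_after_email_change")
        elif e.kind == "redeem" and raised_at is not None and e.ts - raised_at <= window:
            drains += 1
            if drains == drain_count:
                reasons.append("rapid_drain_after_raise")
    return reasons


# Constructed scenarios, not real accounts. 2023-05-06 is a Saturday, 2023-05-02 a Tuesday.
ACCT = Account(email="victim@example.com", reload_amount=25.0, known_devices={"phone-a"})

ATTACK = [
    Event(datetime(2023, 5, 6, 2, 0, tzinfo=UTC), "login", "phone-x"),
    Event(datetime(2023, 5, 6, 2, 1, tzinfo=UTC), "email_change", "phone-x",
          {"old": "victim@example.com", "new": "attacker@example.net"}),
    Event(datetime(2023, 5, 6, 2, 3, tzinfo=UTC), "reload_amount_change", "phone-x",
          {"old": 25.0, "new": 100.0}),
    Event(datetime(2023, 5, 6, 2, 10, tzinfo=UTC), "redeem", "phone-x", {"amount": 95.0}),
    Event(datetime(2023, 5, 6, 2, 20, tzinfo=UTC), "redeem", "phone-x", {"amount": 95.0}),
    Event(datetime(2023, 5, 6, 2, 30, tzinfo=UTC), "redeem", "phone-x", {"amount": 95.0}),
]

LEGIT = [
    Event(datetime(2023, 5, 2, 9, 0, tzinfo=UTC), "login", "phone-a"),
    Event(datetime(2023, 5, 2, 9, 1, tzinfo=UTC), "reload_amount_change", "phone-a",
          {"old": 25.0, "new": 50.0}),
    Event(datetime(2023, 5, 2, 9, 30, tzinfo=UTC), "redeem", "phone-a", {"amount": 4.5}),
]

if __name__ == "__main__":
    print("attack:", ato_reasons(ATTACK), "step-up:", needs_step_up(ATTACK[1], ACCT))
    print("legit: ", ato_reasons(LEGIT), "step-up:", needs_step_up(LEGIT[1], ACCT))
```

The step-up check is the cheaper of the two controls: applied before the email change goes through, it stops the chain at the first link, whereas the sequence rule only catches the drain once it is under way and is there to limit damage and prioritise the support queue.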
Better still than blocking fraudulent transactions is preventing the initial compromise of the account. Behavioral ATO detection, increasingly driven by machine learning, allows automated discovery of, and alerting on, repeated malicious login attempts, including the so-called fourth-generation credential stuffing scripts that mimic real users to evade simple rate limits. With both fraud prevention and account takeover defenses in place, your customers get a safer and more reliable online experience.