The evolution of identity-based fraud: Why ATO attacks are at the top of the list

Digital identity is the new currency, and adversaries are chasing wealth. Research shows that 61 percent of data breaches are the result of compromised credentials. This is a common fraudster tactic, whereby using legitimate credentials allows them to avoid detection as they gather intelligence and stolen data that will allow them to undertake further fraudulent transactions.

Fundamental to the defense of systems is access control, but it has its limits. Attackers are continuously trying to circumnavigate these systems to access accounts, with login and payment flows frequently targeted. This is why many organizations have invested in anti-fraud technologies to detect and mitigate against such attacks.

However, fraudsters' tactics can work equally as well when they target identity systems, such as provisioning, device, enrollment and password reset systems. Establishing the basis for access control, these systems are quickly becoming a fraudster favorite.

Fraudster tools and tactics are rapidly evolving

Previously, fraudsters would take advantage of user credentials available on the dark web, compromised in data leaks or breaches, without any guarantees that the accounts held any value. Bad actors also lacked crucial intelligence that enabled them to observe the behavior of legitimate account holders, as to avoid detection upon illegally accessing these accounts.

However, we’re now witnessing ransomware groups such as LockBit, Avaddon, DarkSide, Conti, and BlackByte utilizing initial access brokers (IABs) to purchase access to data from vulnerable organizations on dark web forums. IABs have recently grown in popularity, as sourcing identities becomes easy and affordable. This demonstrates how business savvy dark web fraudsters are becoming.

Identity-related attacks are on the rise

Recent attacks and extortion attempts, such as those targeting Okta and Microsoft, illustrate how damaging account takeover (ATO) attacks can be. ATO is now the top choice for many fraudsters, with recent research revealing that attacks soared by 148 percent from 2020 to 2021.

The Lapsus$ ransomware group conducted all of its ATO activity using stolen credentials, with these groups continuing to purchase compromised data, preferably with source code access.

While all online accounts are vulnerable to ATO fraud, threat actors naturally go after 'crown jewel' targets, such as bank accounts and retail loyalty accounts, which have both monetary value and stored payment information. To do this, fraudsters typically use automated tools such as botnets to enact continuous attacks, such as credential stuffing and brute-force attacks, against high value targets, as shown by Lapsus$.

Other fraudster tactics include phishing, call center scams, man-in-the-middle (MITM) attacks, and an approach known as 'click farms', whereby fellow threat actors are employed to manually enter login credentials, enabling attacks to go undetected by tools tracking automated logins. These methods enable fraudsters to operate at scale, vastly increasing their chances of obtaining compromised personally identifiable information (PII) that can be used to illegally access user accounts.

Access control layers are no longer enough
Historically, access control implements authentication and authorization services to verify identity. Authentication identifies users, with authorization determining what they should be allowed to do.

Whilst these were previously considered to be a good first line of defense against identity-based fraud, they can now be easily bypassed. Fraudsters are continuously looking to infiltrate organizations’ systems at the intersection of security and usability. However, this doesn’t mean that defense tools should reciprocate; looking solely at making systems extremely secure, or very easy to use, will compromise the other attribute.

Identity-based defense systems are now required

Organizations therefore require a second security layer. A robust, automated detection and mitigation solution should be deployed to block increasingly sophisticated and dynamic attack methods.

One option is to look at identity-based tools that can collect billions of consumer personas and behavior patterns. This enables security teams to identify unusual user account behavior in real-time, including automated bot activity. Adopting tools that employ machine-learning algorithms that can 'learn' user behavior, will enable organizations to recognize fraudster tactics across the entire identity life cycle, including provisioning and account maintenance, will help to protect data before its compromised and sold to the highest bidder.

Ultimately, to succeed against dynamic cybercriminals, organizations must think like their primary adversaries, and adopt systems that can prevent their customers’ identities from falling into the wrong hands.

Image Credit: Minerva Studio / Shutterstock

Gunnar Peterson is CISO at Forter.