Castle Unveils Four Account Takeover Tactics Cyberattackers are Using to Successfully Exploit Users

San Francisco, CA – December 12, 2019 – Castle, the user-centric account security company, today announced the availability of the “Evolution of Attacks on Online Users” eBook. The eBook presents research illustrating four new tactics cyberattackers are using to successfully take over accounts and exploit users. Castle continuously researches attacks to improve the threat modeling behind its attack detection and prevention.

Stolen credentials have been linked to some of the largest and most costly data breaches to date, including Equifax and Yahoo, which affected almost half of the US population. Despite the success of these attacks, attackers continue to look for ways to improve their success rate by tricking security tools and avoiding detection.

Traditional success rates of account takeover attacks have been approximately 0.1%, but over the past year Castle has discovered new trends in attack patterns with success rates as high as 20-30% in finding valid credentials. The company’s research team was analyzing malicious login attempts against 100 million+ worldwide user accounts when it discovered this massive increase for some of its customers. Through its investigations and data analysis, the company identified four new trends in account takeover. Following are the tactics we found attackers are using to improve their success rates as they target user accounts.

Appear Larger – Use More Users, More IPs: The eBook details a real-life example where an attacker used 60,000 IPs in 210 countries to complete 700,000 login attempts in over 10 hours. Although the site saw upticks in failed logins over the course of the attack, three failed login attempts per hour, per IP, didn’t raise much suspicion in isolation. Ultimately, the attacker obtained more than 700 validated credentials, which they could use to perpetrate an attack.

Appear Local – Use Local IPs: As attackers attempt to emulate as many users as possible to blend in, they also want those users to appear to be coming from countries and locations that won’t raise any suspicion. The eBook illustrates an attack where the attacker used 1000 IPs from multiple data centers across the U.S. to complete 650K login attempts over a 10-hour period without raising any suspicion.

Appear Better – Use Fake Accounts to Improve Reputation: Attackers understand the importance of trust – if an attacker can gain trust, they have a better chance of success. In order to establish trust, attackers are registering fake, ‘canary,’ accounts to build up the reputation of the IPs they plan to use in their attack. The eBook provides an example where an attacker used 6000 fake accounts to perform 30K logins each during the course of an attack, meaning that each account was logging in every three seconds to keep up its reputation.

Appear Legitimate – Use Registration and Password Resets: To reduce the number of attempts needed to validate their credentials, attackers are exploiting UX features on sites that are meant to make life easier for users, including password resets and registration forms. By using password resets and registration forms, attackers can quickly identify legitimate email addresses, which greatly reduces the number of credentials they need to keep and try when validating them.
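The “Appear Larger” and “Appear Local” tactics both work because a per-IP failure threshold never fires when each IP fails only a few times per hour. The following added example (written for this page; it is not Castle’s code and does not reflect how Castle’s product works) constructs a synthetic login log with one ordinary hour followed by an hour in which 1,000 IPs each make three attempts, then runs two detectors over it: a naive per-IP rule and a site-wide rule that compares failure volume and the number of distinct failing IPs against a known-clean baseline hour. The event format, the IP ranges, the 1-in-23 background failure rate and the 3x-baseline multiplier are all assumptions made for the example.

```python
"""Why per-IP thresholds miss distributed credential stuffing.

Constructed example: login events are (timestamp, ip, username, succeeded) tuples.
Assumed detectors: a per-IP rule (>= 10 failures per hour) and a site-wide rule
that flags an hour when both the failure count and the number of distinct failing
IPs exceed a multiple of a known-clean baseline hour.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASE = datetime(2019, 12, 1, 0, 0, 0)   # constructed start of the log
HOUR = timedelta(hours=1)


def normal_hour(start):
    """Constructed ordinary traffic: 2000 logins from 200 IPs, about 1 in 23 fails."""
    events = []
    for i in range(2000):
        ts = start + timedelta(seconds=i * 1.8)          # spread evenly over the hour
        ip = f"198.51.100.{i % 200}"                      # documentation range, constructed
        events.append((ts, ip, f"user{i % 1500}", i % 23 != 0))
    return events


def distributed_attack(start, ips=1000, attempts_per_ip=3):
    """Constructed 'appear larger' attack: each IP fails only a few times; ~1 in 1000 guesses lands."""
    events = []
    n = ips * attempts_per_ip
    for j in range(n):
        k = j // attempts_per_ip                          # which attacking IP this attempt uses
        ip = f"10.{k // 256}.{k % 256}.7"                 # constructed, 1000 distinct addresses
        ts = start + timedelta(seconds=j * 3600 / n)
        events.append((ts, ip, f"victim{j}", j % 1000 == 0))
    return events


def build_sample_events():
    """Hour 0 is clean; hour 1 carries normal traffic plus the distributed attack."""
    return normal_hour(BASE) + normal_hour(BASE + HOUR) + distributed_attack(BASE + HOUR)


def hour_of(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def naive_per_ip_alerts(events, threshold=10):
    """Per-IP rule: alert on any (hour, ip) with at least `threshold` failures."""
    fails = Counter((hour_of(ts), ip) for ts, ip, _, ok in events if not ok)
    return sorted(key for key, n in fails.items() if n >= threshold)


def hourly_summary(events):
    """Site-wide view per hour: totals, failures, distinct failing IPs, failure rate."""
    totals, fails, failing_ips = Counter(), Counter(), defaultdict(set)
    for ts, ip, _, ok in events:
        h = hour_of(ts)
        totals[h] += 1
        if not ok:
            fails[h] += 1
            failing_ips[h].add(ip)
    return {
        h: {
            "total": totals[h],
            "failures": fails[h],
            "failing_ips": len(failing_ips[h]),
            "failure_rate": fails[h] / totals[h],
        }
        for h in totals
    }


def distributed_attack_alerts(summary, baseline, multiplier=3.0):
    """Flag hours whose failure volume AND failing-IP population both exceed multiplier x baseline.

    Requiring both conditions keeps a single noisy client (many failures, one IP)
    from tripping the rule meant for the spread-out pattern described above.
    """
    return sorted(
        h for h, s in summary.items()
        if s["failures"] > multiplier * baseline["failures"]
        and s["failing_ips"] > multiplier * baseline["failing_ips"]
    )


if __name__ == "__main__":
    events = build_sample_events()
    summary = hourly_summary(events)
    print("per-IP alerts:", naive_per_ip_alerts(events))            # nothing fires
    for h, s in sorted(summary.items()):
        print(h, s)
    print("site-wide alerts:", distributed_attack_alerts(summary, summary[BASE]))
```

Run as a script, the per-IP rule reports nothing for either hour, because no address fails more than three times, while the site-wide rule flags the attack hour: failures jump from 87 to over 3,000 and the number of distinct failing IPs from 87 to over 1,000. In production the baseline would be learned from a rolling window rather than a single hour, and the same aggregation is worth repeating per target account and per ASN, which is how the “Appear Local” variant (many IPs inside one hosting provider) becomes visible.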
“As attackers become more sophisticated, it’s our responsibility to conduct the research needed to stay ahead of them,” said Johan Brissmyr, co-founder and CEO of Castle. “Detecting new attack trends early on is critical in maintaining both security and user experience, which could impact a company’s bottom line. Fortunately, we discovered these attacks early and kept our customers and their users’ accounts protected.”

The “Evolution of Attacks on Online Users” eBook also provides tips for companies to improve their defenses, including implementing IP rules and blacklisting, as well as a list of helpful resources and tools. For more information, please see the full eBook here.

About Castle

Castle helps businesses keep their customers’ online accounts safe from human-powered account takeovers, automated credential stuffing, risky user transactions and other attacks impersonating users. Castle’s user-centric approach to account security allows organizations to fully automate threat response and account recovery in real-time with risk-based authentication, granular access policies, and custom workflows for end-to-end account recovery. Unlike traditional solutions, Castle gives users the ability to actively participate in their own account security to keep safe. Castle has also removed complexity for security teams with an easy-to-use, fully automated and developer-friendly solution that enables strong security and keeps user satisfaction at the forefront. Castle is headquartered in San Francisco, CA with offices in Malmo, Sweden and Krakow, Poland.
