Industry

Why More is Better for Attackers Perpetrating Account Takeover Attacks

Blog #4 in a 4 Blog Series on Attack Tactics that Increase Success Rates… And What You Can Do to Thwart Them

The common belief that ‘more is better’ has been found to be true for attackers trying to infiltrate your organization. The more they know about your users, the more successful they will be at targeting them to get into your site or service. That’s why attackers are spending the time, up front, to learn as much as they can about your users – when they can work with certainties they can improve the success rates of their attack takeover attacks from .1% to as much as 20% to 30%!

This is the final tactic in our four-part blog series on account takeover attack methods and mitigation capabilities.

Tactic #4: Appear Legitimate

Anything an attacker can do to work with certainties and minimize guesses dramatically improves their chance at success. They want to make sure the credentials they are using are legitimate, so they can login and do whatever they want without raising suspicion.

To see if the credentials they have are legitimate they will try to validate them. Typically validation comes in the form of credential stuffing or spraying, depending on the information an attacker is working with.

Difference between credential stuffing and spraying

Often, attackers will automate login requests against their list of credentials to identify which username/email and password combinations actually work. This is referred to as credential stuffing.

Sometimes attackers may need to fill in some data to generate a working credential. For example, if they only have a list of emails, they will start guessing passwords to try to identify a user/password combination that works. This is referred to as password spraying.

As you can imagine, stuffing and spraying consume a lot of resources and often end up raising alarms, so to reduce the amount of attempts attackers need to validate their credentials, attackers are turning to other measures. As a result, attackers are starting to exploit UX features on sites, such as password resets and registration forms, to try to get more information about a user’s credentials without raising any suspicion. These UX features are intended to make life easier for legitimate users, but they have the unintended consequence of making it easier for attackers to appear legitimate.  

Password Resets

Many sites reveal whether an email is in their database or not when a user requests a password reset. You may have seen the message, “Sorry, email not found” when trying to reset a password you’ve forgotten. Attackers are using this capability to their advantage, putting in an email and submitting a request to reset the password to see if that email exists. This greatly reduces the number of emails they need to keep in their list and try.

Registration Forms

Many sites reveal whether a user is already in their database when they register. You may have seen the message, “Sorry, there is already an account associated with this email” when you have tried to register for a site. Attackers are using these registration forms to see whether a user exists in the database of the site or service. This helps them quickly identify usernames that are irrelevant, so they can cull down the number of users they need to keep.

Real-World Example

Watch a quick 1-minute video that shows how an attacker using a site’s password reset functionality in waves to validate site users. Ultimately, the attacker identified 93,729 users, with 3,856,102 password reset attempts, which originated from 5,269 IPs, from 1,997 Internet Service Providers, in 120 countries. Because the attacker was able to reduce their working list of credentials from the site password reset functionality, their subsequent ATO attacks would have been exponentially more successful. Luckily, the customer had deployed Castle to protect them from any subsequent ATO attempts.

The Answer?

The key to protecting your site or service from attackers using your UX features against you is to:

Ensure you aren’t giving away too much information: For example, if your site or service offers a “Sorry, email not found” response to a password reset request, we recommend you change it to provide a nondescript message that offers attackers nothing. Something like, “If the email address exists in our database, you will be receiving an email to reset the password.”

Make sure users are really legitimate: Use completely automated public turing test to tell computers and humans apart (CAPTCHA) software to protect your registration forms and signup sheets. These challenge – response tests help cut down on some of the noise (and lazy attackers), but they are not foolproof, as many tools exists that are designed to break them.

Use solutions that can protect you from account takeover attacks: Look for solutions that:

  • Ensure you aren’t giving away too much information: For example, if your site or service offers a “Sorry, email not found” response to a password reset request, we recommend you change it to provide a nondescript message that offers attackers nothing. Something like, “If the email address exists in our database, you will be receiving an email to reset the password.”
  • Make sure users are really legitimate: Use completely automated public turing tests to tell computers and humans apart, such as (CAPTCHA) software, to protect your registration forms and signup sheets. These challenge – response tests help cut down on some of the noise (and lazy attackers), but they are not foolproof, as many tools are specifically designed to break them.
  • Use solutions that can protect you from account takeover attacks: Look for solutions that:
    • Detect anomalies and attacks in real time to stop the nuanced activity of illegitimate users
    • Understand user and device behavior throughout the attack cycle
    • Offer risk-based authentication to quickly uncover and remediate unauthorized access and events
    • Provide both pre- and post-login account protection to reduce the total attack impact

For more information about Castle's customer identity and access management capabilities or to start a free trial, please go to https://castle.io/.

In Case You Missed the Other Posts in This Evolution of Attack Series, Here They Are: