Over the past several years, fraudsters have increasingly targeted merchants by using stolen login credentials to take over customer accounts. Account takeover (ATO) has become all too common for e-commerce businesses, but a new report says criminals have found a way to supercharge this already thorny problem: botnets.
Account takeover attacks grew by 31 percent from 2017 to 2018, according to antifraud technology provider Forter. Considering the number of stolen login credentials circulating and how easily they can be obtained, this is unsurprising. Just today, security researcher Troy Hunt unveiled one cache (called “Collection #1”) uploaded to the cloud service MEGA containing nearly 773 million unique email addresses and more than 21 million unique passwords aggregated from multiple breaches. Dumps like these are common and are the fuel enabling ATO to explode.
Only a select group of fraudsters, however, are engaging in this type of fraud. By aggregating and analyzing the data of its clients, Forter found that 80 percent of the ATO attacks on a typical website are launched by only 10 percent of the fraudsters attacking each site. Using bots, a relatively small number of bad actors are able to automate the process of trying stolen login credentials to gain access to accounts at scale.
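As an added example, not from the article or Forter's report, of what that automation looks like to a defender: one source address working through many different usernames in a short window with mostly failed logins is the fingerprint of a bot replaying a breached credential list, whereas a legitimate user who mistypes a password fails on a single username. The log format, thresholds and sample lines are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-01-17T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-01-17T10:00:02Z 203.0.113.7 carol@example.com FAIL
2019-01-17T10:00:03Z 203.0.113.7 dave@example.com OK
2019-01-17T10:00:04Z 203.0.113.7 erin@example.com FAIL
2019-01-17T10:00:05Z 203.0.113.7 frank@example.com FAIL
2019-01-17T10:00:20Z 198.51.100.2 alice@example.com FAIL
2019-01-17T10:00:45Z 198.51.100.2 alice@example.com OK
2019-01-17T10:05:00Z 203.0.113.7 grace@example.com FAIL
"""

def parse_log(log_text):
    """Yield (timestamp, ip, username, succeeded) for each non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"

def flag_stuffing_sources(log_text, window=timedelta(minutes=1),
                          min_distinct_users=5, max_success_ratio=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for each source IP that, in
    some sliding window, tried >= min_distinct_users usernames with a success ratio
    <= max_success_ratio: one person fails on one username, a bot fails across many."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(log_text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        recent = deque()  # events inside the current window, oldest first
        for event in events:
            recent.append(event)
            while recent[0][0] < event[0] - window:
                recent.popleft()
            users = {u for _, u, _ in recent}
            successes = sum(1 for _, _, ok in recent if ok)
            if (len(users) >= min_distinct_users
                    and successes / len(recent) <= max_success_ratio):
                flagged[ip] = (len(users), len(recent), successes)
    return flagged

def accounts_to_review(log_text, flagged):
    """Usernames a flagged source logged into successfully: candidates for a
    forced password reset and a look at recent address or email changes."""
    return {user for _, ip, user, ok in parse_log(log_text) if ok and ip in flagged}
```

The successful login from the flagged address is the one account worth reviewing; the second address is a single user retrying their own password and is left alone.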
“The level of sophistication ATO fraudsters are willing to reach in order to exploit the benefits of hacked accounts makes these fraudsters especially likely to consider scaling their operations,” the report’s authors wrote. “They can automate everything from logging in, to changing the shipping or email address in an account, to purchasing goods or exploiting a loyalty program. Some highly sophisticated models even build in repeat visits to the account before purchase, acclimatizing the system to their presence.”