Steal it or buy it: A study of some 2020 trends in Account Takeover (ATO) scams that target e-Commerce and financial institutions
by Michał Barbaś, Intelligence Specialist and Anna Sternicka, Product Manager
We are constantly studying online fraud in all its forms and we have published on Darknet topics in the past. This article is the product of a deeper-than-usual dive specifically into the Account Takeover (ATO) space, especially the current trends in tools and marketplaces for acquiring and selling stolen credentials. We took our findings from the ATO fraudster communities and compared them with our findings from a survey of our eCommerce and finance sector clients’ own experience with ATO.
The TL;DR version of our research is that ATO tools have expanded, diversified, and have gone mobile; the Clearnet has emerged as a popular location for sales and re-sales of stolen credentials; the ATO problem faced by eCommerce and finance companies has only grown; and we have seen a connection between the ATO methods described and sold in fraudster marketplaces and what is actually used against businesses.
Internet accounts are one of the most common “tools” used to interact with various Internet services. We use accounts for shopping, managing our finances, playing games, sending emails, ordering food, watching movies, listening to music, learning new things and many more. Sometimes we don’t think much about this, but accounts are often essential for us. Still, most people don’t really care about account security, use the same password in many services, use weak passwords and so on. But even if people think about it more seriously, for example they use 2 factor authentication, password managers etc., almost none of them would think that their account could be placed for sale by one criminal and bought by another. There are many types of attacks that can be used to steal account credentials and users can’t counter all of them by themselves. There is always a chance that their accounts can be stolen in some way and placed in an underground stolen accounts market. In this article we try to explain what such places look like and what can be bought.
Account takeover fraud: methods and marketplaces
Accounts (Acc) are without question the most popular merchandise sold by cybercriminals. They can be obtained by account-crackers in many ways, but the most popular are the following: dictionary attacks, brute force, traffic interception, man in the middle, keylogger attacks, social engineering attacks (like phishing). Login and passwords combo for accounts can be also found in data breaches and used in credential stuffing attacks. See the Appendix for definitions of methods.
A (account) cracker who obtains huge amounts of accounts usually doesn’t use all of them by himself. Thus, he needs a way to monetise them. In most cases, the quickest way is to sell them in places where cybercriminals gather looking for such merchandise. There are several places like this:
- hacking and carding forums
- darknet markets (dnm)
- automatic vendor shops (avs) — shops with immediate delivery of account,
- Clearnet sales platforms, where crooks can easily create their own shop, and payments are acceptable with credit cards, paypal or cryptocurrency. Sometimes vendors try to behave like they are not doing anything illegal, but in other cases they straight admit accounts were cracked. Such platforms are very popular among crooks from several hacking forums;
- vendors’ own websites — some vendors have reputation good enough and they can run business without broker like dnm or avs;
- social media — the most popular is Telegram where account vendors conduct marketing activities and can be found by clients.
In the first 3 places (forums, dms, avs) there are cases focused on accounts and places where stolen acc is only one of many types of illicit merchandise. There are also darknet markets, where trade in some specific accounts type is forbidden. For example there are marketplaces where bank/finance accounts are banned (maybe because owners don’t want to be involved in money laundering and financial crimes?) and porn acc (hard to say why, but in fact when you write “account” on some dnm’s search you will find mostly porn acc and this is annoying).
Acc availability varies depending where we are looking. On one dnm, the most popular merchandise could be pornography websites accounts while on others, that account type might be marginal or banned. Accounts availability also change daily. On an account shop one day finance accounts might dominate but on the next day a shop owner can add 20 000 freshly cracked acc from an e-shop and thus shopping acc would be the most dominant.
When we look for random accounts on WHM, the first that we get are adult accounts. On many dnms it looks similar. It is irritating and isn’t helping in finding valuable accounts. Probably because of that some dnm banned selling porn accounts.
Because of the variety of places where accounts can be obtained and the large accounts supply, it is hard to count how many of them are in fact on the black market. Additionally, one vendor can sell it in many places, many offers are scams, or accounts data could be out of date. Thus when one tries to count them globally, there is big false-positive risk. Some dnms don’t even give precise information about available accounts in stock.
A short case study: accounts on two different dnms
We will look closely at accounts supply in two darknet markets. First of them is White House Market (WHM) — -one of the biggest English speaking dnm, we can call it a general dnm. That means there are many types of merchandise that are available like drugs, frauds related, hacking related. The second is Infinity Market (IM) — — a market specialised in accounts and other fraud related stuff like counterfeit documents or cookies from botnets.
At the end of July 2020, the most common types of accounts on WHM were:
- adult websites
- video streaming
- bank and finance
- VPN
- education
- music streaming
On Infinity Market, the most common types of accounts were:
- Travel and hotels
- E-commerce
- Banks and finance
- Mobile operators
- Restaurants and food delivery
- Cryptocurrency
Example of what we find when we look for random shopping accounts. On the left hand side (blank part) there are account brand names. Going into the right hand direction there are: bonuses given to accounts (like address, balance, phone number, credit card, paypal etc.), account sector, vendor name with his rank in stars, number of available accounts, number of views, when offer was added to market and available discount in %. On this screen we can find 4 stars vendor Olympos, who offer 4549 accounts from one brand and 857 accounts from another shop.
If we go into some shopping account offer we will see the brand name on the left hand side. In the included category usually there are bonuses like credit card etc. Here there is only information that accounts can be used online. Then we can see from which country the account came from. Additional information could vary, here we can see for what purposes the account is good for, when last order was done and on what amount. Then there is typical info: when a stolen account was uploaded, time for refund from vendor if something doesn’t work and price. On this market account accounts with payment methods often cost more than 10$.
Not all accounts are bought for further frauds. Some, like video or music streaming, are bought on the dark web only because they are cheaper. Here we can see accounts that normally cost 6$ per month. Here it can be bought for 5$ for lifetime, usually that means till the real account owner changes the password or stops paying for the service (but here the vendor claims that he will give another account if old stopped working). This is also an example of a verified Vendor. He has 96,2% positive opinions and a good history in old, now defunct dnms like Dream and Empire.
Stolen e-commerce accounts are very common merchandise on IM. At the end of July there were 255 offers of account sales with 17 306 accounts in stock from 116 e-commerce brands. But certainly Infinity Market is not the place with the biggest number of stolen e-commerce accounts. For example on Atshop, a very popular clearnet sale platform among crackers, there were 110 040 accounts in stock from 37 brands.
The supply of Accounts in various places differ. Different accounts brands are sold, there could be various account vendors, for example on Infinity Market and Atshop there are no common suppliers. On Atshop generally vendors have many more accounts to sell. On IM there is bigger diversity and a bigger number of shopping brands, sometimes vendors have only several or only 1 account from a given brand to sell. On both IM and Athop very common are clothes and retail shop accounts. On IM furniture shops are popular, while on Athop accounts from cosmetics shops are common.
There are also a little different “bonuses” sold with accounts. In both IM and Atshop at least 50% of accounts are sold with linked payment methods. The most common one is a credit card linked to an account. Paypal is definitely more rare. Next difference between Atshop and IM are accounts with reward points appearance. It is more common on Atshop, about 28% of shopping accounts have that payment method linked.
There are discounts if somebody wants to buy many accounts at once. 100 accounts for 35$, 200 accounts for 50$. More discounts for resellers — fraudsters who want to sell these accounts in other places. 1000 accounts for 100$ or 5000 accounts for 250$. This particular vendor has only 653 of these accounts, so wholesaler discount won’t work in this case.
A little less common are accounts with gift cards. Here we can select gift cards based on how many dollars are on the account…Handy for fraudsters that want gift cards at certain amounts for laundering, ATO, etc.
Shopping accounts (but not only them) are usually sold with the personal data of the account owner. Names and emails are usually in account settings, sometimes there are also home addresses and phone numbers. On IM there could also occur another bonus personal data like: cookies, e-mail access, last order, balance, and date of birth. A characteristic for Atshop are “how-to” tutorials attached to sold accounts. Sometimes such information is given after purchase, but very often it is given for free as a product description.
More about e-commerce accounts
Account takeover is problematic for the e-commerce sector.
You may wonder why fraudsters buy existing accounts, instead of just creating new ones. The most obvious reason is to use accounts with a banking card attached to it, so you can spend someone else’s money. But it is not just that: using a validated account to shop provides a degree of protection for the fraudster, because the account “belongs” to a trustworthy user with a solid history. Fraudsters also like to use other people’s loyalty points or miles. There is also the option of changing the shipping address to deliver all of the goods to the fraudster’s address. Fraudsters’ imagination is limitless and every day they come up with new ideas on how to use existing accounts.
Here are other ATO methods (eCommerce):
- Purchasing gift card “leftovers”, usually to launder money.
- Taking advantage of promotion campaigns (for ex. first month for free offers)
- New account abuse (for ex. 10% discount for first order)
Financial institutions face similar but slightly different ATO methods:
- Stealing money from the account (obviously)
- Data harvesting: using a stolen account to take out a loan/buy something in installments
- Social engineering- forcing user to behave in a non-typical way
- High value transfers
The above causes not only financial losses, but also reduces clients’ trust in the brand.
Tutorials for stolen e-commerce accounts packages
What could be a big surprise to members of the anti-fraud community, there are more tutorials for use of mobile devices then desktops. In recent years, more and more fraudsters have turned to mobiles for their action. In account takeover, the occurrence is also recognizable. 43% of tutorials advise committing ATO with mobile apps. 31% instruct to work on browsers (usually not specified if mobile or desktop), 9% can work on both. In the remaining 17% there were no instructions for what type of devices should be used. In our survey, our clients informed us that 40% of their ATO attacks come from mobile devices, which corroborates what we observed in the fraudster markets.
28% of tutorials were for in-store fraud (when a fraudster has to physically go into a shop) and almost all of them were connected to accounts with reward points. 17% of the tutorials recommend using accounts to buy gift cards as it is one of the simplest ways to cash out money from an account with a linked payment method.
Common and interesting way of obfuscating account takeover is spamming. 48% of tutorials advise the scammer to spam the account owner’s email. Spam could be sent before and after ATO, but for the best result the fraudster can do both. Thanks to that, the account owner will see massive amounts of emails from forged shop emails or he will see nothing because of the email spam filter. And thus he also won’t see notifications about real change on account and new order etc. Some tutorials even provide recommendations for the best spamming tools. This is a great example of how various spheres of cybercrimes interact with each other.
Typical steps in tutorial while using account with credit card or paypal: The steps in most of the tutorials are pretty similar. When we are looking at tutorials attached to accounts with credit cards/PayPal, the steps for using stolen account can be summarized as:
The behaviour described in tutorials matches the pattern that our clients have observed in stolen accounts. The most common steps, after taking over account are the following:
- log in
- change email address
- spend some time to search for an item
- choose an item (usually shoes or bags worth around 1000 $)
- change shipping address
- change payment type
Also, what is interesting is that our clients observe trends in popular markets and items. So they see dozens of similar orders (the same shipping country, the same pair of shoes). After a few weeks fraudsters change their target, they find a new market and new item to buy. In 2020 the popular markets have been Italy, Australia and Hong Kong, where fraudsters have been buying Guidi shoes.
But merchants aren’t just standing idly by, waiting for fraudsters to raid their valuable customer accounts. There are a number of methods that can be employed to reduce the occurrence of ATO. Here are some ideas:
- Knowledge Based Questions
- CAPTCHA
- OTP SMS or Phone
- Email verification
- 3DS2
- Multi Factor Authentication
- Voice recognition
Unfortunately, each one of the methods adds a degree of friction to customer experience, which discourages purchases. That is why we recommend engaging a solution that is as close to frictionless as possible and works in the background to ensure security, preferably invisible to customers.
ATO has gone Mobile, it’s more popular than ever, and it’s even more user-friendly with tutorials
Our research has found that thanks to shops in the Darknet and increasingly the Clearnet as well, it is easier than ever to just pay a few dollars and become the new “owner” of a stolen account. ATO packages even come complete with helpful tutorials and mobile-friendly versions. It’s interesting that eCommerce companies and financial institutions’ experience with ATO is pretty close to what the ATO tutorials recommended. It certainly validates our approach to study fraudster methods and tools as an inspiration for building software solutions to address online fraud. Regardless of whether it was stolen or bought, by the end of the day it is the merchant who suffers from ATO and simple solutions (like rule-based or unsupervised ML) are not enough here. To prevent account takeovers we need contextual machine learning, focused on detecting fraudsters paths. Stay tuned in the coming months as we release enhancements to Nethone ATO Module.
Appendix
Dictionary attack: An attack that takes advantage of the fact people tend to use common words and short passwords. The hacker uses a list of common words, the dictionary, and tries them, often with numbers before and/or after the words, against accounts in a company for each username.
Brute force attack: Using a program to generate likely passwords or even random character sets. These attacks start with commonly used, weak passwords like Password123 and move on from there. The programs running these attacks usually try variations on upper and lowercase characters, as well.
Traffic interception: Criminals use software such as packet sniffers to monitor network traffic and capture passwords as they’re passed. Similar to eavesdropping or tapping a phone line, the software monitors and captures critical information. Obviously, if information such as passwords is unencrypted, the task is easier. But even encrypted information may be decryptable, depending on the strength of the encryption method used.
Man-in-the-middle: In this attack, the hacker’s program doesn’t just monitor information being passed but actively inserts itself in the middle of the interaction, usually by impersonating a website or app. This allows the program to capture the user’s credentials and other sensitive information, such as account numbers, social security numbers, etc. Man in the middle (MITM) attacks are often facilitated by social engineering attacks which lure the user to a fake site.
Keylogger attacks: A cyber criminal manages to install software that tracks the user’s keystrokes, enabling the criminal to gather not only the username and password for an account but exactly which website or app the user was logging into with the credentials. This type of attack generally relies on the user first falling prey to another attack that installs the malicious keylogger software on their machine.
Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.
