Preventing ATO with Zero Trust at the Network Edge
ATO Attack Timeline Phase 1 - Sleeper Cells
The first phase of a sophisticated account takeover (ATO) attempt is the creation of accounts that appear to be totally legitimate user accounts. These fake accounts are usually created by bots, but can also be created by humans if the attack target has 2FA or another strong authentication method.
To avoid detection, the account creation is spread out over days or weeks, depending on the volume of the site and the number of fake accounts required. These accounts are like sleeper cells: they avoid fraud detection, simply lie low under the radar, and do nothing until activated. If these accounts are human created, they are very difficult, if not impossible, to track.
There are some warning signs at account creation. Depending on the site, you may spot a spike in registrations. The fake emails often contain numbers, as it's easier to automate a sequence. Also, these dormant accounts typically have no activity whatsoever. Otherwise, it's very hard to spot. The accounts will then just sit there, doing nothing until Phase 2.
VerifiedVisitors specifically monitors login paths very carefully. If the account creation is using bots, this activity can be picked up and stopped right at the network edge. This forces the potential attacker to create accounts manually: certainly possible, but a tedious process. It's likely that an easier target will be chosen, rather than continuing manually.
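The three Phase 1 warning signs above (a registration spike, sequentially numbered e-mail addresses, and accounts with no activity after sign-up) can be screened for offline from a registration log. The script below is an added example, not VerifiedVisitors code: the log rows, the threshold values (2x the median day, a run of at least 3 consecutive numbers, one day of silence) and the e-mail pattern are all constructed assumptions to tune against your own site's baseline.

```python
"""Screen a registration log for the Phase 1 'sleeper account' signals.
Added example, not VerifiedVisitors code; rows and thresholds are constructed."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: (account_id, email, created_at, last_activity_at).
# last_activity_at is None when the account has done nothing since sign-up.
REGISTRATIONS = [
    ("a1", "alice.m@example.com",  "2024-03-01T09:12:00", "2024-03-02T10:00:00"),
    ("a2", "bob_k@example.com",    "2024-03-01T14:40:00", "2024-03-01T15:05:00"),
    ("a3", "user1042@example.net", "2024-03-03T02:11:00", None),
    ("a4", "user1043@example.net", "2024-03-03T02:11:30", None),
    ("a5", "user1044@example.net", "2024-03-03T02:12:00", None),
    ("a6", "user1045@example.net", "2024-03-03T02:12:40", None),
    ("a7", "carol@example.org",    "2024-03-03T11:30:00", "2024-03-03T11:45:00"),
    ("a8", "dave.r@example.com",   "2024-03-04T08:05:00", None),
]

# Local part that ends in a run of digits: prefix + number, then the domain.
EMAIL_RE = re.compile(r"^(?P<prefix>[^@\d]*)(?P<num>\d+)@(?P<domain>[^@]+)$")


def parse_ts(s):
    return datetime.fromisoformat(s)


def daily_counts(rows):
    """Registrations per calendar day."""
    return Counter(parse_ts(created).date() for _, _, created, _ in rows)


def registration_spikes(rows, factor=2.0, min_count=3):
    """Days whose sign-up count exceeds `factor` x the median day (hypothetical thresholds)."""
    counts = daily_counts(rows)
    baseline = statistics.median(counts.values())
    return sorted(day.isoformat() for day, n in counts.items()
                  if n >= min_count and n > factor * baseline)


def numbered_email_runs(rows, min_run=3):
    """Groups of e-mails sharing prefix and domain whose numbers form a consecutive run."""
    groups = defaultdict(dict)  # (prefix, domain) -> {number: account_id}
    for acct, email, _, _ in rows:
        m = EMAIL_RE.match(email)
        if m:
            groups[(m["prefix"], m["domain"])][int(m["num"])] = acct
    runs = []
    for (prefix, domain), by_num in groups.items():
        nums = sorted(by_num)
        start = 0
        for i in range(1, len(nums) + 1):
            # A run ends where the sequence breaks or the list ends.
            if i == len(nums) or nums[i] != nums[i - 1] + 1:
                if i - start >= min_run:
                    runs.append({"prefix": prefix, "domain": domain,
                                 "first": nums[start], "last": nums[i - 1],
                                 "accounts": [by_num[n] for n in nums[start:i]]})
                start = i
    return runs


def dormant_accounts(rows, now_iso, min_age_days=1):
    """Accounts older than `min_age_days` with no activity at all since creation."""
    cutoff = parse_ts(now_iso) - timedelta(days=min_age_days)
    return [acct for acct, _, created, last in rows
            if last is None and parse_ts(created) <= cutoff]


def sleeper_candidates(rows, now_iso):
    """Accounts showing all three signals at once: dormant, in a numbered run,
    and registered on a spike day. Each signal alone has benign explanations."""
    spike_days = set(registration_spikes(rows))
    in_run = {a for run in numbered_email_runs(rows) for a in run["accounts"]}
    dormant = set(dormant_accounts(rows, now_iso))
    return sorted(a for a, _, created, _ in rows
                  if a in dormant and a in in_run
                  and parse_ts(created).date().isoformat() in spike_days)


if __name__ == "__main__":
    for acct in sleeper_candidates(REGISTRATIONS, "2024-03-05T00:00:00"):
        print("review:", acct)
```

Requiring all three signals to coincide is deliberate: a marketing campaign causes spikes, some real users pick numbered addresses, and many real accounts go quiet, but the overlap of the three on the same day is what matches the pattern the text describes.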
ATO Attack Timeline Phase 2 - Warming Up
Phase 2 is the warm-up phase, when the sleeper accounts are exercised for the first time. Automated login with the real credentials confirms that each account is valid and can be accessed programmatically. Warming up also helps test the defences against attack. Once automated, the accounts all log in within the same restricted time window. As they are mingling with legitimate accounts and taking no further action, this usually goes under the radar of detection.
This is the point at which even manually created accounts can be detected: VerifiedVisitors will pick up the automated access to these accounts. So far no damage has been done. All looks normal. No accounts or transactions appear to have been threatened and no users have reported a breach. VerifiedVisitors would block these accounts and the attack would fail. If you don't have a robust defence in place, the bots will proceed to the actual activation phase. Why is programmatic access to some random accounts important? What's really going on?
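The warm-up signature described above is a cluster of successful logins packed into a narrow window from accounts that then do nothing in the session, mixed in with ordinary traffic. The script below is an added example, not VerifiedVisitors code: the login rows, the 60-second window, the minimum of three idle accounts and the `KNOWN_ACTIVE` set of accounts with prior history are constructed assumptions.

```python
"""Detect a warm-up burst: many accounts logging in within seconds of each other
and then taking no action. Added example, not VerifiedVisitors code; rows and
thresholds are constructed."""
from datetime import datetime

# Constructed sample: (timestamp, account_id, login_succeeded, actions_in_session).
# actions_in_session counts what the account did after logging in (0 = nothing).
LOGINS = [
    ("2024-03-10T03:00:02", "a3", True, 0),
    ("2024-03-10T03:00:05", "a4", True, 0),
    ("2024-03-10T03:00:09", "a5", True, 0),
    ("2024-03-10T03:00:14", "a6", True, 0),
    ("2024-03-10T03:00:20", "a1", True, 7),   # real user who happens to log in now
    ("2024-03-10T08:15:00", "a2", True, 3),
    ("2024-03-10T08:16:10", "a7", True, 5),
    ("2024-03-10T08:16:30", "a9", False, 0),  # ordinary failed login
]

# Constructed: accounts with a history of normal activity before this day.
KNOWN_ACTIVE = {"a1", "a2", "a7"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def login_bursts(logins, window_seconds=60, min_idle=3):
    """Slice the stream into event-anchored windows and report each window that
    holds at least `min_idle` distinct accounts which logged in and did nothing."""
    rows = sorted(logins, key=lambda r: r[0])  # ISO timestamps sort lexically
    bursts, i = [], 0
    while i < len(rows):
        start = parse_ts(rows[i][0])
        j = i
        while j < len(rows) and (parse_ts(rows[j][0]) - start).total_seconds() <= window_seconds:
            j += 1
        chunk = rows[i:j]
        idle = sorted({acct for _, acct, ok, actions in chunk if ok and actions == 0})
        if len(idle) >= min_idle:
            bursts.append({
                "start": rows[i][0],
                "end": rows[j - 1][0],
                "idle_accounts": idle,
                # Legitimate users caught in the same window; reported, not accused.
                "active_accounts": sorted({acct for _, acct, ok, actions in chunk
                                           if ok and actions > 0}),
            })
        i = j
    return bursts


def warmup_suspects(logins, known_active, **kwargs):
    """Idle accounts inside a burst that also have no prior activity history."""
    suspects = set()
    for burst in login_bursts(logins, **kwargs):
        suspects.update(a for a in burst["idle_accounts"] if a not in known_active)
    return sorted(suspects)


if __name__ == "__main__":
    for burst in login_bursts(LOGINS):
        print(burst["start"], "->", burst["end"], "idle:", burst["idle_accounts"])
    print("warm-up suspects:", warmup_suspects(LOGINS, KNOWN_ACTIVE))
```

The burst alone is only a hint (a newsletter or a game launch also makes real users log in together); combining it with the no-action and no-history conditions is what separates the warm-up from ordinary traffic, and those are the accounts to step up to a challenge or hold for review.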
ATO Attack Timeline Phase 3 - Attack Disguise
Phase 3 is when the fake accounts are activated. There are two main reasons for activation. The first is to disguise the real attack that occurs at the same time: the fake accounts act as a diversion. For example, in a brute force attack you can see obvious signs of a very high failure rate for logins. Blend the attack with your legitimate users and it's much harder to detect. Blending logins with brute force decreases the login failure rate, but will still show higher login failures, which may be detectable. The same sleeper cells will log in at exactly the same time the attack happens. The attacker may have used a phishing attack to obtain a list of actual login credentials, and will use the fake accounts to disguise this attack. The phishing attack may have been detected for some users; blending this attack makes it much harder to stop.
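The blending effect above is worth measuring rather than assuming: successful logins from the fake accounts pull the failure rate down, but they do nothing to the absolute number of failures or to the number of distinct usernames that failed. The monitor below is an added example, not VerifiedVisitors code; the attempt stream is synthetic (generated in `synthetic_attempts`), and the 5-minute windows and the 5x-rate / 3x-count thresholds are hypothetical.

```python
"""Per-window login failure metrics that survive blending. Added example, not
VerifiedVisitors code; the stream is synthetic and the thresholds hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta


def synthetic_attempts():
    """Constructed stream of (timestamp, username, success).
    10:00 window: normal traffic, one failure in twenty (typos, expired sessions).
    10:05 window: the same normal traffic, plus 150 failures spread over distinct
    usernames, plus 400 successful logins from fake accounts acting as cover."""
    base = datetime(2024, 3, 12, 10, 0)
    rows = []
    for i in range(100):
        rows.append((base + timedelta(seconds=3 * i), f"user{i}", i % 20 != 0))
    w1 = base + timedelta(minutes=5)
    for i in range(100):
        rows.append((w1 + timedelta(seconds=3 * i), f"user{i}", i % 20 != 0))
    for i in range(150):  # failures against many different usernames
        rows.append((w1 + timedelta(seconds=2 * i), f"other{i}", False))
    for i in range(400):  # fake accounts logging in on cue, all succeeding
        rows.append((w1 + timedelta(milliseconds=700 * i), f"fake{i}", True))
    return rows


def window_metrics(rows, window_minutes=5):
    """Bucket attempts into fixed windows; compute rate, count and distinct-user figures."""
    buckets = defaultdict(lambda: {"attempts": 0, "failures": 0, "failed_users": set()})
    for ts, user, ok in rows:
        key = ts.replace(minute=(ts.minute // window_minutes) * window_minutes,
                         second=0, microsecond=0)
        b = buckets[key]
        b["attempts"] += 1
        if not ok:
            b["failures"] += 1
            b["failed_users"].add(user)
    return [{"window": k.isoformat(),
             "attempts": b["attempts"],
             "failures": b["failures"],
             "failure_rate": b["failures"] / b["attempts"],
             "distinct_failed_users": len(b["failed_users"])}
            for k, b in sorted(buckets.items())]


def flag_windows(metrics, baseline, rate_factor=5.0, count_factor=3.0):
    """Flag a window on any of three signals measured against a baseline window.
    A rate-only rule can be fooled by blending; the two count rules cannot."""
    flagged = []
    for m in metrics:
        reasons = []
        if m["failure_rate"] > rate_factor * baseline["failure_rate"]:
            reasons.append("failure_rate")
        if m["failures"] > count_factor * baseline["failures"]:
            reasons.append("failure_count")
        if m["distinct_failed_users"] > count_factor * baseline["distinct_failed_users"]:
            reasons.append("distinct_failed_users")
        if reasons:
            flagged.append((m["window"], reasons))
    return flagged


if __name__ == "__main__":
    metrics = window_metrics(synthetic_attempts())
    for m in metrics:
        print(m)
    print(flag_windows(metrics, baseline=metrics[0]))
```

On this synthetic stream the 10:05 window has 155 failures out of 650 attempts, a rate of about 24% that stays under a 5x-baseline rate threshold (25%); without the 400 cover logins the same failures would be 155 of 250, or 62%. The failure count and the distinct-failed-user count still flag the window, which is why a login monitor should alert on those as well as on the rate.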
ATO Attack Timeline Phase 4 - Full on Attack
Sleeper cells can now be activated on demand for a full-on attack. Why? Great examples are ticket bots, which are programmed to purchase items with a high resale value; sneaker bots; and live sports betting bots, which rely on the gap between the live event and the TV coverage, typically a few seconds later, to place a bet.
Once the accounts are created, warmed up, and are hiding in the thousands of legitimate accounts, these bots are very hard to stop. After all, they have also transacted and paid in full for the services.
Maintaining Zero Tolerance at the edge of the network prevents the bots from launching these attacks in the first place.