Account checkers have been around for a long time; however, they have been relatively rare because fraudsters focused on exploiting compromised credit cards. Credit card checkers, which test whether a compromised card is still valid in much the same way that account checkers test credentials, outnumbered account checkers. The few account checkers that were available focused on very large online service providers.
There has been a shift in focus among fraudsters to account takeover over the last few years. Advanced security methods deployed by financial institutions have created huge barriers for committing fraud, driving less sophisticated criminals to other attack vectors. If in the past a fraudster committed e-commerce fraud by using a compromised credit card and the "guest checkout" option, today many use account takeover of existing customer accounts to reduce the risk of being flagged for fraud. In addition, the sheer volume of password breaches has created a huge market for credentials that can potentially be reused across multiple sites.
Even accounts that might not traditionally be seen as valuable to a fraudster are now being used as infrastructure for further defrauding individuals and organizations. For example, compromised dating site accounts are used for romance scams, while compromised accounts at registrars and hosting companies are used to set up phishing websites.
Credential stuffing tools such as Sentry MBA and SNIPR, and the associated fraud-as-a-service offerings, have emerged as a result. However, their use is restricted by the limited availability of pre-built configurations, which exist mostly for large websites.
New Account Checker Gains Steam
To overcome these limitations, fraudsters had to innovate. RSA recently identified an online studio for developing account checkers capable of attacking nearly any website. In addition to facilitating the development of new checkers, the site also created a new source of income for fraudsters as the revenue generated from each checker is split between the site owner and the developer. This has introduced new opportunities for fraudsters to attack organizations not traditionally targeted by account takeover.
The studio provides a user interface for designing a new checker, enabling the user to define the different steps for checking an account. Each step consists of POST and GET page requests that are sent by the browser while communicating with the website. The user can also set up specific headers that are sent with each step in case the website the credentials are being checked against requires them for login. In addition, the studio allows its users to request custom checkers to be developed, and even grants them credits if their requests are fulfilled.
Once developed, the checker is ready to be used; it returns TRUE for a valid account and FALSE for an invalid one. The new studio even has an analytics dashboard that enables fraudsters to track the performance of their checkers. For example, they can see how many users were exposed to their checker, how many checks were actually performed, and how much money they have earned from those account checks. The site currently offers over 500 checkers in its pool of websites, and RSA expects this number to grow further as the site gains popularity.
Overcoming Account Takeover Fraud
It can be difficult to spot automated attacks because legacy tools are not designed or architected to look for them. Account checkers are based on scripts that follow a specific set of page requests, and they generate patterns that may be identified when analyzing activity logs. These patterns can help block subsequent login attempts conducted by the same checker. In addition, since many checkers use proxy servers, these patterns should not be based solely on IP addresses, but rather on specific headers or unique characteristics that may occur during the login process.
The adoption of technologies that leverage behavior analytics can ensure authenticated users and anonymous guests are interacting with applications in expected ways. Behavior analytics can identify unusual patterns of behavior across both web and mobile applications – for example, the way a user navigates a site or robotic activity such as thousands of login attempts within only a few minutes.
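One way to look for the log patterns described in the two paragraphs above, as an added example that is not from the original post: login attempts are grouped by a header-based client fingerprint rather than by source IP, and a simple velocity check then flags a signature that produces a burst of attempts from many proxies in a short window. The log format, field names, thresholds and sample lines are all constructed assumptions, not RSA's tooling.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): time|client_ip|method|path|status|user_agent|accept_language|header_order
# First five lines: a checker script rotating proxies, so the IP changes but the header signature does not.
# Last two lines: an ordinary user whose browser sends a different signature.
SAMPLE_LOG = """\
2019-05-01T10:00:01|203.0.113.10|POST|/login|401|Mozilla/5.0 (Windows NT 6.1; rv:40.0) Firefox/40.0|en-US|Host,User-Agent,Accept,Content-Type
2019-05-01T10:00:03|203.0.113.11|POST|/login|401|Mozilla/5.0 (Windows NT 6.1; rv:40.0) Firefox/40.0|en-US|Host,User-Agent,Accept,Content-Type
2019-05-01T10:00:05|198.51.100.20|POST|/login|401|Mozilla/5.0 (Windows NT 6.1; rv:40.0) Firefox/40.0|en-US|Host,User-Agent,Accept,Content-Type
2019-05-01T10:00:07|198.51.100.21|POST|/login|200|Mozilla/5.0 (Windows NT 6.1; rv:40.0) Firefox/40.0|en-US|Host,User-Agent,Accept,Content-Type
2019-05-01T10:00:09|192.0.2.30|POST|/login|401|Mozilla/5.0 (Windows NT 6.1; rv:40.0) Firefox/40.0|en-US|Host,User-Agent,Accept,Content-Type
2019-05-01T10:00:30|203.0.113.99|GET|/login|200|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) Safari/605.1.15|en-GB,en;q=0.9|Host,Accept,User-Agent,Accept-Language,Referer
2019-05-01T10:00:48|203.0.113.99|POST|/login|200|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) Safari/605.1.15|en-GB,en;q=0.9|Host,Accept,User-Agent,Accept-Language,Referer
"""

def parse_log(text):
    """Parse the pipe-delimited sample format into dicts with a datetime timestamp."""
    entries = []
    for line in text.strip().splitlines():
        ts, ip, method, path, status, ua, lang, order = line.split("|")
        entries.append({"ts": datetime.fromisoformat(ts), "ip": ip, "method": method, "path": path,
                        "status": int(status), "ua": ua, "lang": lang, "order": order})
    return entries

def fingerprint(e):
    # Client signature that deliberately excludes the IP: user agent, Accept-Language and header order
    return (e["ua"], e["lang"], e["order"])

def find_checker_signatures(entries, window_s=120, min_attempts=5, min_ips=3):
    # Group POST /login attempts by header fingerprint, then flag signatures whose burst of attempts
    # and spread across source IPs looks scripted rather than human.
    groups = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == "/login":
            groups[fingerprint(e)].append(e)
    flagged = {}
    for fp, hits in groups.items():
        hits.sort(key=lambda h: h["ts"])
        best, start = 0, 0  # sliding window: most attempts inside any window_s-second span
        for end in range(len(hits)):
            while (hits[end]["ts"] - hits[start]["ts"]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        ips = {h["ip"] for h in hits}
        if best >= min_attempts and len(ips) >= min_ips:
            flagged[fp] = {"attempts": len(hits), "distinct_ips": len(ips), "max_in_window": best,
                           "failures": sum(h["status"] != 200 for h in hits)}
    return flagged
```

Against real traffic, parse_log would be replaced by the site's own log format and the thresholds tuned to its normal login rate; the point is that the grouping key never includes the IP, so proxy rotation does not split the pattern.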
The old username/password combination is simply no longer sufficient as a form of consumer authentication. The use of multi-factor, adaptive authentication and transaction risk analysis to watch for signs of fraud based on device, user behavior and other indicators is another critical layer to prevent the onslaught of account takeover in the event of a successful login attempt.
Did you know: 60% of fraud transaction value originates from a trusted account on a new device, indicating that account takeover continues to be a preferred and successful attack vector for cybercriminals? Get more global fraud facts in the latest RSA Quarterly Fraud Report, Q1 2019.