by peter


What you need to know

Attack: Account Takeover


Risk Rating: CRITICAL
Likelihood: 4/5
Impact: 5.5

Common Causes

  • Password reuse
  • Failing to monitor third party breaches


Account takeover is considered one of the more harmful and nefarious ways to access a user’s account. The attacker typically poses as a genuine customer, user or employee, eventually gaining entry to the accounts of the individual they’re impersonating. Worse still, user credentials can be sourced from the deep web and matched against e-commerce sites by bots and other automated tools, giving the attacker quick and easy entry.

FitBit fell victim to this type of attack in 2015. The attackers used a two-pronged approach: with exposed log-in details for customers’ FitBit accounts, they changed the email address each account was registered with, then called customer support with a complaint about the device so that they could obtain a replacement under the warranty.

What you need to know

Rather than stealing the card or credentials outright, the account takeover attack is far more surreptitious, allowing the attacker to get as much use out of the stolen card as possible before being flagged for suspicious activity. Banks, major marketplaces and financial services like PayPal are common targets, and any website that requires a login is susceptible to this type of attack.

The best defense against account takeovers is education and security monitoring. Educating your user base not to reuse credentials across multiple sites helps enormously, and monitoring third-party breaches lets you act on exposed credentials before an attacker does.

How the attack happens

Some of the most common methods include proxy-based “checker” one-click apps, brute force botnet attacks, phishing and malware. Account takeover attacks are also associated with Credential Stuffing attacks and Brute Force attacks against accounts. Other methods include dumpster diving to find personal information in discarded mail, and outright buying lists of “Fullz,” a slang term for full packages of identifying information sold on the black market. Once the profile of the victim is purchased or built, an identity thief can use the information to defeat a knowledge-based authentication system.
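Credential stuffing and brute force, the two automated methods named above, leave distinct traces in authentication logs: stuffing is one source trying many accounts once or twice each, brute force is one account hammered many times. The following added example (not code from the original article) runs both detections over a few constructed log lines, and additionally flags a successful login from a source already caught spraying, which is the moment a takeover actually lands and the point at which a defender would want to step up authentication or invalidate the session. The log format, the IP addresses (RFC 5737 documentation ranges) and the usernames are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical auth-log format used for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample lines: one spraying source, one brute-forcing source,
# and one ordinary login.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:06Z ip=203.0.113.7 user=frank result=OK
2024-05-01T10:01:00Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:10Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:20Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:30Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:40Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:50Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:05:00Z ip=192.0.2.44 user=grace result=OK
"""


def parse(text):
    """Yield parsed events; malformed lines are skipped so one bad line
    cannot take the detector down."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield event


def detect(text, window=timedelta(minutes=5), spray_users=5, brute_fails=5):
    """Return a sorted list of (kind, key) alerts.

    credential_stuffing: one IP fails against >= spray_users distinct accounts
                         inside `window` (many accounts, few tries each).
    brute_force:         one account accumulates >= brute_fails failures inside
                         `window`, from any number of sources.
    suspicious_success:  a successful login from an IP already flagged for
                         stuffing; the likely takeover itself.
    """
    events = sorted(parse(text), key=lambda e: e["ts"])
    fails_by_ip = defaultdict(list)    # ip   -> [(ts, user)] failed attempts
    fails_by_user = defaultdict(list)  # user -> [ts] failed attempts
    flagged_ips = set()                # sources caught spraying (not unflagged)
    alerts = set()
    for e in events:
        ts, ip, user = e["ts"], e["ip"], e["user"]
        # Keep only the history inside the window so counts are per-window,
        # not lifetime; a single stale failure should not trigger an alert.
        fails_by_ip[ip] = [x for x in fails_by_ip[ip] if ts - x[0] <= window]
        fails_by_user[user] = [t for t in fails_by_user[user] if ts - t <= window]
        if e["result"] == "OK":
            if ip in flagged_ips:
                alerts.add(("suspicious_success", f"{ip}->{user}"))
            continue
        fails_by_ip[ip].append((ts, user))
        fails_by_user[user].append(ts)
        distinct_users = {u for _, u in fails_by_ip[ip]}
        if len(distinct_users) >= spray_users:
            flagged_ips.add(ip)
            alerts.add(("credential_stuffing", ip))
        if len(fails_by_user[user]) >= brute_fails:
            alerts.add(("brute_force", user))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, key in detect(SAMPLE_LOG):
        print(f"{kind:20s} {key}")
```

The thresholds are deliberately low so the sample triggers; in practice they are tuned against a baseline of normal failure rates, and the `suspicious_success` signal is the one worth wiring to an automatic response (forced MFA, session revocation, user notification) because it fires exactly when a stuffed credential has worked.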

Where the attack comes from

An enormous volume of our transactions takes place online. For cybercriminals, acquiring account credentials and personal information (such as social security numbers, home addresses, phone numbers, credit card numbers and other financial information) is a lucrative business, whether they sell the acquired information or use it for their own gain. As such, these attacks can originate anywhere in the world, making account takeover attacks very easy to accomplish.