2022-03-08

The battle for ecommerce customers is fierce, and once you’ve won them, the last thing you want is to hand them the worry – and the aftermath – of a compromised account. As online purchases continue to increase, more cybercriminals follow the money, stepping up their efforts to compromise and monetize customer accounts with stolen user credentials. According to market research firm Aite-Novarica, “fraudsters are now poised to expand their efforts to target consumer and commercial customers directly through account takeovers.”

Understanding the account takeover kill chain helps ecommerce target protection efforts

The term “kill chain” is a military concept that outlines how to identify, prepare to attack, engage, and destroy a target. It was adapted to a cybersecurity setting by Lockheed Martin in 2011 and has since evolved with the industry. The Account Takeover (ATO) kill chain, specifically, describes the stages of an account takeover cyberattack from the attacker’s point of view, the goal of which is to take over and control a retail customer’s account.

Credential gathering is the first step in the Account Takeover kill chain. Attackers breach or skim sites, phish website users, or purchase combo-lists on the Dark Web: lists of usernames and passwords, mostly exposed during a data breach. Attackers aim to validate stolen credentials quickly, before the security breach is made public—that is, before users reset their passwords and before organizations take security measures to limit the damage from the exfiltrated data.

With combo-lists in hand, attackers move into the second stage of the ATO kill chain, weaponization. During this phase and the next (delivery), attackers rely heavily on automation via botnets to carry out the thousands of login attempts (hence the term credential stuffing) it will take to validate those credentials. To do this, they load their acquired combo-list into a botnet. So that their target can’t easily identify the botnet activity, they route the traffic through proxy networks or bot nodes that make their thousands of bots look like real users. Many illicit proxy services even advertise on Twitter, noting that they specialize in access through proxies with residential IP addresses, which avoids looking suspicious and triggering alerts.

Next comes the delivery phase of the kill chain, where a credential-stuffing attack is launched. Thousands (sometimes hundreds of thousands) of bots disguised as legitimate users attempt to validate as many of the username and password combos as possible.

The attack might be an onslaught, with logins from a few devices testing thousands of credentials per second. Or the attack can be “low and slow,” using more devices and fewer requests per second in hopes of avoiding detection. Many of the credentials will not work (some people DO change their passwords), but attackers only need a small percentage of their list to be validated for the attack to pay off financially. The process continues until the attacker has tested every credential in the combo-list.
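As an added example (not code from the original article or from any vendor it describes), the following Python detector shows how a defender would tell the two attack shapes just described apart in a login log: the “onslaught,” where one source hammers the login endpoint with many failing combos, and the “low and slow” spray, where each of many proxied sources makes only one or two attempts but the window-wide failure rate and the spread of distinct usernames give the campaign away. The login events, IP ranges (documentation ranges only) and thresholds are all constructed for illustration.

```python
"""Credential-stuffing detection over a constructed stream of login events.

Added example: the signals and thresholds below are illustrative
assumptions, not a production baseline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: float          # seconds since epoch (constructed values below)
    src_ip: str
    username: str
    success: bool


def detect_stuffing(events, window=60, burst_per_ip=50, spray_users=20,
                    distributed_fail_rate=0.50):
    """Return one alert dict per window that shows a stuffing signal.

    burst:       one source IP makes >= burst_per_ip attempts in the window
                 and more than 80% of them fail (the "onslaught" shape).
    distributed: no single IP is noisy, but the window-wide failure rate
                 is far above normal and the attempts spray across many
                 distinct usernames and many sources (the "low and slow"
                 shape behind a residential proxy network).
    """
    buckets = defaultdict(list)
    for e in events:
        buckets[int(e.ts // window)].append(e)

    alerts = []
    for bucket in sorted(buckets):
        evs = buckets[bucket]
        per_ip = defaultdict(list)
        for e in evs:
            per_ip[e.src_ip].append(e)

        burst_ips = [ip for ip, lst in per_ip.items()
                     if len(lst) >= burst_per_ip
                     and sum(not e.success for e in lst) / len(lst) > 0.8]
        for ip in burst_ips:
            alerts.append({"window": bucket, "kind": "burst", "src_ip": ip,
                           "attempts": len(per_ip[ip])})

        fail_rate = sum(not e.success for e in evs) / len(evs)
        users = {e.username for e in evs}
        if (not burst_ips and fail_rate >= distributed_fail_rate
                and len(users) >= spray_users
                and len(per_ip) >= spray_users // 2):
            alerts.append({"window": bucket, "kind": "distributed",
                           "sources": len(per_ip), "usernames": len(users),
                           "fail_rate": round(fail_rate, 2)})
    return alerts


def build_sample_events():
    """Constructed traffic: a normal minute, then a burst, then low-and-slow."""
    evs = []
    # ordinary shoppers from 30 home IPs, 10% typo their password; the same
    # people log in again in every window so the baseline is steady
    for base in (10, 70, 130):
        for i in range(30):
            evs.append(LoginEvent(ts=base + i, src_ip=f"198.51.100.{i}",
                                  username=f"shopper{i}",
                                  success=(i % 10 != 0)))
    # window 1: one IP tests 60 combos in 30 seconds, one of them valid
    for i in range(60):
        evs.append(LoginEvent(ts=65 + i * 0.5, src_ip="203.0.113.7",
                              username=f"combo{i}", success=(i == 42)))
    # window 2: 50 proxied IPs, one combo each, spread over the whole minute
    for i in range(50):
        evs.append(LoginEvent(ts=121 + i, src_ip=f"192.0.2.{i}",
                              username=f"combo{100 + i}", success=(i == 13)))
    return evs


if __name__ == "__main__":
    for alert in detect_stuffing(build_sample_events()):
        print(alert)
```

Run stand-alone it prints two alerts: a `burst` for `203.0.113.7` in window 1 and a `distributed` alert for window 2, where the failure rate is 0.65 across 80 sources even though no single source exceeds two attempts. The per-IP rule alone would miss the second campaign; that is the point of also watching the aggregate failure rate and username spread per window.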

Now, with valid credentials (gained through a credential stuffing attack or by purchasing already-validated credentials on the Dark Web), the attacker is ready to move on to the final two phases of the ATO kill chain — exploitation and action — where humans (and sometimes highly sophisticated bots) take the validated combo-lists and start logging in to the targeted accounts, directly committing fraud. With open access to victims’ accounts, these criminals can pursue a variety of tactics, and it’s not just about finding a route back to the victim’s bank account. Once they take over an account, they can harvest loyalty points to purchase goods or e-gift cards. Thus, the retailer suffers a double whammy: not only is the customer’s hard-earned loyalty damaged, but the retailer loses even more through chargebacks and when criminals return fraudulently purchased goods for cash. In fact, according to a recent report from the National Retail Federation (NRF), ~$23B worth of online purchases were returned by fraudsters last year.

In some cases, attackers get access to the account unnoticed, but sometimes they might be detected by suspicious activity that triggers alarm bells such as recent changes to shipping and/or email addresses. Or perhaps the fraud prevention team notices that multiple accounts across their organization suddenly all have the same shipping address, or that unusual purchases are being placed outside of the customer’s normal shopping patterns. But even with alarms going off, oftentimes it’s too late, as the criminal has already committed fraud damaging both customer trust and the online retailer’s bottom line.

That’s why stopping bad actors during the final stages of attempted fraud is critical to thwarting a successful ATO attack. Just when your customers’ accounts are in danger of takeover, new asymmetric detection capabilities can stop would-be ATO attackers at the moment of login. Even if the attacker is using accurate usernames and passwords, this account protection technology looks for particular anomalies that distinguish authentic users based on their typical behavior profile and devices, as well as other advanced detections. Anomalies are detected in real time to determine whether to authenticate the user – all without alerting the attacker that they have triggered a risk score, which results in secondary (step-up) authentication challenges from the retailer. Additional actions could be a security question, a code sent to the mobile phone listed in the account profile, or other challenges.
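The two preceding paragraphs describe the signals a retailer can act on once the password itself checks out: a device the account has never used, a country or time of day outside the customer’s habits, a shipping or email address changed shortly before the login, and one shipping address suddenly shared by several accounts. The following Python risk scorer, an added example that is not the article’s or any vendor’s code, turns those signals into a silent risk score and a decision (allow, step-up challenge, or hold for the fraud team). The profiles, weights, thresholds, device ids and addresses are constructed for illustration; a real deployment would tune the weights from confirmed fraud outcomes.

```python
"""Login-time risk scoring with a step-up decision (added example).

Weights, thresholds and all sample data are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Profile:
    """Per-account behaviour profile as a store might keep it."""
    known_devices: set
    usual_countries: set
    usual_hours: set                               # UTC hours the customer shops
    shipping_address: str
    last_contact_change: Optional[datetime] = None  # last shipping/email edit


@dataclass
class LoginAttempt:
    username: str
    device_id: str
    country: str
    at: datetime
    password_ok: bool


# Constructed weights; tune from real fraud outcomes in practice.
WEIGHTS = {
    "new_device": 40,
    "unusual_country": 30,
    "unusual_hour": 10,
    "recent_contact_change": 25,
    "shared_shipping_address": 35,
}
STEP_UP_AT, REVIEW_AT = 40, 80


def shared_shipping_addresses(profiles, min_accounts=3):
    """Addresses that several otherwise unrelated accounts have in common."""
    counts = Counter(p.shipping_address for p in profiles.values())
    return {addr for addr, n in counts.items() if n >= min_accounts}


def score_login(attempt, profile, shared_addrs):
    """Return (score, decision, reasons) for one login attempt.

    The score stays server-side: the attacker only ever sees the challenge
    (or nothing), never the rule that fired.
    """
    if not attempt.password_ok:
        return 0, "reject", ["bad_password"]
    reasons = []
    if attempt.device_id not in profile.known_devices:
        reasons.append("new_device")
    if attempt.country not in profile.usual_countries:
        reasons.append("unusual_country")
    if attempt.at.hour not in profile.usual_hours:
        reasons.append("unusual_hour")
    if (profile.last_contact_change is not None
            and attempt.at - profile.last_contact_change < timedelta(hours=24)):
        reasons.append("recent_contact_change")
    if profile.shipping_address in shared_addrs:
        reasons.append("shared_shipping_address")
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= REVIEW_AT:
        decision = "hold_for_review"   # fraud team looks before anything ships
    elif score >= STEP_UP_AT:
        decision = "step_up"           # e.g. code to the phone on the profile
    else:
        decision = "allow"
    return score, decision, reasons


T0 = datetime(2022, 3, 8, 14, 0, tzinfo=timezone.utc)   # constructed clock


def _profile(device, address, changed=None):
    return Profile({device}, {"US"}, set(range(8, 23)), address, changed)


def build_sample_profiles():
    """Five constructed accounts; three were just repointed to one drop address."""
    drop = "12 Mule St, Anytown"
    return {
        "alice": _profile("dev-alice", "1 Elm Rd, Springfield"),
        "bob":   _profile("dev-bob", "9 Oak Ave, Shelbyville"),
        "carol": _profile("dev-carol", drop, T0 - timedelta(hours=2)),
        "dave":  _profile("dev-dave", drop, T0 - timedelta(hours=3)),
        "erin":  _profile("dev-erin", drop, T0 - timedelta(hours=1)),
    }


SAMPLE_ATTEMPTS = [                      # all three present a valid password
    LoginAttempt("alice", "dev-alice", "US", T0, True),
    LoginAttempt("bob", "dev-unknown-1", "XX", T0, True),   # XX: placeholder country
    LoginAttempt("carol", "dev-unknown-2", "US", T0, True),
]


def evaluate(attempts, profiles):
    shared = shared_shipping_addresses(profiles)
    return {a.username: score_login(a, profiles[a.username], shared)
            for a in attempts}


if __name__ == "__main__":
    for user, result in evaluate(SAMPLE_ATTEMPTS, build_sample_profiles()).items():
        print(user, result)
```

With the constructed data, alice logs in from her usual device and is allowed silently; bob has the right password but an unknown device and country, scores 70 and gets a step-up challenge; carol’s login comes from an unknown device two hours after her shipping address was changed to one that two other accounts now share, scores 100 and is held for the fraud team. The cross-account address check is what separates the third case from an ordinary new-device login.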

Stopping cyberattacks as early as possible in the ATO kill chain

At the end of the day, stopping cyber criminals earlier in the ATO kill chain is the best way to protect customer accounts, minimize damage to brand loyalty, and reduce the burden on incident response and fraud investigation teams. The challenge for ecommerce retailers is to find a way to protect customer accounts without introducing the kind of friction that causes people to abandon the digital sales journey.

If you are a retailer looking to provide a trusted, seamless digital experience to your customers, we can help. Learn more about protecting your customers and your brand from credential stuffing and ATO attacks with specialized solutions designed to tackle online fraud and abuse head on.