Assessing the Risk of Account Takeover Fraud
The Democratization of Crimeware and “Spray and Pray” Attacks
Eric Murphy, Vice President of Security Research at SpyCloud, was the guest on episode #90 of Task Force 7 Radio to talk with Host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, about the differences between identity theft and Account Takeover (ATO) fraud. He also told the audience about the benefits of establishing a proactive approach that includes understanding the criminal community and the methods used to target your business.
Rettas asked Murphy how bad actors acquire login credentials, how organizations can overcome the ATO awareness challenge, whose responsibility it is to address ATO fraud, and which methods combat the growing risk. The pair closed out the conversation looking to the future and how CISOs can prepare for more frequent and sophisticated attacks.
Defining the Intelligence Data Collection Challenge and Assessing Readiness
One element essential to the foundation of a solid cybersecurity operation is an intelligence-led strategy. One of the challenges that enterprise organizations face today is overcoming intelligence collection challenges at scale.
Intelligence agencies are organizations dealing in big data, specifically security data. Collection is often done at the network layer, layers three and four of the OSI model, where an agency goes into a data center and installs a very large passive tap. It then tries to separate the signal from the noise, the proverbial needle in the haystack. Collecting at this layer means dealing with petabytes to exabytes of data, which is very difficult to store, analyze and act upon. “The amount of data when you're collecting at that specific layer is difficult to manage,” notes Murphy. Because of the storage constraints, this reactive style of collection is done in small bursts, and it tends to be expensive even when cloud services are used.
Weighing Proactive vs. Reactive Approaches to This Challenge
The nature of work for a CISO is often reactive, says Murphy. The standard operating procedure for many enterprise CISOs has been, “I get into an organization, establish a Security Operations Center filled with a bunch of analysts, look at that network traffic and a series of other things, and then look for ‘bad’ in context of what you can see.”
The challenge with this “new CISO launch approach” to the enterprise SOC is that it's very difficult to scale with the organization’s growth goals and the number of potential threats. Contrast this with the more proactive nature, continues Murphy. “Hire and build purpose-driven intelligence teams to: Understand the criminal communities and understand how criminals are targeting your business or your vertical.”
The fundamental difference to these approaches, according to Murphy, is that, “one group is actively integrating with criminal communities and looking for bad in a proactive sense versus the reactive nature where you're stuck within your own perimeter waiting for bad to happen.”
The Difference Between Identity Theft and an Account Takeover
Most people have heard of identity theft, which is more often tied to your government-issued identifiers, such as a U.S. social security number or a driver's license number. Often the actor is attempting to extract value from you, whether that be dollars from your bank account or new lines of credit opened in your name.
Account takeover (ATO) is a much broader term focused on taking over your digital identities. If an actor breaches your favorite pizza chain affinity account, the end goal is to understand what they can do with that account, such as ordering pizza or harvesting your loyalty points.
Overcoming the ATO Awareness Challenge
Account takeover has been around for a long time, remarks Murphy. “In the last five years, the proliferation of it has exploded, and that is due to the frequency of breaches that occur.” Solutions providers like SpyCloud need to understand the data and the whole ecosystem around it. An increased number of actors utilizing crimeware to “spray and pray” login attacks across the internet has led to ATO having a bigger effect on people's everyday life.
We have all likely received these breach detection notifications, notes Rettas, that say, “Your information has been compromised.” The notifications are increasingly commonplace because more breaches are happening on a massive scale. But it can be hard for the average person to understand the impact of this letter. If this is the first time hearing from this company, how do consumers tell if this type of alert is real?
Murphy says that with the regular mainstream media reports on breaches these days, the concept of notification services is starting to skyrocket. “Several companies offer breach notification services. The general rule of thumb is you should always assume compromise.” Managing the multitude of identities, even with a password manager, does not remove the difficulty.
Verifying the authenticity of the company sending the notification should be one of the first actions, suggests Murphy. Many of these breach detection companies scrape parts of the Internet looking for very specific things, such as keywords, file names and hashes, without verifying whether the data is actually new. Finding a new combo list doesn't necessarily mean the usernames and passwords were not recycled from a previous breach. Murphy's recommendation: “Assume compromise … and ensure there was a verification process.”
Combating the Rise in Enterprise ATO
What’s behind the rise of ATO? Murphy highlights three areas driving the surge in ATO reports:
- Crimeware technologies are getting easier to use
  - The majority of ATO attacks are carried out by non-sophisticated attackers
  - It's easy to purchase what you need to load into crimeware and perform a “spray and pray” attack
- The security response from companies that hold the data is unable to keep pace
- New ecosystems are spinning up around ATO
  - Crimeware automates the login validation process and builds a list of working accounts; no scam needed
  - Criminally owned ecommerce middleman shops purchase the validated logins
Hacker access to data typically starts with a breach: some company data asset containing usernames and passwords is compromised. Like other types of campaigns, a malicious person follows a series of steps:
- Obtain the data by buying it from a criminal community or by hacking it directly. The actors who obtain this data are typically a little more sophisticated
- Crack the password hashes (or decrypt any reversibly encrypted passwords) to create a combo list of usernames and plaintext passwords
- Import the combo list into a crimeware account checker tool, which replays the pairs against other services
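The three steps above, walked through as an added example on constructed data (this is not code from the page or from SpyCloud): a synthetic dump of unsalted SHA-1 hashes is cracked against a small wordlist, the result is a combo list, and the combo list is replayed against an unrelated, properly salted service the way an account-checker tool does. BREACH_DUMP, WORDLIST and TARGET_SERVICE are all made up for this example.

```python
"""Combo-list pipeline on constructed data: breach dump -> cracked pairs -> checker.

Everything here is synthetic and built inline so the script runs offline.
BREACH_DUMP, WORDLIST and TARGET_SERVICE are illustrative, not real datasets.
"""
import hashlib
import hmac
import os


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()


# Step 1 (obtain the data): a constructed dump from a site that stored
# unsalted SHA-1 hashes, the weak storage that makes step 2 cheap.
BREACH_DUMP = [
    ("alice@example.com", sha1_hex("Summer2019!")),
    ("bob@example.com",   sha1_hex("letmein")),
    ("carol@example.com", sha1_hex("7Yq#v9!zLp2$wQ")),   # strong, not in wordlist
    ("dave@example.com",  sha1_hex("password1")),
]

# Constructed wordlist; real runs use multi-GB lists plus mangling rules.
WORDLIST = ["123456", "password", "password1", "letmein", "Summer2019!", "qwerty"]


def crack_dump(dump, wordlist):
    """Step 2: with unsalted fast hashes, one hash per candidate word is
    compared against every row at once. Returns the (email, password) combo list."""
    lookup = {sha1_hex(w): w for w in wordlist}   # computed once for the whole dump
    return [(email, lookup[h]) for email, h in dump if h in lookup]


# Step 3 target: a different service with per-user salts and a slow KDF.
# It is still exposed, because some of its users reused their password.
def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_db(plaintext_users):
    db = {}
    for email, pw in plaintext_users:
        salt = os.urandom(16)
        db[email.lower()] = (salt, pbkdf2(pw, salt))
    return db


TARGET_SERVICE = make_user_db([
    ("alice@example.com", "Summer2019!"),              # reused -> takeover
    ("bob@example.com",   "unique-pw-for-this-site"),  # not reused -> safe
    ("dave@example.com",  "password1"),                # reused -> takeover
])


def target_login(db, email, password) -> bool:
    rec = db.get(email.lower())
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(pbkdf2(password, salt), stored)


def run_checker(db, combo):
    """Step 3, what an account-checker automates: replay every combo against
    the target and keep the pairs that authenticate."""
    return [(e, p) for e, p in combo if target_login(db, e, p)]


if __name__ == "__main__":
    combo = crack_dump(BREACH_DUMP, WORDLIST)
    hits = run_checker(TARGET_SERVICE, combo)
    print(f"cracked {len(combo)}/{len(BREACH_DUMP)} rows; {len(hits)} valid on target")
```

Two things the run makes visible: the first site's unsalted fast hash lets the whole dump be cracked with one hash per wordlist entry, and the second site's salted PBKDF2 storage does nothing for the two users who reused a password, because the checker never attacks the hash at all, it simply logs in. Password reuse, not the target's hashing, is the enabler.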
How can personal information that has been accessed by criminals help them enter your employer's systems, asks Rettas? In general, enterprise credentials floating around the web can be significant and damaging to the business. “Engineers, developers, and the enterprise workforce typically have the same kind of password hygiene that your standard user might,” says SpyCloud's Murphy. “They're not changing passwords very often.” Enterprise credentials that surface in botnet logs indicate a malware infection on an employee device, which ranks higher on the risk scale than a breach of another service. If a bad actor can log into a streaming service provider's back-end services as a company engineer, that could be absolutely devastating.
Whose Problem is ATO Fraud to Solve in the Enterprise?
“ATO fraud is everybody's problem and it’s a shared responsibility,” declares Murphy. There is some level of expectation that a user should have decent password hygiene and they should manage their identities accordingly. “But that doesn't mean they don't get any assistance from their enterprise,” he adds.
According to Murphy, the industry needs better tooling and better understanding, and in some cases, an overhaul of this concept of identity to be able to solve the problem.
Very rarely does an enterprise require multifactor authentication, and often the burden of enabling it is placed on the user. “If an attacker wants to get into your account, they typically will,” quips Murphy. “The risk is there. But again, security is all about adding layers. And unfortunately, in the context of ATO, right now without overhauling this concept of identity, multifactor is typically the best that you get.” While multifactor authentication does help discourage attackers, it has not reduced the value to criminals of an account that has two-factor authentication enabled.
Murphy recommends two areas for enterprises to invest in to combat ATO fraud:
- Establish visibility into your login flow: proactive access to datasets that let you determine whether a login is representative of suspicious ATO activity.
- Decentralized identity: the concept of decentralized identity (also known as self-sovereign identity) is like building a series of personas. You manage your digital identities and select what you want to share.
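An added example of the first recommendation, login-flow visibility, written for this page rather than taken from it or from SpyCloud's tooling. It parses constructed authentication log lines in an assumed format, flags a spray-and-pray source (many distinct usernames from one IP with few successes), checks a submitted credential against a breach corpus indexed by a hash of the user:password pair, and turns the two signals into a login-time decision. AUTH_LOG, EXPOSED_PAIRS, the log format and the thresholds are all assumptions made for the example.

```python
"""Login-flow visibility on constructed auth logs: spray detection plus an
exposed-credential check, combined into a step-up decision at login time."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log lines in an assumed format:
#   <ISO-8601 UTC timestamp> ip=<source> user=<login> result=<ok|fail>
# 203.0.113.9 walks a combo list; 198.51.100.7 lands on a reused password.
AUTH_LOG = """\
2019-07-01T10:00:01Z ip=203.0.113.9 user=alice@example.com result=fail
2019-07-01T10:00:02Z ip=203.0.113.9 user=bob@example.com result=fail
2019-07-01T10:00:02Z ip=203.0.113.9 user=carol@example.com result=fail
2019-07-01T10:00:03Z ip=203.0.113.9 user=dave@example.com result=ok
2019-07-01T10:00:04Z ip=203.0.113.9 user=erin@example.com result=fail
2019-07-01T10:00:05Z ip=203.0.113.9 user=frank@example.com result=fail
2019-07-01T10:00:20Z ip=198.51.100.7 user=alice@example.com result=fail
2019-07-01T10:00:25Z ip=198.51.100.7 user=alice@example.com result=ok
2019-07-01T10:05:00Z ip=192.0.2.44 user=grace@example.com result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_log(text):
    """Return (timestamp, ip, user, succeeded) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result == "ok"))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.25):
    """Flag source IPs that try many distinct usernames inside one window with
    mostly failures: the shape of a combo list being replayed by a checker.
    Thresholds are assumptions; tune them against your own login baseline."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            users = {u for _, u, _ in in_window}
            successes = sum(1 for _, _, ok in in_window if ok)
            if len(users) >= min_users and successes / len(in_window) <= max_success_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(in_window), "successes": successes}
                break
    return flagged


def corpus_key(user, password):
    """Index the breach corpus by a hash of the normalized pair so the corpus is
    not itself a plaintext combo list. Simplification: a plain SHA-256 over a
    known username and a guessable password is still crackable offline, so a
    real deployment keys or slows this hash."""
    return hashlib.sha256(f"{user.lower()}:{password}".encode()).hexdigest()


# Constructed corpus, in the pre-hashed form a breach-data feed might deliver.
EXPOSED_PAIRS = {
    corpus_key("alice@example.com", "Summer2019!"),
    corpus_key("dave@example.com", "password1"),
}


def is_exposed(user, password, corpus=EXPOSED_PAIRS):
    return corpus_key(user, password) in corpus


def assess_login(events, user, password, ip):
    """Login-time decision combining both signals: a spraying source presenting
    an exposed pair is blocked; either signal alone forces step-up (MFA or reset)."""
    spraying = ip in detect_spray(events)
    exposed = is_exposed(user, password)
    if spraying and exposed:
        return "block"
    if spraying or exposed:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    ev = parse_log(AUTH_LOG)
    print("spray sources:", detect_spray(ev))
    print("alice from 198.51.100.7:", assess_login(ev, "alice@example.com", "Summer2019!", "198.51.100.7"))
```

The per-IP rule catches the naive checker in the sample but misses stuffing spread across a proxy pool, where each IP makes only a handful of attempts; the same windowing keyed on username (one account tried from many sources) or on ASN is the usual next step. The exposed-pair check is what gives visibility regardless of source: the successful login for alice from 198.51.100.7 looks normal in the log and is only flagged because the pair is already in the corpus.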
Promoting the Proactive Intelligence Organization
Proactive organizations tend to follow more data science practices and patterns, such as an ingest pipeline for multiple data sources that require classification. Reactive approaches only have visibility into your perimeter and into your organization. “You want to understand those outside threats to your business, to your vertical, and you want to understand how criminals operate,” says Murphy.
The Enterprise CISO and ATO Fraud May Be Forever Intertwined
The problem has been here for ages and will never entirely go away, notes Murphy. We are hearing more about ATO because of the media’s reach. “It can be solved, and it can go away, though it comes back to the concept of identity and how we operate today.” If the industry continues the standard operating processes, it won't go away. If we end up in a decentralized state leveraging the self-sovereign identity concepts, then that could solve the problem. “I don't see it going away anytime soon,” concludes Murphy.
Companies do not fully understand the impact of ATO on their ecosystem, observes Murphy. “We need to understand these communities and how they operate. What are the inputs and outputs of the criminal processes? If you can understand both of those, you get much better insight into how criminals are acting and what their trends are.”
Risk organizations tend to think in two ways: is this a perceived risk or an actual risk? For a long time, says Murphy, ATO fit into the perceived risk category. “We see the output of an ATO attack in the media almost every day. That doesn't necessarily affect that individual or that company. Until it happens to them, it's always a perceived risk.” However, ATO is an actual risk to the enterprise and it should not be left out of the risk process.