Account Takeover: The Bane of E-Commerce
Akamai's Smith on Why Simple Attacks Have a Surprising Success Rate
E-commerce sites face an ongoing fraud battle: Their login forms are constantly hit by bots using stolen credentials to try to take over accounts.
Michael Smith, Akamai's security CTO for Asia-Pacific and Japan, has seen this war escalate since 2012. That year, there were about 35 e-commerce Akamai customers within his region reporting this kind of attack, he says. But the attacks have escalated in the past four years, with as many as 135 organizations dealing with such attacks in countries including South Korea, Vietnam, Malaysia, Indonesia and Japan.
Although this kind of attack was first seen mostly against U.S. and U.K. retailers, "because those guys are good at defending themselves, they've moved to smaller targets," Smith says.
How it Works
The attackers collect account credentials from phishing schemes. They then use lists of stolen credentials and load them into "account checkers," which are simple, automated scripts - usually written in PHP - to test them out on a wide range of sites.
It's a much more effective method than trying to brute-force passwords, which can be slowed down by rate-limiting password guesses. The hackers capitalize largely on the fact that most people reuse the same password across different web services.
"They know they have the seed information," says Smith, who gave a presentation at the AusCERT conference near Brisbane on May 25. "So they have about a success ratio of one in 12, which is pretty good from an attacker's perspective."
Large data breaches, such as the one most recently revealed by LinkedIn that divulged more than 100 million credentials with weak SHA1 password hashes, fuel the attacks.
"We actually will see a corresponding increase in account takeover activity based on a database dump like that," he says.
The hackers frequently target a variety of non-cash instruments, such as prepaid gift cards and loyalty card points, which can be sold for cash at a discount or traded. Even grocery stores have been hit, with attackers going after stored loyalty points that are held in online accounts.
"They could take these vouchers, download them and trade them basically as cash," Smith says.
Account takeovers can be especially lucrative if a customer has stored their credit card with the retailer for purchases. The attackers can continually buy more vouchers.
How to Fight Back
The attacks can be tricky to shut down without inconveniencing legitimate customers. The account checkers are usually run through proxy servers, which can be blocked. But over time, the attackers have changed their strategy and now quickly rotate to new proxy servers in order to avoid triggering a block, Smith says.
So what can e-commerce sites do? There are several signs that an account takeover campaign may be underway. For example, one of the first things hackers do is change the email address on a victim's account. Patterns can often be detected in the new email addresses, such as unlikely domain names, Smith says.
Shipping addresses are also usually changed. E-commerce companies can check their customer databases to see if many accounts have suddenly been changed to the same shipping address, a sign of a mass account compromise.
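One way to turn these two signals into a check over account profile-change records, as an added example that is not from the article or from Akamai: the event format, field names, thresholds and the baseline domain list are assumptions, and the sample records are constructed. It flags any shipping address that several distinct accounts switched to within a short window, and any email domain outside the customer base's usual providers that several accounts moved to at once.

```python
"""Flag signs of a mass account-takeover campaign in account profile-change events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of profile-change events (not real customer data).
# Each tuple: (ISO timestamp, account id, field changed, new value)
SAMPLE_EVENTS = [
    ("2016-05-20T10:00:00", "acct-001", "shipping_address", "12 Example St, Springfield"),
    ("2016-05-20T10:01:30", "acct-002", "shipping_address", "12 example st, springfield"),
    ("2016-05-20T10:03:10", "acct-003", "shipping_address", "12 Example St., Springfield"),
    ("2016-05-20T10:04:00", "acct-004", "shipping_address", "12 Example St, Springfield"),
    ("2016-05-20T15:00:00", "acct-005", "shipping_address", "7 Other Rd, Shelbyville"),
    ("2016-05-21T09:00:00", "acct-006", "shipping_address", "12 Example St, Springfield"),
    ("2016-05-20T10:00:20", "acct-001", "email", "x7q2k@mailbox-example.test"),
    ("2016-05-20T10:02:00", "acct-002", "email", "p9dd1@mailbox-example.test"),
    ("2016-05-20T10:03:40", "acct-003", "email", "aa01z@mailbox-example.test"),
    ("2016-05-20T11:00:00", "acct-005", "email", "jane.doe@gmail.com"),
]

# Assumed baseline: email domains already common across the existing customer base.
BASELINE_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def normalize_address(addr):
    """Lower-case, drop punctuation and collapse whitespace so trivial variants match."""
    addr = re.sub(r"[^\w\s]", " ", addr.lower())
    return " ".join(addr.split())


def shipping_address_clusters(events, window=timedelta(hours=1), min_accounts=3):
    """Return {normalized address: sorted account ids} for every address that at
    least `min_accounts` distinct accounts switched to within any `window`."""
    by_addr = defaultdict(list)
    for ts, acct, field, value in events:
        if field == "shipping_address":
            by_addr[normalize_address(value)].append((_parse(ts), acct))
    flagged = {}
    for addr, changes in by_addr.items():
        changes.sort()  # chronological, so a window starting at index i only looks forward
        for i, (start, _) in enumerate(changes):
            in_window = {a for t, a in changes[i:] if t - start <= window}
            if len(in_window) >= min_accounts:
                flagged[addr] = sorted(in_window)
                break
    return flagged


def suspicious_email_domains(events, baseline=BASELINE_DOMAINS, min_accounts=2):
    """Return {domain: sorted account ids} for email changes to a domain not seen in
    the customer baseline that at least `min_accounts` accounts moved to."""
    by_domain = defaultdict(set)
    for _, acct, field, value in events:
        if field == "email" and "@" in value:
            domain = value.rsplit("@", 1)[1].lower()
            if domain not in baseline:
                by_domain[domain].add(acct)
    return {d: sorted(a) for d, a in by_domain.items() if len(a) >= min_accounts}


def accounts_at_risk(events):
    """Union of accounts hit by either signal, for review or forced re-verification."""
    hit = set()
    for accts in shipping_address_clusters(events).values():
        hit.update(accts)
    for accts in suspicious_email_domains(events).values():
        hit.update(accts)
    return sorted(hit)


if __name__ == "__main__":
    print(shipping_address_clusters(SAMPLE_EVENTS))
    print(suspicious_email_domains(SAMPLE_EVENTS))
    print(accounts_at_risk(SAMPLE_EVENTS))
```

Address normalization matters because the same drop address is often entered with small variations in case and punctuation; the one-hour window and the thresholds are tuning knobs, and a real deployment would set them from the site's own baseline rate of legitimate profile changes.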
Smith also recommends that retailers not assign a username that is the same as a person's email address. Instead, some retailers now assign a loyalty rewards number as the username rather than an email address.
"That reduces the usability of that account across multiple websites," Smith says.