Types of Account Takeover Attacks
Account takeover can be carried out in several ways, depending on the attacker’s end goal, resources, and scale.
Attackers execute credential stuffing by:
- Purchasing lists of leaked credentials (usernames and passwords)
- Testing combinations across different websites
Leaked credential lists vary in accuracy and quality, which is reflected in the price of the list on the dark web. Credential stuffing has a relatively high success rate because the usernames and passwords originate from a known source, and because many users choose weak passwords and reuse the same password across sites.
Credential cracking occurs when attackers have access to a list of usernames but not passwords. Attackers then attempt to recover the passwords using other tactics, including brute-force attacks, dictionary attacks, and phishing.
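Because credential stuffing replays a leaked username/password pair once per account across many accounts, while credential cracking hammers a single known username with many password guesses, the two leave different shapes in an authentication log. The following Python is an added example (not code from the original page): the log lines are constructed, and the thresholds of 5 attempts, 80% distinct usernames, and 5 tries per username are assumptions a defender would tune for their own traffic.

```python
from collections import defaultdict
# Constructed sample authentication log (not real traffic): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.5 alice FAIL
2024-01-01T10:00:02 203.0.113.5 bob FAIL
2024-01-01T10:00:03 203.0.113.5 carol OK
2024-01-01T10:00:04 203.0.113.5 dave FAIL
2024-01-01T10:00:05 203.0.113.5 erin FAIL
2024-01-01T10:00:06 198.51.100.7 heidi FAIL
2024-01-01T10:00:07 198.51.100.7 heidi FAIL
2024-01-01T10:00:08 198.51.100.7 heidi FAIL
2024-01-01T10:00:09 198.51.100.7 heidi FAIL
2024-01-01T10:00:10 198.51.100.7 heidi FAIL
2024-01-01T10:00:11 192.0.2.9 ivan FAIL
2024-01-01T10:00:12 192.0.2.9 ivan OK
"""

def parse_log(text):
    """One event per whitespace-separated line; result is OK or FAIL."""
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append({"ts": ts, "src": src, "user": user, "ok": result == "OK"})
    return events

def classify_sources(events, min_attempts=5, spread=0.8, depth=5):
    """Label each source IP by the shape of its login attempts: credential_stuffing
    = many distinct usernames, about one try each (a leaked list being replayed);
    credential_cracking = few usernames, many tries each. Thresholds are illustrative."""
    per_src = defaultdict(lambda: {"n": 0, "users": set(), "ok": set()})
    for e in events:
        s = per_src[e["src"]]
        s["n"] += 1
        s["users"].add(e["user"])
        if e["ok"]:
            s["ok"].add(e["user"])
    labels = {}
    for src, s in per_src.items():
        n, users = s["n"], len(s["users"])
        if n < min_attempts:
            label = "normal"
        elif users / n >= spread:
            label = "credential_stuffing"
        else:
            label = "credential_cracking" if n / users >= depth else "suspicious"
        # A success inside an attack burst marks a likely taken-over account.
        hits = sorted(s["ok"]) if label != "normal" else []
        labels[src] = {"label": label, "attempts": n, "users": users, "compromised": hits}
    return labels
```

On the constructed log, 203.0.113.5 is labelled credential_stuffing with carol flagged as compromised, 198.51.100.7 is labelled credential_cracking, and 192.0.2.9 stays normal.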
Email Account Takeover (Phishing)
Email account takeover, known as “phishing,” occurs when attackers leverage a list of email addresses without passwords. Attackers send mass phishing emails to the list, often posing as a credible business, and trick recipients into clicking fraudulent links. The link typically takes users to a fake login page where they unwittingly enter their credentials. Phishing campaigns tend to target large lists with thousands of recipients, in contrast to spear phishing, which takes a more individualized approach.
Spear phishing is a more thoroughly researched version of phishing that uses social engineering and background sleuthing to target individuals. Attackers send emails ostensibly from a known, trusted sender, which compels targets to share confidential information. For example, an attacker might use your email address to find your Facebook account, discover your brother’s name, then use an alias so the spear phishing email appears to be a genuine message from your brother.
Call Center Fraud
Call center fraud is common against banking institutions when attackers hold lists of leaked usernames, passwords, and contact information. To get into a bank account, the attacker poses as a call center employee and calls the account owner to “verify” PINs, security question answers, or multi-factor authentication challenges.