Account Takeover Attacks: An Overview

It’s a fact of life: web applications are inherently insecure. To protect your corporate information assets, your network, and your customers, the most important thing you can do is to protect your web applications. And the biggest threat to web apps today is the Account Takeover (ATO) attack, according to the Verizon 2016 Data Breach Investigations Report.

Cyber-criminals target web applications because they recognize the opportunity for financial gain in the sensitive information they can harvest from apps that are not secure. According to Verizon, 95 percent of ATO attacks (through which hackers gather account usernames and passwords) are believed to be financially motivated.

It’s critical for your organization’s DevOps team and security engineers to understand exactly how ATO attacks work so the organization can develop an effective plan to deflect these attacks and safeguard customer and employee data. Let’s break down the anatomy of a typical ATO attack.

A Two-Phased Attack Requires a Comprehensive Defense

To succeed in an ATO attack, the hacker must obtain a token, which is either a user’s session or a user’s password. Armed with either, the attacker can impersonate an innocent victim.

Hackers obtain these sessions or passwords in the first phase of the attack: the token gathering phase. Once the tokens have been gathered, the attacker can sell them for profit or use them for further penetration into a corporate network, to commit fraud, and more. As these accounts are used, the ATO attack enters its second stage: token usage phase.

The following illustrates how each phase of the attack can be carried out:

A successful, comprehensive defense against ATO attacks needs to quickly and comprehensively address both phases. Unfortunately, commonly used legacy web application security technologies such as Web Application Firewalls (WAFs), which were designed for broad-brush protection from external threats, are ineffective against targeted attacks on specific code vulnerabilities in web apps.

WAFs examine traffic to and from an application by monitoring for known and predefined signatures. The majority of these signatures are generic, so they cannot protect against sophisticated attacks such as ATO attacks.

Monitoring for more specific signatures quickly becomes a maintenance nightmare, however, because these signatures need to be updated every time the application is updated. If this doesn’t happen, the rules break and valid users and paying customers will find themselves unable to access critical applications.

RASP: The Only Comprehensive Defense Against ATO Attacks

Runtime Application Self-Protection (RASP) is an emerging web application security technology that doesn’t require complex skillsets to implement and manage. Best of all, RASP solutions provide the only solution that addresses both phases of ATO attacks.

With RASP, your organization gains real-time protection for web apps, and by extension, for critical user account data. RASP builds security directly into applications, monitoring user activity and implementing proactive defensive measures such as rate limiting, IP access control, and captchas.

RASP solutions help organizations safeguard against session farming and brute-force attacks with stolen credentials, issuing alerts when someone tries repeatedly to log into a user account as an administrator, detecting stolen accounts, and providing geo-fencing of legitimate login credentials.

When attacks are detected, with RASP, you can monitor the behavior of the attacking IP address and erect defenses around your app, halting exploitation of the vulnerability in real time.