Account Takeover Attacks: An Overview


By Goran Begic · Sep. 23, 16 · Opinion


It’s a fact of life: web applications are exposed by design, accepting requests from anyone on the internet, and so are never fully secure. To protect your corporate information assets, your network, and your customers, the most important thing you can do is to protect your web applications. And the biggest threat to web apps today is the Account Takeover (ATO) attack, according to the Verizon 2016 Data Breach Investigations Report.

Cyber-criminals target web applications because the sensitive information behind them (account credentials, payment details, personal data) converts readily into money when the application is not secure. According to the same Verizon report, 95 percent of ATO attacks, in which attackers gather account usernames and passwords, are believed to be financially motivated.

It’s critical for your organization’s DevOps team and security engineers to understand exactly how ATO attacks work so the organization can develop an effective plan to deflect these attacks and safeguard customer and employee data. Let’s break down the anatomy of a typical ATO attack.

A Two-Phased Attack Requires a Comprehensive Defense

To succeed in an ATO attack, the attacker must obtain a token that the application accepts as proof of identity: either a valid session identifier (typically the session cookie) or the user’s password. Armed with either, the attacker can impersonate an innocent victim without exploiting anything else in the application.

Attackers obtain these sessions or passwords in the first phase of the attack: the token gathering phase. Once gathered, the tokens can be sold for profit or used for further penetration into a corporate network, to commit fraud, and more. When the stolen tokens are actually presented to the application, the attack enters its second phase: the token usage phase.

The following illustrates how each phase of the attack can be carried out:

Sessions
  • Token gathering: session farming/cracking, cross-site scripting, phishing/malware
  • Token usage: the attacker presents the stolen session identifier and takes over the victim’s live session
Credentials
  • Token gathering: purchase via darknet, brute-forcing, credential stuffing, phishing/malware
  • Token usage: the attacker logs in as the victim with the stolen password
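Each row of the table above leaves a distinct trace in an application’s authentication log: credential stuffing is one source trying many different accounts and mostly failing, brute force is many failures against one account, and a stolen session is one session identifier presented from more than one client. The following script is an added example (not code from the article or its author) that runs those three checks over constructed log lines; the log format, addresses, user names and session ids are all invented for the illustration, and the thresholds are assumptions.

```python
"""Offline detection of the token-gathering and token-usage patterns in the
ATO table: credential stuffing, brute force and session reuse.
Constructed sample data and assumed log format; not from any real system."""
import re
from collections import defaultdict

# Constructed sample log. One event per line:
#   <timestamp> <source ip> <event> user=<name> sid=<session id or ->
SAMPLE_LOG = """\
2016-09-20T10:00:01Z 203.0.113.7 LOGIN_FAIL user=alice sid=-
2016-09-20T10:00:02Z 203.0.113.7 LOGIN_FAIL user=bob sid=-
2016-09-20T10:00:02Z 203.0.113.7 LOGIN_FAIL user=carol sid=-
2016-09-20T10:00:03Z 203.0.113.7 LOGIN_OK user=dave sid=s9f3
2016-09-20T10:00:03Z 203.0.113.7 LOGIN_FAIL user=erin sid=-
2016-09-20T10:00:04Z 203.0.113.7 LOGIN_FAIL user=frank sid=-
2016-09-20T10:05:00Z 198.51.100.9 LOGIN_FAIL user=admin sid=-
2016-09-20T10:05:01Z 198.51.100.9 LOGIN_FAIL user=admin sid=-
2016-09-20T10:05:02Z 198.51.100.9 LOGIN_FAIL user=admin sid=-
2016-09-20T10:05:03Z 198.51.100.9 LOGIN_FAIL user=admin sid=-
2016-09-20T10:05:04Z 198.51.100.9 LOGIN_FAIL user=admin sid=-
2016-09-20T10:05:05Z 198.51.100.9 LOGIN_FAIL user=admin sid=-
2016-09-20T10:06:00Z 198.51.100.9 LOGIN_OK user=admin sid=a1b2
2016-09-20T10:10:00Z 192.0.2.5 LOGIN_OK user=grace sid=c0ffee
2016-09-20T10:11:00Z 192.0.2.5 REQUEST user=grace sid=c0ffee
2016-09-20T10:12:00Z 203.0.113.77 REQUEST user=grace sid=c0ffee
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+)$"
)


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_users=5, min_fail_ratio=0.8):
    """One source IP trying many *different* accounts and mostly failing:
    the signature of a purchased or leaked credential list being replayed."""
    by_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for e in events:
        if e["event"] not in ("LOGIN_OK", "LOGIN_FAIL"):
            continue
        stats = by_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["total"] += 1
        if e["event"] == "LOGIN_FAIL":
            stats["fail"] += 1
    return sorted(
        ip for ip, s in by_ip.items()
        if len(s["users"]) >= min_users and s["fail"] / s["total"] >= min_fail_ratio
    )


def detect_brute_force(events, max_failures=5):
    """Repeated failures against a single account from one source."""
    fails = defaultdict(int)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[(e["ip"], e["user"])] += 1
    return sorted(key for key, n in fails.items() if n >= max_failures)


def detect_session_reuse(events):
    """A session id presented from more than one source IP: the token-usage
    phase of a session stolen through XSS, malware or farming."""
    ips_by_sid = defaultdict(set)
    for e in events:
        if e["sid"] != "-":
            ips_by_sid[e["sid"]].add(e["ip"])
    return sorted(sid for sid, ips in ips_by_sid.items() if len(ips) > 1)


def report(log_text=SAMPLE_LOG):
    """Run all three detectors and return their hits."""
    events = parse(log_text)
    return {
        "credential_stuffing_ips": detect_credential_stuffing(events),
        "brute_forced_accounts": detect_brute_force(events),
        "hijacked_sessions": detect_session_reuse(events),
    }


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name}: {hits}")
```

Note the successful `admin` login at 10:06 after six failures and the successful `dave` login in the middle of the stuffing run: both are the token usage phase, and a production version should bucket the counts by time window and treat a success from a source that is already over threshold as the highest-priority alert rather than as a reset.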

A successful, comprehensive defense against ATO attacks needs to address both phases quickly and completely. Unfortunately, commonly used legacy web application security technologies such as Web Application Firewalls (WAFs), which were designed for broad-brush protection against known external attack patterns, are ineffective against targeted attacks on the specific behaviour and vulnerabilities of a given web app.

WAFs examine traffic to and from an application by matching it against known, predefined signatures. Most of these signatures are generic (SQL injection strings, path traversal patterns and the like), and a credential stuffing attempt or a replayed session cookie is a syntactically valid login or request that matches none of them, so a signature-based WAF cannot recognise an ATO attack.

Tuning a WAF with more application-specific signatures quickly becomes a maintenance nightmare, however, because those signatures must be updated every time the application changes. If they are not, the rules break and valid users and paying customers find themselves unable to access critical applications.

RASP: The Only Comprehensive Defense Against ATO Attacks

Runtime Application Self-Protection (RASP) is an emerging web application security technology that does not require complex skillsets to implement and manage. Because a RASP agent runs inside the application rather than at the perimeter, it sees each request with its application context: which account is being targeted, whether the login succeeded, and which session is in use. Best of all, RASP is the one approach that addresses both phases of an ATO attack.

With RASP, your organization gains real-time protection for web apps and, by extension, for critical user account data. RASP builds security directly into the application: it monitors user activity from inside the process and applies proactive defensive measures such as rate limiting of login attempts, IP access control, and CAPTCHA challenges.

RASP solutions help organizations safeguard against session farming and against brute-force and credential stuffing attacks with stolen credentials: they raise alerts when someone repeatedly tries to log into an administrative account, detect accounts that have already been taken over, and geo-fence logins to the regions from which legitimate users authenticate.

When an attack is detected, RASP lets you monitor the behaviour of the attacking IP address and erect defenses around your app, halting exploitation of the vulnerability in real time.
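The measures the three paragraphs above list (rate limiting, escalation to a CAPTCHA and then a block, an alert when an administrative account is targeted, geo-fencing, and flagging a login that succeeds from a source already under attack) can be implemented inside the login handler itself. The following class is an added example written for this page, not code from the article or from any RASP product; the class name, the threshold values, the country codes and the replayed login sequence are all assumptions, and the counters live in process memory, so a real deployment would share them across instances.

```python
"""In-application login guard: sliding-window failed-login limits per source
IP and per target account, escalating to CAPTCHA and then a block, with
alerts for admin targeting, geo-fence violations and logins from hot IPs.
Added example with assumed names and thresholds; not a product's code."""
import time
from collections import defaultdict, deque


class LoginGuard:
    """decide() returns one of:
      "allow"   - normal login flow
      "captcha" - require a CAPTCHA before the password is checked
      "block"   - reject without touching the credential store
      "deny"    - source country is outside the geo-fence
    """

    def __init__(self, ip_limit=10, account_limit=5, window_seconds=300,
                 admin_users=("admin",), allowed_countries=None):
        self.ip_limit = ip_limit              # failures per IP before a block
        self.account_limit = account_limit    # failures per account before CAPTCHA
        self.window = window_seconds
        self.admin_users = set(admin_users)
        # None disables the geo-fence; otherwise a set of ISO country codes.
        self.allowed_countries = set(allowed_countries) if allowed_countries else None
        self._ip_fail = defaultdict(deque)    # ip -> failure timestamps
        self._acct_fail = defaultdict(deque)  # username -> failure timestamps
        self.alerts = []                      # human-readable alert strings

    def _recent(self, timestamps, now):
        """Drop entries older than the window and return how many remain."""
        while timestamps and timestamps[0] <= now - self.window:
            timestamps.popleft()
        return len(timestamps)

    def decide(self, ip, username, country=None, now=None):
        now = time.time() if now is None else now
        if self.allowed_countries is not None and country not in self.allowed_countries:
            self.alerts.append(f"geo-fence: {username} from {country or 'unknown'} via {ip}")
            return "deny"
        ip_n = self._recent(self._ip_fail[ip], now)
        acct_n = self._recent(self._acct_fail[username], now)
        if ip_n >= self.ip_limit or acct_n >= 2 * self.account_limit:
            return "block"
        if ip_n >= self.ip_limit // 2 or acct_n >= self.account_limit:
            return "captcha"
        return "allow"

    def record_failure(self, ip, username, now=None):
        now = time.time() if now is None else now
        self._ip_fail[ip].append(now)
        self._acct_fail[username].append(now)
        # Alert once, on the third failure against an administrative account.
        if username in self.admin_users and self._recent(self._acct_fail[username], now) == 3:
            self.alerts.append(f"admin account {username} targeted from {ip}")

    def record_success(self, ip, username, now=None):
        """A success from a source already over the CAPTCHA threshold is the
        token-usage phase of a stuffing campaign: flag it, do not reset."""
        now = time.time() if now is None else now
        if self._recent(self._ip_fail[ip], now) >= self.ip_limit // 2:
            self.alerts.append(f"possible stolen credential: {username} from hot IP {ip}")


def demo():
    """Replay a constructed login sequence and return the decisions observed."""
    g = LoginGuard(ip_limit=10, account_limit=5, window_seconds=300,
                   allowed_countries=("US", "DE"))
    t = 1_000_000.0
    out = {"fresh": g.decide("203.0.113.7", "alice", "US", t)}
    # Credential stuffing: one IP, many different accounts, all failing.
    for i in range(5):
        g.record_failure("203.0.113.7", f"user{i}", t + i)
    out["after_5_ip_failures"] = g.decide("203.0.113.7", "zoe", "US", t + 5)
    for i in range(5, 10):
        g.record_failure("203.0.113.7", f"user{i}", t + i)
    out["after_10_ip_failures"] = g.decide("203.0.113.7", "zoe", "US", t + 10)
    # Brute force against the admin account from a second IP.
    for i in range(5):
        g.record_failure("198.51.100.9", "admin", t + 20 + i)
    out["admin_after_5"] = g.decide("198.51.100.9", "admin", "US", t + 25)
    # Login from outside the geo-fence.
    out["outside_fence"] = g.decide("192.0.2.5", "bob", "BR", t + 30)
    # The window has expired for the stuffing IP.
    out["after_window"] = g.decide("203.0.113.7", "zoe", "US", t + 400)
    out["alerts"] = list(g.alerts)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-IP and per-account counters are deliberately separate: a stuffing run spreads its failures across many accounts and only trips the IP limit, while a brute-force run against one account from rotating proxies only trips the account limit. Counting both, and refusing to reset on success, is what lets the guard cover the token usage phase as well as token gathering.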


Published at DZone with permission of Goran Begic, DZone MVB. See the original article here.
