Account Takeover: Why criminals can’t resist

We rely on passwords to safeguard those precious accounts that allow us to conduct much of the business of life in cyberspace. Our finances, personal information, and sensitive documents are stored in the cloud, locked behind these sets of alphanumeric and special characters. They’re prime targets for cybercriminals who conduct fraud and account takeover (ATO). 

According to Verizon’s 2020 Data Breach Investigations Report, over 80 percent of breaches related to hacking involved brute-force cracking or the use of lost or stolen credentials. Credential lists are widely sold and traded on cybercriminal forums and marketplaces, and full accounts for various services can be bought for even a few dollars.

So what is ATO? Literally, just what it sounds like. An attacker gaining access to a user’s account. Traditionally, this can mean an e-commerce or financial account, which is then used to conduct fraud. Of course such accounts are valuable to attackers, but a wide range of other online services are targeted, from streaming and cable TV subscriptions to VPNs and adult websites. 

Our newest research paper From Exposure to Takeover goes over all this and more. 

Acquiring credentials

In most cases, a successful ATO requires first acquiring stolen credentials. Attackers can do this by hacking into a company and stealing a database containing credentials, but there are four slightly easier methods we explore in this section:

  1. Harvest your own
  2. Buy credentials
  3. Rent credentials
  4. Use freebies

Harvest your own: phishing, exploits, and malware

Credential-stealing malware and phishing campaigns are not the focus of this research, but we would be remiss not to mention them. Numerous types of trojans and keyloggers have this express purpose, and new pieces of malware surface regularly.

Many credential harvesters target banking credentials, in large volumes―they can be highly lucrative and are in high demand on underground marketplace sites. Credential harvesters use a combination of techniques to acquire victim’s details, including man-in-the-browser attacks, which use code injection techniques to inject form fields into the user’s banking website. These fields intercept the victim’s credentials directly from their online banking portal. They’re sent to the attackers, who monetize them directly (via fraudulent transactions) or, more commonly, sell them to other threat actors seeking freshly stolen credentials.

While we’re on the subject of stealing credentials: We’ve also seen some criminal advertisements for domain administrator accesses (login details, credentials or sensitive files from an organization or individual’s machine, used to access systems/infrastructure, data, bank accounts, and/or other accounts). This takes the conversation from “simple” account compromise to complete network compromise, and we’ve seen these accesses sold or auctioned for an average of $3,139 and up to $140,000. The data may not always be valid, but just the concept of a large corporation or government network administrator’s access being sold on criminal marketplaces is, to say the least, unnerving. 

Selling Access to Corps
A user initiates the sale of corporate network data on Exploit

Privileged accounts, like administrator accounts, are considered extremely valuable in the criminal underworld. Not only do they give access to a network, but they feature the highest levels of control and trust, and their permissions are nigh unlimited. A person using a privileged account could change system configuration settings, read and modify sensitive data, or give other users access to critical assets. 

Advertisement for domain administrator
Advertisement for domain administrator access for a cybersecurity company on Exploit

We found domain administrator-access ads with descriptions including “petrochemical company,” “cybersecurity company,” “architecture and engineering company,” “petroleum company,” “big university,” and various state governments. Some vendors also mention the number of machines on the network, the number of employees, the site’s Alexa ranking, any intellectual property or sensitive documents on the system, and whether any trusts are available, to give buyers an idea of the value of the access.

Average Price of Listings

Going out to tender: account sales

Another, somewhat more straightforward, option to acquire credentials is just buy them on a cybercriminal marketplace. With Digital Shadows (now ReliaQuest)’ Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection)™, we gathered hundreds of marketplace advertisements for accounts over the past two and a half years across nine active and defunct dark web marketplaces.

Across all these platforms, the average cost of a single account was $15.43. Unsurprisingly, banking/financial services accounts made up most of the listings and were, on average, the most expensive: $70.91. Account accesses for antivirus programs came a distant second place, averaging around $21.67. All other types of accounts were, on average, just under or significantly below $10. Some can even be had for under $2, like file-sharing or video-game accounts. 

In addition to being expensive, banking and other financial accounts are rife―accounting for 25 percent of all the access advertisements we observed. This makes sense; when you compromise someone’s bank account, you have direct access to all their funds, plus any sensitive personal information tied to that account. Many of the bank account listings we saw claimed to include the victim’s United States social security number, their physical address, their birthdate, and answers to security questions. 

Even though the average cost of one banking account was just under $71, we saw some going for upwards of $500. The price can be influenced by many factors: If it’s confirmed to have a certain amount of funds, if it has personally identifiable information (PII) attached, and its age (older accounts tend to be cheaper). Many higher-priced advertisements advertise “drop” accounts, meaning they can be used to facilitate money laundering or cash-out schemes. 

In terms of geography, United States-based accounts were advertised most frequently on criminal forums and marketplaces, followed close behind by Canada, Australia, the United Kingdom, and Germany. Cybercriminals very likely perceive North American accounts as being the most profitable. And in terms of non-financial accounts, the second and third most advertised were for streaming and proxy or VPN accounts: comprising 13% and 12%, respectively. 

Frequency of account listings

The listings we observed fit into the 11 categories shown in Figure 6. Many of the categories are for services that can be quite pricey if purchased legitimately. Would you rather pay $10 a month for yet another streaming service, or pay $5 for lifetime access?1 Additionally, accounts for adult websites offer other added benefits, considering that buyers may not want their real names or financial information associated with these services.

In any case, account accesses are relatively cheap. This is probably, at least partly, because of two main factors:

1 By “lifetime” we actually just mean the time it takes for the account owner to realize their account has been compromised. This can be days, weeks, months, years, or never. 

  1. Buyers have no guarantee that their purchase will grant them access in the long run; login details could become invalid at any point. Caveat emptor.
  2. Vendors can obtain the account accesses cheaply and efficiently (and even automated), so they can sell them at low prices. Typically, they’re obtained using techniques such as credential stuffing (more on that later). But many are also byproducts of another crime, allowing them to be sold at low prices or even shared for free.
bank account access advertised on Empire
Bank account access advertised on Empire
VPN account advertised on Empire
VPN account advertised on Empire
Streaming access advertised on Empire
Streaming access advertised on Empire

Renting tools: The rise of fingerprint markets

A happy medium between harvesting your own credentials and purchasing stolen credentials is renting account access. We’ve been closely following the emergence and subsequent rise of certain markets for this kind of service, like Genesis Market, which we first identified in April 2018.

These markets have their own injects and botnets harvesting credentials. But rather than buying a credential, you can rent an identity for a given period for less than $10 (with prices increasing depending on the type of access). The market also collects browser fingerprint data (such as cookies, IP addresses, time zones) from victims, making it considerably easy to perform ATO and transactions that go unnoticed. 

Genesis Market listings to rent account identities
Genesis Market listings to rent account identities

Although other markets have since emerged as contenders, such as UnderWorld Market (formerly RichLogs) and Tenebris, Genesis Market retains its crown, being the most popular. In Figure 11 you can see how it dominates discussions about fingerprinting, with 65 percent of references across criminal markets. 

Discussion related to fingerprint services

Making use of free: Sharing is caring

Although a threat actor could buy or rent account access, they’d be passing up an awful lot of credentials being shared for free on certain cybercriminal forums. A significant amount of Digital Shadows (now ReliaQuest)’ technology and closed-sources resources are devoted to finding these credentials, so you don’t have to. Databases of breached credentials are commonly shared for free on these forums; after someone posts a hashed data set, other forum users work on dehashing it and then post the plaintext passwords as a database. 

To date, we’ve discovered 15 billion-plus credentials, stemming from more than 100,000 discrete breaches. Of these credentials, more than 5 billion are unique. 

Users of Russian-language cybercriminal forums like Exploit and XSS often freely share credentials for entertainment services with other forum members. These can range from individual credential pairs to files containing thousands of valid accounts. 

XSS user shares account credentials for popular streaming service
XSS user shares account credentials for popular streaming service, free of charge

These free accounts are typically limited to music and video streaming services, because:

A. Cybercriminals don’t want to pay for their own streaming, and/or

B. Cybercriminals obtain many accounts as byproducts, so they may sell the valuable goods (e.g. an expensive set of banking credentials) and share any leftovers for free (e.g. streaming credentials).

How very thoughtful.

Streaming-account credentials shared for free on RaidForums

Whatever the motive for their “philanthropy”, cybercriminals are building a sense of community on the forums they use―which is one of the critical determiners of a forum’s overall success. The more forum users feel an element of camaraderie with their fellow users, the more likely they are to stick around, if not just for the free streaming accounts. We wrote about this in greater detail in our research paper The Modern Cybercriminal Forum

Exploit user shares free account credentials for a popular streaming service

So now that we’ve shared a few examples of what happens with stolen credentials, how are these actually obtained? Part 2 of this blog series will go over some examples of the tools cybercriminals use to gain access to your accounts.

If you can’t wait that long, go ahead and download our full, in-depth report, When Exposure Becomes Takeover

Don’t miss out on our on-demand webinar, where the authors take a deep dive into the research, check out the recording here: