ATO (Account Takeover) Attacks and How to Prevent Them

An account takeover (ATO) attack occurs when threat actors attempt to obtain the account credentials of legitimate users. Typically, once an ATO is successful, the perpetrators try to leverage it for monetary gains.

In this article, we’ll discuss:

  • How Does an ATO Attack Occur?
  • What Happens During an ATO?
  • What Damage Can ATO Cause?
  • How Can ATOs Be Prevented?
  • ATO Prevention by Reblaze

How Does an ATO Attack Occur?

There are several ways in which hackers can wage an account takeover attack. Here are some of the most common.

System Breach

A breach can occur due to vulnerabilities that either exist in the system or are inserted via malicious activities. Once inside the system, threat actors can gain access to credential data such as emails, account security questions and answers, usernames, and passwords.


Phishing

A phishing campaign attempts to trick recipients into visiting false login pages, which capture whatever credentials are entered there.

Social Engineering

Hackers trick insiders into granting access to accounts, or performing other activities which enable the ATO to occur.

Credential Discovery

Hackers attempt to discover credential sets by using brute-force techniques. They use bots to attempt to access the target system, continually submitting potential credentials and noting the ones that are successful. The inputs might be randomly generated, or they could be based on lists of common words, names, and/or passwords.

Credential Stuffing

Credential stuffing is a variation of credential discovery, but instead of submitting random inputs, bots “stuff” credential sets that were stolen from other systems. These attacks often have a high rate of success, since many Internet users utilize the same credential sets across multiple sites.

What Happens During an ATO?

ATO attacks enable threat actors to freely move around digital environments, using credentials for numerous malicious activities. These will depend on the privileges that were gained and the accounts that were compromised. Overall, hackers can profit from ATOs in several ways; here are some of the most common.

Credential Trafficking

Attackers can sell stolen credential sets on the dark web. Purchasers then use them for their own illicit purposes.

Direct Monetization

Some types of accounts provide immediate revenue opportunities. For example, funds can be transferred out from financial accounts.

Indirect Monetization

Some types of accounts provide indirect opportunities for profit. For example, fraudulent purchases can be made from ecommerce accounts.

Other Attacks

Threat actors often steal data from one ATO for use in subsequent attacks. For example, email addresses can be harvested and used for phishing schemes or spam. Certain categories of Personally Identifiable Information (PII) can be stolen and used for identity theft.

What Damage Can ATO Cause?

Businesses with inadequate ATO prevention can suffer in numerous ways, including loss of reputation and customer goodwill, along with potential punitive fines from privacy regulators. Additional damages will vary by industry. For example, financial companies can suffer large losses of funds. Ecommerce retailers can lose money from products shipped to the thieves, along with payment chargebacks from the unhappy customers whose accounts were compromised and used for the fraudulent purchases.

ATO attacks have become very common. For example, a 2019 Proofpoint report examined takeover attempts targeting cloud email accounts. Over six months, the researchers reviewed G Suite and Office 365 cloud accounts, monitoring over 100,000 unauthorized logins. Threat actors targeted more than 2% of the monitored active user accounts. Fifteen out of every 10,000 active user accounts were successfully breached.

How Can ATOs Be Prevented?

There are a number of security measures that can help protect against account takeovers.

One vital element is employee training. Threat actors often try to trick, manipulate, or force employees into revealing credentials or sensitive data. Training can help ensure employees know how to recognize these schemes and are not tricked into becoming insider threats.

A second best practice is to implement multi-factor authentication (MFA). This prevents account access unless multiple login factors (i.e., more than just a set of credentials) are available.

A third is encryption of data both at rest and in transit. This can dramatically lower the impact of ATO attacks, because encrypted data is worthless to an attacker who cannot decrypt it.

These three practices are necessary, but insufficient. For complete protection, a robust web security solution must be in place. It must include ATO prevention features such as:

  • ACLs (Access Control Lists): these lists can block attacks originating from known-hostile traffic sources according to their IPs, ASNs, and so on. For example, in the cloud email attacks mentioned earlier, 40 percent of the successful breaches originated from Nigeria; this traffic could, and should, have been easily detected and blocked.
  • Rate Limiting: This will block ATO attacks such as credential stuffing and credential discovery—any malicious activities which rely upon a large volume of access attempts.
  • Hostile Bot Management: Most ATO attempts rely on bots. Robust bot management can prevent these attacks from succeeding.
  • Access Anomaly Detection: A sophisticated security solution can recognize and intercept abnormal activity. If, for example, repeated login attempts occur hundreds of miles away from a user’s typical geolocation, these attempts can be blocked and an alarm can be generated.
  • Machine Learning and UEBA (User Entity Behavioral Analytics): The Anomaly Detection mentioned above is one example of a broader capability: constructing behavioral profiles of legitimate users, so that divergent activity of any variety (not just ATOs) can be detected and blocked.
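
The rate-limiting item above, together with the difference between credential stuffing and credential discovery described earlier, can be shown as a small login throttle. This is an added example, not Reblaze code: the class and function names, the thresholds, and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Thresholds are illustrative assumptions, not values from the article.
WINDOW = 60             # sliding window, in seconds
MAX_FAILS_PER_IP = 5    # failed logins allowed per source IP per window
MAX_FAILS_PER_USER = 5  # failed logins allowed per account per window
STUFFING_USERS = 4      # distinct accounts failing from one IP => stuffing

class LoginThrottle:
    def __init__(self):
        self.by_ip = defaultdict(deque)    # ip   -> (timestamp, username)
        self.by_user = defaultdict(deque)  # user -> (timestamp, ip)

    def check(self, ts, ip, user):
        """Run before password verification; returns a decision string."""
        ip_q, user_q = self.by_ip[ip], self.by_user[user]
        for q in (ip_q, user_q):           # drop failures older than WINDOW
            while q and ts - q[0][0] >= WINDOW:
                q.popleft()
        if len({u for _, u in ip_q}) >= STUFFING_USERS:
            return "block: credential-stuffing pattern"
        if len(ip_q) >= MAX_FAILS_PER_IP:
            return "block: ip rate limit"
        if len(user_q) >= MAX_FAILS_PER_USER:
            return "block: account rate limit"
        return "allow"

    def record_failure(self, ts, ip, user):
        self.by_ip[ip].append((ts, user))
        self.by_user[user].append((ts, ip))

def replay(events):
    """Feed (ts, ip, user, password_ok) events through the throttle."""
    throttle, decisions = LoginThrottle(), []
    for ts, ip, user, password_ok in events:
        decision = throttle.check(ts, ip, user)
        if decision == "allow" and not password_ok:
            throttle.record_failure(ts, ip, user)
        decisions.append(decision)
    return decisions

# Constructed sample log (documentation IP ranges, made-up usernames).
SAMPLE = (
    [(t, "203.0.113.7", u, False)          # one IP, many accounts: stuffing
     for t, u in enumerate("alice bob carol dave erin".split())]
    + [(10 + i, f"198.51.100.{i + 1}", "frank", False)  # many IPs, one account
       for i in range(6)]
    + [(20, "192.0.2.10", "grace", True),     # ordinary successful login
       (100, "203.0.113.7", "alice", True)]   # same IP after the window expires
)

if __name__ == "__main__":
    print(*zip(SAMPLE, replay(SAMPLE)), sep="\n")
```

Keying on the account as well as the source IP is what catches attempts spread across many addresses. A hard per-account block can itself be abused to lock out the legitimate user, so deployments often answer that condition with a challenge such as MFA instead.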

Account Takeover Prevention by Reblaze

Reblaze is a comprehensive web security solution that includes all the above ATO protection features, along with a next-generation cloud WAF, DDoS protection, API security, and more. For more information or to get a demo, contact us.
