new favorite target of fraudsters


Digital identity is an important resource today, including for financially motivated malicious actors.

According to a recent study by Verizon, 61% of data breaches are due to compromised credentials. It is a common tactic among fraudsters: by logging in with credentials that belong to someone else, they avoid detection while harvesting stolen information and data, which then lets them carry out further fraudulent transactions.

Although access control is a fundamental tool for defending systems, it has its limits. Attackers constantly try to get around these account access barriers, often targeting login and payment paths. Many organizations are therefore investing in anti-fraud technologies to detect these attacks and mitigate their impact.

However, fraudsters’ tactics are equally effective when they target identity systems, such as systems for provisioning, device management, enrollment, and password recovery. These systems, which are the basis of access control, are becoming a prime target for fraudsters.

Increasingly expert scammers

Historically, fraudsters used credentials available on the dark web – compromised through data leaks or breaches – without knowing whether those accounts had any value. They also lacked accurate information about how real users behave, which they need to avoid detection when accessing accounts illegitimately.

Today, ransomware groups such as LockBit, Avaddon, DarkSide, Conti, and BlackByte rely on initial access brokers (IABs) to buy data taken from vulnerable organizations on dark web forums. These brokers have grown in popularity recently because they make purchasing credentials easy and affordable. This shows how the business acumen of dark web fraudsters continues to improve.

An increase in identity-related attacks

Recent attacks and extortion attempts, such as those targeting Okta and Microsoft, illustrate the extent of the damage account takeover (ATO) attacks can cause. This type of attack is now the first choice for many fraudsters: a recent study shows that ATO attacks increased by 148% between 2020 and 2021. The Lapsus$ group, for example, carried out all of its ATO attacks using stolen credentials. Such groups continue to buy compromised data and prefer credentials that grant access to source code.

While all online accounts are vulnerable to ATO attacks, malicious actors naturally prioritize targets with monetary value and stored payment information, such as bank accounts or loyalty accounts. Like Lapsus$, these fraudsters typically use automated tools, such as botnets, to launch ongoing attacks (credential stuffing or brute force attacks, for example) against high-value targets.

Fraud tactics also include phishing, call center scams, man-in-the-middle (MITM) attacks, and a technique known as click farms, in which other people are paid to enter credentials manually so as to bypass tools that detect automated logins. These methods take things to the next level, greatly increasing fraudsters' chances of acquiring personal information that can be used to access user accounts illegally.

Multi-level access control is no longer enough: make way for identity-based defense systems

Historically, access control has relied on authentication and authorization services to verify identities. Authentication identifies users; authorization determines what they are allowed to do.

While these services were once considered a good first line of defense against identity-based fraud, they can now be circumvented with relative ease. Fraudsters constantly probe organizations' systems at the point where security and usability trade off against each other. That does not mean defenders should pick one side: making a system only very secure, or only very easy to use, weakens the other attribute.

Organizations therefore need a second level of security: an automated and robust detection and mitigation solution, deployed to block attack methods that are increasingly sophisticated and dynamic.

One option is to focus on management tools that collect billions of consumer personas and behavioral traits. This lets security teams identify unusual user behavior in real time, including automated bot activity. With tools built on machine learning algorithms that "learn" how users behave, organizations can recognize fraud tactics throughout the identity lifecycle, including account provisioning and maintenance. This protects the data before it is compromised and sold to the highest bidder.
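To make the behavioral-detection idea concrete, here is an added example that is not part of the original article: a small detector run over a few constructed authentication log lines. It flags the three patterns discussed above: a credential-stuffing source (one IP failing against many accounts in a short window), an account receiving failed attempts from many IPs (the trace a click farm or proxy-rotating bot leaves, which per-IP rate limits miss), and a successful login from a device never seen for that account. The log format, field names, thresholds and sample data are all assumptions made for this example.

```python
"""Added example (not from the original article): a small behavioural detector run
over constructed authentication log lines. It flags three patterns discussed above:
  1. credential stuffing: one source IP failing against many distinct accounts quickly;
  2. distributed attempts on one account from many IPs (the trace a click farm or
     proxy-rotating bot leaves, which per-IP rate limits do not catch);
  3. a successful login from a device never seen before for that account.
Log format, field names and thresholds are assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    ip: str
    device: str
    success: bool


def parse_line(line):
    """Parse one line of the constructed format:
    '<ISO-8601 UTC> user=<name> ip=<addr> device=<id> result=success|fail'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuthEvent(datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
                     kv["user"], kv["ip"], kv["device"], kv["result"] == "success")


def parse_log(text):
    """Parse all non-empty lines and return the events in time order."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e.ts)


def _windowed_distinct(events, key, value, window, threshold):
    """Group failed events by `key`; report keys whose events inside any sliding
    time `window` cover at least `threshold` distinct `value`s."""
    groups = defaultdict(list)
    for e in events:
        if not e.success:
            groups[key(e)].append(e)
    flagged = set()
    for k, fails in groups.items():          # fails are already in time order
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            if len({value(f) for f in fails[start:end + 1]}) >= threshold:
                flagged.add(k)
                break
    return flagged


def credential_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Source IPs that failed logins against >= min_users accounts within `window`."""
    return _windowed_distinct(events, lambda e: e.ip, lambda e: e.user, window, min_users)


def distributed_targets(events, window=timedelta(minutes=10), min_ips=4):
    """Accounts that received failed logins from >= min_ips distinct IPs within `window`."""
    return _windowed_distinct(events, lambda e: e.user, lambda e: e.ip, window, min_ips)


def new_device_logins(events):
    """Successful logins from a device not previously seen for that account.
    The first successful login seeds the account's baseline and is not flagged."""
    seen = defaultdict(set)
    hits = []
    for e in events:
        if not e.success:
            continue
        if seen[e.user] and e.device not in seen[e.user]:
            hits.append((e.user, e.device, e.ip))
        seen[e.user].add(e.device)
    return hits


# Constructed sample log: one stuffing source, one account hit from four IPs,
# and one legitimate user later appearing on an unknown device.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z user=alice ip=203.0.113.7 device=d-alice-laptop result=success
2024-05-01T10:01:00Z user=carol ip=198.51.100.9 device=d-x result=fail
2024-05-01T10:01:10Z user=dave ip=198.51.100.9 device=d-x result=fail
2024-05-01T10:01:20Z user=erin ip=198.51.100.9 device=d-x result=fail
2024-05-01T10:01:30Z user=frank ip=198.51.100.9 device=d-x result=fail
2024-05-01T10:01:40Z user=grace ip=198.51.100.9 device=d-x result=fail
2024-05-01T10:05:00Z user=bob ip=192.0.2.1 device=d-a result=fail
2024-05-01T10:06:00Z user=bob ip=192.0.2.2 device=d-b result=fail
2024-05-01T10:07:00Z user=bob ip=192.0.2.3 device=d-c result=fail
2024-05-01T10:08:00Z user=bob ip=192.0.2.4 device=d-d result=fail
2024-05-01T10:30:00Z user=alice ip=203.0.113.50 device=d-unknown result=success
2024-05-01T10:31:00Z user=alice ip=203.0.113.7 device=d-alice-laptop result=fail
"""


def run_report(text=SAMPLE_LOG):
    """Run all three detectors and return their findings."""
    events = parse_log(text)
    return {
        "stuffing_sources": credential_stuffing_sources(events),
        "distributed_targets": distributed_targets(events),
        "new_device_logins": new_device_logins(events),
    }


if __name__ == "__main__":
    for name, finding in run_report().items():
        print(f"{name}: {finding}")
```

The per-IP detector alone would miss the attack on `bob`, because each of the four IPs fails only once; keying the same sliding window by account instead of by source is what surfaces the click-farm-style pattern. In production the thresholds would be tuned against the organization's own baseline rather than the fixed values used here.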

Ultimately, to defeat dynamic cybercriminals, companies must think like their primary enemies and employ systems that can prevent their customers’ identities from falling into the wrong hands.
