Intelligent CISO Issue 59 | Page 74

It's important to recognise that an attacker does not have to have access to a victim's email account or mobile phone to successfully carry out this type of attack.

ACCOUNT TAKEOVER FRAUD... AND HOW TO AVOID FALLING VICTIM

Anthony Daniel, Regional Director – Australia, New Zealand and Pacific Islands, WatchGuard Technologies, tells us how cybercriminals exploit victims through account takeover fraud and how to avoid it happening.

Cybercriminals target their victims in many different ways and one of the lesser-known methods is account takeover fraud (ATF).

ATF is not new, but it's a tactic that is being used more aggressively. Back in 2018, it caused estimated losses of around US$4 billion across the globe. During 2021, this figure rose by more than 200% and as of today it is estimated to be more than US$12 billion.
Anthony Daniel, Regional Director – Australia, New Zealand and Pacific Islands, WatchGuard Technologies
One of the methods used to mount such an attack is deceptively simple, yet the impact on a victim can be profound. It involves hijacking an account before the user has actually registered it.
For example, an attacker can create a new account on a service such as Dropbox or Zoom using a victim's credentials that have been stolen from another source. When the user themselves attempts to create a legitimate account, they are told that one in their name already exists. They are prompted to reset the password; however, the cybercriminal maintains access.
This type of cyberattack requires a number of factors to occur:
• The victim must not already have created an account with the identifier that is used.
• The cybercriminal needs to have acquired some form of legitimate user identification, such as an email address or a phone number.
• There must be a flaw in the setup process that allows an account to be created without needing to be verified.
It's important to recognise that an attacker does not have to have access to a victim's email account or mobile phone to successfully carry out this type of attack. There simply has to be no previous account on the service in the victim's name.
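The third factor above, account creation without verification, is the one a service can remove on its own. The following is an added example (not code from the article, from WatchGuard, or from any of the services named) of a registration flow that closes the gap: every new account starts unverified, cannot log in until the address owner presents the emailed token, and a later registration of the same unverified address discards whatever the earlier registrant set up, so a pre-registered placeholder gives its creator nothing once the real owner signs up. The in-memory store, the address victim@example.com and the outbox list standing in for outgoing mail are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    email: str
    password_hash: bytes
    salt: bytes
    verified: bool = False
    pending_token: Optional[str] = None
    sessions: Set[str] = field(default_factory=set)


class Registry:
    """Hypothetical in-memory account store (an assumption for illustration)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Stand-in for the outgoing verification mail: (recipient, token)
        self.outbox: List[Tuple[str, str]] = []

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def register(self, email: str, password: str) -> str:
        """Create an account, or re-claim an unverified one, and return the
        verification token that would be mailed to the address."""
        email = self._norm(email)
        existing = self.accounts.get(email)
        if existing is not None and existing.verified:
            # A verified account is never overwritten by a second sign-up.
            raise ValueError("account already exists; use password reset")
        # No account, or only an unverified placeholder: rebuild it from
        # scratch so the earlier registrant's password and sessions are gone.
        salt = secrets.token_bytes(16)
        token = secrets.token_urlsafe(32)
        self.accounts[email] = Account(
            email=email, password_hash=self._hash(password, salt), salt=salt,
            verified=False, pending_token=token,
        )
        self.outbox.append((email, token))
        return token

    def verify(self, email: str, token: str) -> bool:
        """Mark the account verified if `token` is the current pending token."""
        acct = self.accounts.get(self._norm(email))
        if acct is None or acct.pending_token is None:
            return False
        if not hmac.compare_digest(acct.pending_token, token):
            return False  # stale token from an earlier sign-up, or a guess
        acct.verified = True
        acct.pending_token = None
        acct.sessions.clear()  # nothing opened before verification survives
        return True

    def login(self, email: str, password: str) -> Optional[str]:
        """Return a session id, or None. Unverified accounts cannot log in."""
        acct = self.accounts.get(self._norm(email))
        if acct is None or not acct.verified:
            return None
        if not hmac.compare_digest(self._hash(password, acct.salt), acct.password_hash):
            return None
        sid = secrets.token_urlsafe(24)
        acct.sessions.add(sid)
        return sid

    def session_valid(self, email: str, sid: str) -> bool:
        acct = self.accounts.get(self._norm(email))
        return acct is not None and acct.verified and sid in acct.sessions


def walkthrough() -> dict:
    """Replay the article's scenario against this flow (constructed data)."""
    reg = Registry()
    victim = "victim@example.com"                       # constructed address
    stale = reg.register(victim, "pre-registered-pw")  # someone else signs up first
    before = reg.login(victim, "pre-registered-pw")     # None: never verified
    fresh = reg.register(victim, "owner-pw")            # real owner signs up later
    stale_ok = reg.verify(victim, stale)                # earlier token no longer valid
    fresh_ok = reg.verify(victim, fresh)                # owner proves control of inbox
    hijack = reg.login(victim, "pre-registered-pw")     # earlier password is gone
    sid = reg.login(victim, "owner-pw")
    return {
        "login_before_verification": before,
        "stale_token_accepted": stale_ok,
        "owner_token_accepted": fresh_ok,
        "earlier_password_still_works": hijack is not None,
        "owner_session_valid": sid is not None and reg.session_valid(victim, sid),
    }


if __name__ == "__main__":
    print(walkthrough())
```

The two design choices that matter are that login is refused until verification succeeds, and that re-registering an unverified address replaces the placeholder rather than reporting "account already exists" and steering the owner into a password reset that leaves the earlier registrant's sessions alive. Verification also clears any sessions, so a service that lets unverified users do limited things still drops them at the moment ownership is proven.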
There are a range of methods that cybercriminals can use to mount an account takeover attack. These include:
• Unexpired session ID attack: In these types of attacks, the cybercriminal generates a new


74 www.intelligentciso.com