Fraudsters have long favored Account Takeover (ATO) schemes, constantly innovating to evade detection. Forter’s analysts have recently discovered a clever new tactic in this ever-evolving landscape, and we’re sharing the details to help retailers bolster their defenses.
Account Takeover ‘Lite’
When fraudsters break into an online commerce account, there are many different ways they can leverage their access:
- Make a purchase using the payment method stored in the account
- Make a purchase leveraging the good reputation of the account to make it less likely a stolen payment method will be noticed
- Use loyalty points in the account to make a purchase
- View the personal information in the account and use that as part of a broader attack elsewhere
- Learn from past purchases that can be viewed to be able to mimic typical purchases
One of the challenges of ATO, for almost any of these attack variants, is the need to change the shipping address to enable the fraudster to get their hands on the items they’re ordering. To get around this, they may visit the account multiple times over a period of time, normalizing their presence and details and changing the shipping address long before they attempt a purchase. This requires quite an investment in the attack.
In this ‘lite’ version of ATO, fraudsters skip a lot of the process and simply change the shipping address. They don’t investigate the details of the account or its history, and they don’t even attempt a purchase. Their presence in the account is such a light touch that you might miss it if you’re not looking for it.
What’s clever about this is that the fraudster can simply wait for the genuine customer to return to the site. If the customer doesn’t check the address – which is the case more often than you might think – the goods are purchased by the legitimate customer in a transaction approved by the fraud department (because all the signs match the legitimate customer). The package then goes to the address provided by the fraudster.
ATO ‘Lite’ In Action
This trick appears to be popular with a particular fraud ring at the moment. One apparel retailer protected by Forter has seen over 100,000 attack attempts of this type in about three months.
Of the attacks, roughly 5,000 accounts had the customer going in to purchase after the address had been changed — which, if not caught, would have represented about $500,000 in loss to the retailer. These numbers are significant; it’s absolutely worth watching out for in your business as well.
This attack is a great example of why protecting and examining every aspect of the customer journey is so important. A focus on checkout would not catch these attacks because a legitimate customer makes the purchase with good intentions – the trickery has all happened beforehand.
To prevent this sort of attack, both login protection and examination of actions taken within accounts are essential. Fraudsters know this – and they know that not every retailer takes these measures. If you’re in a company that doesn’t take them yet, it may be time to change practice.
Fraud Rings Targeting Addresses as a Vulnerability
In late 2022, Forter started seeing a fraud ring experimenting with different ways of manipulating the address input of the checkout page. Our Trust Platform identified and blocked these attacks quickly during this early trial phase of the fraud ring and, as a result, had stopped seeing them by early October. Many retailers, however, were hit by a wave of attacks from this group during the holiday season of 2022. They caused such chaos that they became known as the Master Manipulators.
There isn’t enough evidence yet to confirm that the fraud ring trying out address manipulation now is the same one that tried it a year ago. Still, it’s certainly worth considering it as a possibility as there are some notable similarities:
- The attacks Forter has observed all attempt to ship to addresses within the U.S., but the addresses are very dispersed throughout the states
- Similarly, address manipulation tricks are often used as part of ATO lite, such as using ‘0’ for ‘o,’ writing out numbers, or using non-ASCI characters
- The fraud ring may well be operating from a very similar part of the world as the Master Manipulators
- The timing of the attack is also similar to the trial period used last year by that group
Does it matter whether it’s the same group? Not exactly, other than for the interest of investigative zeal … except that it means it might be even more worth protecting against than it would otherwise. In 2022, the address manipulation attack scaled fast and furious during the holiday period. If there’s a chance that might be headed toward digital commerce again this year, it’s best to be prepared and protected well ahead of time.
Regardless, this feather-light ATO trick is worth watching out for because your business will bear a heavy cost if you don’t catch it.
