Published: April 10, 2024
Reading time: 12 minute read
Written by: Forter Team

By Gunnar Peterson, CISO

Criminals rob banks because “that’s where the money is,” and for many years, that same logic led digital commerce companies to focus their protection on checkout. As the value of customer accounts has increased and expanded in diverse ways with stored payment methods, loyalty programs, special offers and more, fraudsters have shifted their time, resources and attention to attacking accounts. 

The amount under attack has increased for many digital commerce sites, too. Across Forter’s network, comparing pre-pandemic to the end of 2022, the average order value of items in ATO attacks increased by 51%. It didn’t decrease after that, and many industries even had slight growth. Accounts are valuable.

This guide gives fraud, infosec, and digital commerce leaders, and any team tasked with defending accounts, visibility into the top 10 attack trends in 2024 and how to mitigate them.

1) Authentication Flaws

Authentication guards the “front door” of sites, and much like with physical security, once a malicious actor is past the door, it’s much harder to identify them and ensure they don’t do any harm. This is particularly pertinent as, recently, criminals have started incorporating authentication processes into their attack methods, turning what should have been protection into an additional vulnerability.

Threat Description

Account takeover (ATO) attackers look for weak authentication controls as a means to spoof the identity of a legitimate account. Once a weakness has been found, attackers often employ bots to exploit it at scale. When login is not hardened, it is open to a range of attacks. These can include:

  • Brute force attacks
  • Password guessing
  • Password reuse
  • Password caching weaknesses
  • Malware that attempts to either steal credentials or map digital fingerprints
  • Social engineering attacks targeting Multi-Factor Authentication (“MFA fatigue”)

How to Defend

Organizations should consider a range of protection upgrades, including:

  • Velocity checking for login attempts, limiting the amount of retries per account
  • Velocity checking by IP address
  • Strong password controls, such as NIST 800-63b guidelines
  • Locking/disabling accounts when necessary
  • Strong variants of Multi-Factor Authentication
  • Dynamic friction at login — e.g., MFA used only for cases of doubt (in Forter’s experience, around two-thirds of MFA challenges fail, and the rest are not deterred from shopping)
  • Passwordless and/or Passkeys
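The velocity, lockout and dynamic-friction controls listed above are easy to describe and easy to get subtly wrong (a lockout that never expires, a per-IP counter that also punishes the legitimate user behind a shared NAT). The following is an added example, written for this guide and not code from Forter's platform, that puts the first six bullets into one small login guard: a sliding-window failure count per account, a sliding-window attempt count per IP (the same counter that catches one IP working through many accounts, the pattern behind credential stuffing), a timed account lockout, and a step-up decision that challenges for MFA only when the device is unfamiliar or failures are mounting. All thresholds, account names and device identifiers are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Thresholds are constructed for this example; tune them to your own traffic.
ACCOUNT_WINDOW_S = 300     # sliding window for failed attempts per account
ACCOUNT_MAX_FAILS = 5      # failures inside the window before the account is locked
IP_WINDOW_S = 60           # sliding window for attempts per source IP
IP_MAX_ATTEMPTS = 20       # attempts inside the window before the IP is blocked
LOCK_DURATION_S = 900      # how long a locked account stays locked
CHALLENGE_AFTER_FAILS = 2  # failures inside the window that trigger step-up MFA


@dataclass
class LoginGuard:
    """Velocity checks per account and per IP, with timed lockout and dynamic friction."""
    account_fails: dict = field(default_factory=lambda: defaultdict(deque))
    ip_attempts: dict = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict = field(default_factory=dict)
    known_devices: dict = field(default_factory=lambda: defaultdict(set))

    @staticmethod
    def _trim(q, now, window):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] > window:
            q.popleft()

    def decide(self, account, ip, device, now):
        """Return 'block', 'challenge' (step-up MFA) or 'allow'. Called before the password is checked."""
        if self.locked_until.get(account, 0) > now:
            return "block"
        ip_q = self.ip_attempts[ip]
        self._trim(ip_q, now, IP_WINDOW_S)
        if len(ip_q) >= IP_MAX_ATTEMPTS:
            return "block"   # one IP hammering many accounts: stuffing / spraying pattern
        ip_q.append(now)
        acc_q = self.account_fails[account]
        self._trim(acc_q, now, ACCOUNT_WINDOW_S)
        # Dynamic friction: challenge only when something looks off, not on every login.
        if device not in self.known_devices[account] or len(acc_q) >= CHALLENGE_AFTER_FAILS:
            return "challenge"
        return "allow"

    def record(self, account, device, now, success):
        """Feed back the outcome of the password (and MFA) check."""
        if success:
            self.account_fails[account].clear()
            self.known_devices[account].add(device)
            return
        acc_q = self.account_fails[account]
        self._trim(acc_q, now, ACCOUNT_WINDOW_S)
        acc_q.append(now)
        if len(acc_q) >= ACCOUNT_MAX_FAILS:
            self.locked_until[account] = now + LOCK_DURATION_S


def simulate():
    """Constructed scenario: a normal login, a new device, a brute-force run, a spraying IP, lock expiry."""
    g = LoginGuard()
    g.record("alice", "dev-A", 0, success=True)           # enrol Alice's usual device
    out = {}
    out["usual_device"] = g.decide("alice", "10.0.0.1", "dev-A", 10)
    out["new_device"] = g.decide("alice", "10.0.0.1", "dev-B", 20)
    for t in range(30, 35):                                # five failures in five seconds
        g.decide("alice", "10.0.0.9", "dev-X", t)
        g.record("alice", "dev-X", t, success=False)
    out["during_lockout"] = g.decide("alice", "10.0.0.1", "dev-A", 40)
    for i in range(IP_MAX_ATTEMPTS):                       # one IP trying many accounts
        g.decide(f"user{i}", "10.0.0.9", "dev-X", 100 + i)
    out["spraying_ip"] = g.decide("bob", "10.0.0.9", "dev-X", 130)
    out["after_lockout"] = g.decide("alice", "10.0.0.1", "dev-A", 1000)
    return out


if __name__ == "__main__":
    for name, decision in simulate().items():
        print(f"{name:15s} -> {decision}")
```

Note that the per-IP block fires before the password is ever checked, which is what keeps a stuffing run from consuming authentication capacity; the per-account counter, by contrast, only counts confirmed failures so that a burst of successful logins from a busy shared address does not lock anyone out.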

2) Use of Stolen Credentials

Often, the simplest way for an attacker to use an account is to simply log in. This can be accomplished by acquiring stolen credentials from a wide variety of sources, the result of account breaches, infostealing malware, and data leaks.

Threat Description

The availability of credentials for sale on the most popular stealer markets increased by 145% between 2022 and 2023. Many marketplace types exist for attackers to identify, verify, and buy valid accounts:

  • Github repositories
  • Dark web forums and marketplaces
  • Credential reuse across software supply chain

The average cost of these accounts continues to decline, which means that this problem will likely worsen.

How to Defend

Defenders should protect accounts from stolen credentials along two broad capabilities — strengthening protection and improving detection. In addition to the strong authentication techniques mentioned above, detection capabilities include:

  • Device fingerprinting to link sessions to known good and known bad devices
  • Network/graph-enabled behavioral analysis to identify suspicious activities and block in real-time
  • Scanning sources like GitHub and the Dark Web for leaked credentials
  • Rotating credentials

3) Credential Stuffing Attacks

Credential stuffing attacks are automated attacks that exploit the reality that many consumers reuse the same email and password combination across sites. As one example, Magecart has been a widely known type of malware used for this type of attack.

Threat Description

These attacks can be built off of any number of data breaches where usernames and passwords are leaked. The attackers can try combinations across a range of popular digital commerce and SaaS sites to find a match where the user uses the same password. These attacks can be more difficult to detect when delivered “low and slow.”

Bots are particularly popular in credential stuffing attacks. As many as 95% of credential stuffing attacks involve bots.

How to Defend

Any of the guidance to strengthen authentication can help fortify authentication servers against credential stuffing attacks; in addition to these defenses, consider:

  • Device fingerprinting to identify if the user is a bot or a human
  • Velocity checking based on IP and/or behavior
  • Bot detection and mitigation services

4) Naive Account Creation Hygiene and Validation

Faking account creation allows an attacker to create a fraudulent account that may be considered legitimate by the system. An attacker often leverages a naive account creation system to exfiltrate value, but there are other uses for this weakness as well. 

Threat Description

There are many possible variants here, including:

  • Duplicate account creation
  • Wholly fake information
  • Synthetic identity — combining real identity information with fake (increased by 35-45% over the last 18 months)
  • Bot-created identity

How to Defend

  • Identity proofing — validate account information against authoritative sources
  • For stronger controls, consider device fingerprinting to eliminate bots and malicious actors, and biometrics (see NIST 800-63A)

5) Malicious Account Updates

Once a malicious actor has gained access to an account, they can adapt the account in various ways to support a fraudulent or criminal scheme. Malicious account updates are typically carried out as the mid-term stage in a more extended operation, with the steps around gaining access to the account being the initial stage and the monetization aspect the final one.

Threat Description

Some malicious account updates may be passive, such as when a bad actor intentionally enters an account several times over a set period to acclimate the account (and the systems that protect it) to a new IP address or device fingerprint. Other updates may be active. Examples of active malicious account updates include:

  • Changing the contact information so that the bad actor receives communications from the account
  • Adding a method of MFA controlled by the malicious actor
  • Changing the shipping address so that the bad actor receives goods ordered — including goods ordered by the real customer
  • Adding a stolen payment method, which can then be used to make purchases 

How to Defend

  • Treat account updates as a potential vulnerability
  • Analyze users’ behavioral profiles for anomalies compared to past activity
  • Use digital fingerprinting to ensure a match with not just previous access but previous occasions of legitimate account updates
  • Employ identity graphs to identify suspicious parallels between activities/profiles in other accounts
  • Be willing to step up MFA or other dynamic friction to confirm identity when appropriate
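The defensive bullets above amount to a scoring problem: each account update carries a base sensitivity, the device making it is compared against devices seen at previous verified updates (not merely previous logins), and a chain of sensitive changes in a short period weighs more than any single one. The monitor below is an added example written for this guide, not Forter's scoring model; the field weights, the 24-hour chaining window, the step-up threshold and the account and device names are all constructed. It also exposes a checkout-time check, since a purchase shortly after a sensitive update is the handoff from the "mid-term stage" described above to the monetization stage.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed weights and windows for this example; not a vendor's scoring model.
SENSITIVE_FIELDS = {"email": 2, "phone": 2, "mfa_method": 3, "shipping_address": 2, "payment_method": 3}
CHAIN_WINDOW_S = 24 * 3600   # an earlier sensitive change inside this window counts as part of a chain
STEP_UP_SCORE = 4            # score at which the update is held behind MFA / dynamic friction


@dataclass(frozen=True)
class UpdateEvent:
    account: str
    field: str
    device: str   # device fingerprint
    ts: int


class AccountUpdateMonitor:
    def __init__(self):
        # Devices seen at previous *verified* updates, not merely at previous logins.
        self.update_devices: Dict[str, Set[str]] = {}
        self.recent: Dict[str, List[UpdateEvent]] = {}

    def _recent_sensitive(self, account, ts):
        return [e for e in self.recent.get(account, [])
                if e.field in SENSITIVE_FIELDS and ts - e.ts <= CHAIN_WINDOW_S]

    def score(self, ev: UpdateEvent) -> Tuple[int, List[str]]:
        score, reasons = SENSITIVE_FIELDS.get(ev.field, 0), []
        if score:
            reasons.append(f"sensitive field {ev.field}")
        seen = self.update_devices.get(ev.account, set())
        if seen and ev.device not in seen:
            score += 2
            reasons.append("device never used for a verified update on this account")
        chain = self._recent_sensitive(ev.account, ev.ts)
        if chain and ev.field in SENSITIVE_FIELDS:
            score += 2
            reasons.append("chained with earlier change to " + ", ".join(e.field for e in chain))
        return score, reasons

    def assess(self, ev: UpdateEvent) -> str:
        """Score the update, remember it for chaining, and return 'step_up' or 'allow'."""
        score, _ = self.score(ev)
        self.recent.setdefault(ev.account, []).append(ev)
        return "step_up" if score >= STEP_UP_SCORE else "allow"

    def confirm_legitimate(self, ev: UpdateEvent):
        """Call once the customer has passed the step-up; the device becomes trusted for updates."""
        self.update_devices.setdefault(ev.account, set()).add(ev.device)

    def checkout_needs_step_up(self, account, ts) -> bool:
        """A purchase soon after a sensitive update is the classic takeover-then-monetise sequence."""
        return bool(self._recent_sensitive(account, ts))


def simulate():
    """Constructed sequence: harmless change, address change, then email and MFA changes from a new device."""
    m = AccountUpdateMonitor()
    m.confirm_legitimate(UpdateEvent("alice", "email", "dev-A", 0))   # history: a verified update from dev-A
    steps = [
        ("newsletter", UpdateEvent("alice", "newsletter", "dev-A", 1000)),
        ("shipping_known_device", UpdateEvent("alice", "shipping_address", "dev-A", 2000)),
        ("email_new_device", UpdateEvent("alice", "email", "dev-B", 3000)),
        ("mfa_new_device", UpdateEvent("alice", "mfa_method", "dev-B", 3100)),
    ]
    out = {name: m.assess(ev) for name, ev in steps}
    out["checkout_same_day"] = m.checkout_needs_step_up("alice", 4000)
    out["checkout_next_week"] = m.checkout_needs_step_up("alice", 3100 + 7 * 24 * 3600)
    return out


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name:22s} -> {result}")
```

The shipping-address change from the customer's usual device passes on its own; the same change becomes part of the chain that pushes the later email and MFA changes from an unfamiliar device over the step-up threshold, which is the "compare against previous legitimate updates" behaviour the bullets call for.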

6) Exfiltration of Value

Within digital commerce, the purpose of account-related attacks is typically ultimately monetization. (Theft of data, disruption of activities, etc., may play a role but are rarely the main goal.) The key challenge for malicious attackers is, therefore, how to achieve the exfiltration of value without attracting suspicion.

Threat Description

Malicious actors may attempt to exfiltrate value from an account as money, goods or services. Money is usually extracted through the purchase of gift cards or similar mechanisms. Goods are purchased using stolen payment methods and sent to addresses controlled by the bad actor. Services are occasionally used as part of a wider scam (e.g., design services to create a website for a fake business or online ad services to promote a scam) but are usually sold on to unsuspecting customers at a “discount.” Note that with goods and services, one extra step, that of reselling, is required for monetization. Mechanisms used as part of an attempt to exfiltrate value include:

  • Add stolen payment method to hacked account to purchase gift cards
  • Add stolen payment method to hacked account to purchase goods, having changed the shipping address in this account
  • Use loyalty points in hacked account to make a purchase (accounts with loyalty programs attached are 4-5 times more likely to be targeted by fraudsters)
  • Transfer loyalty points from a hacked account to an account with a different business (through loyalty program shared benefits networks)
  • Set up an account using fake details and stolen payment methods to make purchases
  • Add stolen payment method to purchase services that are resold to (sometimes multiple) customers

How to Defend

  • Ensure checkout is protected by analysis of both the explicit data being used and the cyber/digital footprint and behavior of the user
  • Make sure your system is constantly looking for new patterns in behavior across your site, including as performed by apparently unconnected accounts
  • Protect loyalty points and programs to the same extent you protect other forms of cash value, including at checkout
  • Be willing to step up MFA or other dynamic friction to confirm identity when appropriate
  • Consider adding delays for how quickly gift cards can be employed after purchase

7) Low-Value Transaction Attacks

Sometimes referred to as the “attack by a thousand paper cuts” approach, some malicious actors aim to fly under the radar by only attempting very low value transactions, but returning repeatedly to do so. 

While this sounds relatively harmless, not only can the amounts become significant if the attack is permitted at scale, but successful low-value transactions can sometimes make an account or user look legitimate, paving the way for larger-value transactions afterward if the problem is not identified. Low-value transactions still incur fees from payment processors and count towards chargeback ratios, meaning that if attacks involving them are ignored, the cost to the company can come from more than one direction. 

Threat Description

Some systems ignore or strongly deprioritize the analysis of low-value transactions and, relatedly, the identification of malicious actors associated with them. This is often a holdover from times when teams relied heavily on manual review, so that, of necessity, strict prioritization of transaction review was required to ensure a reasonable balance between protection and customer experience. Low-value transactions were, in a sense, not worth reviewing. This attitude has influenced how some companies approach low-value transactions even now that automation has made the original reasoning obsolete.

One key challenge of identifying low-value transaction attacks is that they may employ any of a range of account-related attack methods. Malicious actors employing a low-value transaction attack may employ:

  • Bots to increase the scale of the attack with ease
  • Credential stuffing or password spraying for ATO or fraudulent account creation (see Account Threats 2, 3 and 4)
  • Attacks using multiple accounts
  • Attacks of multiple low-value transactions using a single account
  • Either multiple stolen payment methods or multiple transaction attempts using the same payment method
  • The attempt to use the payment method belonging to a hacked account

How to Defend

  • Ensure that low-value transactions are treated as a potential threat vector by your systems
  • Flag repeated low-value transactions within a given period, even from different accounts
  • Have your systems automatically look for connections between the users behind low-value transactions within a given period, particularly if an unusual velocity is observed
  • Make sure your bot protection is active both at checkout and login
  • Put cross-departmental collaboration in place internally to ensure any campaigns or deals involving low-value transactions are communicated to the fraud team ahead of time to enable appropriate preparation
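The second and third bullets above describe a detection that most rule engines do not do out of the box: treat low-value transactions as their own signal, and look for connections between the users behind them, even when the accounts appear unrelated. The function below is an added example written for this guide (not Forter's detection logic) that groups low-value transactions by account and by three linking signals (device fingerprint, IP address, tokenised payment instrument), slides a one-hour window over each group, and raises an alert when the same link value carries repeated low-value transactions from two or more accounts. The thresholds, account names, fingerprints and sample transactions are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple

# Constructed thresholds for this example; tune to your own order profile.
LOW_VALUE_LIMIT = 5.00                    # transactions at or below this are "low value"
WINDOW_S = 3600                           # look-back window
MIN_REPEATS = 3                           # repeats inside the window that raise an alert
LINK_KEYS = ("device", "ip", "payment")   # signals that tie apparently unconnected accounts together


@dataclass(frozen=True)
class Txn:
    id: str
    account: str
    amount: float
    device: str    # device fingerprint
    ip: str
    payment: str   # tokenised payment instrument
    ts: int


def low_value_alerts(txns: List[Txn]) -> List[Tuple[str, str, Tuple[str, ...], Tuple[str, ...]]]:
    """Return (link_type, link_value, accounts, txn_ids) per cluster of repeated low-value transactions.
    'account' alerts catch one account repeating; device/ip/payment alerts catch the same
    pattern spread across several accounts."""
    low = sorted((t for t in txns if t.amount <= LOW_VALUE_LIMIT), key=lambda t: t.ts)
    alerts = []
    for key in ("account",) + LINK_KEYS:
        groups = defaultdict(list)
        for t in low:
            groups[getattr(t, key)].append(t)
        for value, group in groups.items():
            best, start = None, 0
            for end in range(len(group)):          # sliding window over time-ordered transactions
                while group[end].ts - group[start].ts > WINDOW_S:
                    start += 1
                window = group[start:end + 1]
                accounts = {t.account for t in window}
                linked = key == "account" or len(accounts) >= 2
                if len(window) >= MIN_REPEATS and linked and (best is None or len(window) > len(best)):
                    best = window                  # keep the largest qualifying window
            if best:
                alerts.append((key, value, tuple(sorted({t.account for t in best})), tuple(t.id for t in best)))
    return alerts


# Constructed sample: four accounts on one device fingerprint, one account repeating on its own,
# and ordinary shoppers that must not be flagged.
SAMPLE_TXNS = [
    Txn("t1", "u1", 1.99, "fp-77", "203.0.113.10", "pay-1", 0),
    Txn("t2", "u2", 1.99, "fp-77", "203.0.113.11", "pay-2", 120),
    Txn("t3", "u3", 1.99, "fp-77", "203.0.113.12", "pay-3", 240),
    Txn("t4", "u4", 1.99, "fp-77", "203.0.113.13", "pay-4", 360),
    Txn("t5", "u5", 0.99, "fp-5", "198.51.100.5", "pay-5", 1000),
    Txn("t6", "u5", 0.99, "fp-5", "198.51.100.5", "pay-5", 1600),
    Txn("t7", "u5", 0.99, "fp-5", "198.51.100.5", "pay-5", 2200),
    Txn("t8", "u6", 1.50, "fp-6", "198.51.100.6", "pay-6", 3000),
    Txn("t9", "u6", 80.00, "fp-6", "198.51.100.6", "pay-6", 3100),
    Txn("t10", "u7", 2.00, "fp-7", "198.51.100.9", "pay-7", 5000),
    Txn("t11", "u8", 2.00, "fp-8", "198.51.100.9", "pay-8", 20000),   # same IP, hours apart
]

if __name__ == "__main__":
    for alert in low_value_alerts(SAMPLE_TXNS):
        print(alert)
```

Two shoppers on a shared IP hours apart produce nothing, while four "unconnected" accounts buying $1.99 items from one device fingerprint inside six minutes surface as a single cluster, which is the connection the bullets ask your systems to look for automatically.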

8) Lateral Movement

Lateral movement threats concern the “and then what?” after a compromise: the attacker moves vertically (deeper) into a given system and/or roams horizontally into systems that are connected to customer-facing systems. The potential for unintended consequences due to this connectivity is high.

Threat Description

Lateral movement threats are usually an N+1 consequence of a successful attack, such as an account takeover. Attackers will maximize initial access to gain access beyond the account’s intended privileges, and this could include:

  • Accessing help desk or IT systems
  • Accessing source code
  • Using social engineering to plant phishing messages to gain admin privileges
  • Taking over business-critical systems

How to Defend

  • Identify static credentials and, where feasible, replace them with dynamic credentials through a rotation process
  • Harden account-adjacent systems where an attacker could use initial access to gain a foothold in related systems, such as by limiting access through segmentation and role-based access control
  • Ensure that customer-facing processes such as IT, Help Desk, and Customer Support systems use multiple factors to authenticate communications
  • Ensure administrative accounts are segmented from customer accounts

9) Triangulation

Malicious actors using a triangulation method leverage an account to place orders that are shipped to other people. Those people usually think they have made a purchase via a social media page, marketplace seller or messaging app. In fact, this is run by the bad actor, who fills the orders using stolen payment methods.

Threat Description

Triangulation is notable for the extent to which it can operate at scale. A malicious actor that has developed a successful model for triangulation will typically have a number of ongoing operations, and when one is closed down, shift focus to others and keep creating new accounts to keep going. As part of a triangulation attack, a malicious actor will:

  • Open an account to ship goods to multiple locations
  • Employ stolen payment methods
  • More rarely, hack an account to leverage its good reputation
  • Use account handover — when a malicious actor pays for access to a previously legitimate account

How to Defend

  • Ensure your system automatically flags when a single account is ordering goods to multiple addresses within a given timeframe that would be unusual for your business
  • Have friction in place to protect scenarios in which multiple payment methods are being used by or tied to a single account
  • Be willing to step up MFA or other dynamic friction to confirm new addresses in case of ATO
  • Track access to accounts so that if a new user accesses an existing account, it has additional oversight to make identification of account handover easier
  • If possible, use resources or third parties to research platforms such as Facebook groups and Telegram channels used for triangulation, and flag when your site or app is mentioned
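The first two defensive bullets above, a single account shipping to an unusual number of addresses within a timeframe and a single account tied to multiple payment methods, can be checked on the order stream directly. The function below is an added example written for this guide, not Forter's rule set: it slides a seven-day window over each account's orders, counts distinct ship-to addresses after light normalisation (so “12 Main St., Apt 4” and “12 main st apt 4” are not counted twice), counts distinct tokenised payment instruments, and returns the reasons each account was flagged. The window, both limits, the account names and the sample orders are constructed; what counts as unusual depends on your business.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed thresholds for this example; what counts as "unusual" depends on the business.
WINDOW_S = 7 * 24 * 3600
MAX_DISTINCT_ADDRESSES = 3   # more than this many ship-to addresses in a window is suspicious
MAX_DISTINCT_PAYMENTS = 2    # more than this many payment instruments in a window is suspicious


@dataclass(frozen=True)
class Order:
    account: str
    ship_to: str
    payment: str   # tokenised payment instrument
    ts: int


def normalise_address(addr: str) -> str:
    """Fold case, punctuation and spacing so trivial variants of one address compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()


def triangulation_flags(orders: List[Order]) -> Dict[str, List[str]]:
    """Map each flagged account to the sorted list of reasons it tripped."""
    by_account = defaultdict(list)
    for o in sorted(orders, key=lambda o: o.ts):
        by_account[o.account].append(o)
    flags = {}
    for account, olist in by_account.items():
        reasons, start = set(), 0
        for end in range(len(olist)):              # sliding window over the account's orders
            while olist[end].ts - olist[start].ts > WINDOW_S:
                start += 1
            window = olist[start:end + 1]
            if len({normalise_address(o.ship_to) for o in window}) > MAX_DISTINCT_ADDRESSES:
                reasons.add("address_fan_out")
            if len({o.payment for o in window}) > MAX_DISTINCT_PAYMENTS:
                reasons.add("multiple_payment_methods")
        if reasons:
            flags[account] = sorted(reasons)
    return flags


DAY = 24 * 3600
# Constructed sample orders.
SAMPLE_ORDERS = [
    # reseller: four addresses and three cards inside two days
    Order("reseller", "1 Oak Ave, Springfield", "card-a", 0),
    Order("reseller", "2 Elm St, Springfield", "card-b", DAY // 2),
    Order("reseller", "3 Pine Rd, Shelbyville", "card-c", DAY),
    Order("reseller", "4 Birch Ln, Capital City", "card-a", 3 * DAY // 2),
    # family: one address written three ways plus a single gift, one card
    Order("family", "12 Main St., Apt 4", "card-f", 0),
    Order("family", "12 main st apt 4", "card-f", DAY),
    Order("family", "12 MAIN ST APT 4", "card-f", 2 * DAY),
    Order("family", "99 Lake Dr", "card-f", 3 * DAY),
    # gifter: four addresses, but spread over two months
    Order("gifter", "5 A St", "card-g", 0),
    Order("gifter", "6 B St", "card-g", 20 * DAY),
    Order("gifter", "7 C St", "card-g", 40 * DAY),
    Order("gifter", "8 D St", "card-g", 60 * DAY),
]

if __name__ == "__main__":
    for account, reasons in triangulation_flags(SAMPLE_ORDERS).items():
        print(account, reasons)
```

The address normalisation is deliberately crude; in production you would key on a geocoded or address-verification identifier, but even this level stops a household that types its own address inconsistently from looking like fan-out, while the "gifter" account shows why the window matters: the same four addresses over two months are ordinary behaviour.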

10) Good Customer, Cheating Intent

Top trends in account threats largely come from professional malicious actors. However, bad behavior carried out by customers who are otherwise legitimate and often using their own identity is also increasing as a trend.

Threat Description

Customers who are normally good customers sometimes “cheat” the system. This is often seen by setting up multiple accounts, usually to take advantage of promotions, discounts or generous returns policies. Most companies consider a small amount of this behavior acceptable, and a sign of strong brand engagement, but this abuse can be very costly at scale. Commonly attacked areas include:

How to Defend

  • Ensure basic lines of defense are in place against the simplest tricks even when real customers use them, e.g., setting up accounts with almost duplicate emails from the same IP and/or name, deleting one account and instantly setting up a new identical one, etc.
  • Distinguish between the malicious/legitimate determination on the one hand and, on the other, analysis of individual customer behavior that can be used to flag abuse
  • Determine your business “red lines” — at what point is cheating too much?
  • Ensure your anti-abuse policies are in line with company goals and established in collaboration with relevant departments and stakeholders
  • Have situation-sensitive analysis; some customers only cheat during the holiday periods, for example, so protection is only required in their cases during that season