The Iconic is the latest Account Takeover victim in the news
Major Australian fashion ecommerce website, theiconic.com.au, recently announced they would be refunding victims of an account takeover attack. The attack allowed fraudsters to order items using the stored credit cards in the victim's account and have them sent to locations in Victoria.
The fraud led to major reputational damage to The Iconic, as users took to social media to complain about both the fraud, and the difficulty in contacting support at the company to notify/complain about it.
The Iconic deserves credit for issuing refunds to affected users. This stands in stark contrast to the response to a similar recent attack at 23andme.com. While 23andMe victims didn't suffer any monetary loss, the website's response was to change its terms and conditions and blame the victims for reusing passwords across sites. That same reuse of passwords is what allowed users at The Iconic to be defrauded.
EDIT: Since writing this article major websites, danmurphys.com.au, binge.com.au and guzmanygomez.com have all been affected by similar credential stuffing attacks.
So why and how are these attacks carried out, and what can you do about it?
Why are Account Takeover attacks carried out?
Financial gain remains a primary motivator. Once they gain control of an account, attackers can make unauthorised purchases (as in the case of The Iconic), transfer funds, or access credit card details. eCommerce platforms, financial services, and any site with stored payment information are particularly vulnerable. Bypassing fraud controls is another major motivator: many eCommerce stores will trust orders from an existing account with a purchase history, enabling fraudsters to order goods with stolen cards that would be flagged if placed from a fresh account.
Access to sensitive information is another goal. Personal data, confidential business information, or intellectual property can be exploited for various illegal purposes, including identity theft, selling data on the dark web (23andMe), or corporate espionage.
ATO attacks also enable further malicious activities. Compromised accounts can be used to distribute malware, launch further attacks, or perpetrate scams. This can damage the reputation of the affected website, erode user trust, and lead to significant financial and legal repercussions.
How are Account Takeover attacks carried out?
Here's an overview of the common techniques used to compromise user accounts on websites:
Phishing: Phishing involves tricking users into revealing their login credentials. Attackers send emails or messages resembling legitimate communications from trusted entities, directing users to fraudulent websites where their details are captured.
Credential Stuffing: This method involves using previously breached username and password pairs to gain access to accounts on different websites. Since many users reuse passwords across multiple platforms, attackers can successfully breach accounts by trying these known combinations. Credential Stuffing is the type of attack used on both The Iconic and 23andMe.
Brute Force Attacks: Attackers use automated software to generate and try a vast number of username and password combinations until they find the right one to gain access.
Social Engineering: Beyond technical methods, fraudsters often use social engineering tactics to manipulate individuals into revealing their credentials. This can be through phone calls, social media interactions, or other personal contact methods.
What can users do about it?
Users can reduce the risk of their accounts being taken over by:
- Using a password manager so that every site gets a strong, unique password.
- Checking their commonly used email addresses on Have I Been Pwned and, if listed, changing the exposed passwords everywhere they were used.
- Enabling MFA (Multi-Factor Authentication) wherever a website offers it.
- Being alert to phishing attempts. Never follow links or call numbers in unsolicited emails; go to the site directly to log in or look up the phone number. If you receive a phone call asking for personal or login information, hang up and call back on an official company number to be sure you're talking to a legitimate company representative.
What can websites do about it?
Quite a bit. Websites can minimise the risk by:
- Enforcing strong passwords, including rejecting passwords that are known to have appeared in breaches.
- Offering MFA on login forms to make takeovers harder, and encouraging it for accounts that hold stored payment details.
- Checking logins against Have I Been Pwned to alert users that their credentials may be compromised, and forcing a password change when they are.
- Locking accounts after a small number of failed attempts (3 to 5) for a set amount of time. Keep the lockout temporary: a permanent lockout lets an attacker deny service to legitimate users simply by guessing wrong.
- Emailing account holders when changes to an account happen, e.g. changes to email or delivery address, and giving them a support channel that actually responds so the fraud can be stopped in time.
- Preventing automated abuse of login forms (covered in more detail in the next section).
- Monitoring login attempts for suspicious activity, i.e. unusual volumes of attempts or failures and logins from odd locations.
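The Have I Been Pwned check in the list above can be done without sending the password, or even its full hash, to a third party, by using the Pwned Passwords range API's k-anonymity model. The following is an added example and not code from The Iconic, 23andMe or Have I Been Pwned: it hashes the password with SHA-1, sends only the first five hex characters of the hash, and matches the remaining 35 locally. The `live_fetch` function calls the real endpoint (`https://api.pwnedpasswords.com/range/<prefix>` with the `Add-Padding` header), but the default fetcher returns a constructed in-memory response so the code runs offline; the suffixes and counts in that sample are made up, apart from the suffix of the word "password".

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords range response for prefix "5BAA6".
# Each line is "<35 hex chars of SHA-1 suffix>:<count>". The real endpoint
# returns several hundred lines; these suffixes and counts are made up,
# except that the second suffix really is the SHA-1 suffix of "password"
# (its count here is illustrative, not the live figure).
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # "password"
        "0F28F9B4B4E0E2B4B9A4B3C3DEADBEEF000:0",        # padding entry (count 0)
    ]),
}


def hash_parts(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split into the 5-char prefix sent to HIBP
    and the 35-char suffix that never leaves this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Turn a range response into {suffix: count}. When Add-Padding is used the
    API mixes in fake entries with a count of 0; those must be ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def offline_fetch(prefix: str) -> str:
    """Constructed stand-in for the network call; unknown prefixes return an empty range."""
    return SAMPLE_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real query against the Pwned Passwords range endpoint (not used in the offline demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "ato-password-check-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = offline_fetch) -> int:
    """How many times the password has been seen in breaches (0 = not found)."""
    prefix, suffix = hash_parts(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def is_breached(password: str, fetch_range: Callable[[str], str] = offline_fetch) -> bool:
    return pwned_count(password, fetch_range) > 0


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-7#q"):
        print(pw, "seen", pwned_count(pw), "times")
```

Run the same `is_breached` check at registration, on password change, and after a successful login (pass `live_fetch` in production); a hit at login is the moment to force a reset rather than just send a warning email. The prefix is the only thing that leaves the server, so a breach of the third party's logs cannot reveal which of the hundreds of hashes in the range a user actually has.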
Preventing automated log in attempts
Credential stuffing and brute force account takeover attacks rely on trying many username/password combinations to find valid logins, using automated tools like OpenBullet. There are many techniques that mitigate attacks of increasing sophistication. Some can be implemented on your own server if you know how, or at your CDN/WAF provider if you have one.
- Block login attempts made over HTTP/1.1. This rule relies on the fact that most attackers automate with scripting languages whose HTTP libraries speak HTTP/1.1 by default, while all modern browsers negotiate HTTP/2 or higher. It only works if your edge actually serves HTTP/2, and an attacker who notices can switch to an HTTP/2 client, so treat it as a cheap signal rather than a hard control.
- Block attempts with a missing or incorrect Referer header. To log in you have to visit the login page and fill out a form; automated scripts skip the page and POST straight to the login handler, so more often than not the referring login page is absent from the request. The header is trivially spoofed once noticed, and some legitimate users behind strict privacy settings send no Referer, so score it rather than relying on it alone.
- Use bot management to detect automated login attempts. Bot management services use techniques like network and browser fingerprinting and behavioural analysis (mouse movement, form interaction, typing speed) to determine whether the login attempt is human or a bot.
- Use advanced rate limiting keyed on the client rather than its address. No bot management solution is foolproof: sophisticated attackers use full browsers and rotate their IP address through residential proxies to get past protections, and traditional IP-based rate limiting is useless against that. Advanced rate limiting instead counts attempts by an identifier of the connecting program (for example a TLS fingerprint such as JA3/JA4, or the bot manager's own client fingerprint), which stays constant while the IPs change, both to block the attack and to raise an alert that one is underway.
- Use residential proxy detection to flag logins as a fraud signal; a login from a residential proxy range is a strong indicator of the IP rotation described above.
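The header checks and the fingerprint-keyed rate limit from the list above, combined into one screening function and replayed over constructed traffic. This is an added example, not the logic of any named site or WAF vendor: the `client_fp` field is an assumed stand-in for whatever per-client fingerprint your edge exposes (a JA3/JA4 TLS hash, for instance), the site origin, thresholds and sample requests are made up, and the "allow or block" policy is the simplest one that makes the point. The simulation shows that a crude script is stopped by the header signals, a headless browser that sends the right headers is stopped only by the fingerprint-keyed limit, and an IP-keyed counter never sees more than one attempt per address because the bot rotates IPs.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional
from urllib.parse import urlparse

# Assumed site details for the example.
LOGIN_ORIGIN = "https://shop.example"
LOGIN_PAGE_PATH = "/login"


@dataclass
class LoginRequest:
    ip: str
    http_version: str       # as seen by the edge, e.g. "HTTP/1.1" or "HTTP/2"
    referer: Optional[str]  # Referer header, None if absent
    client_fp: str          # assumed: a per-client fingerprint (e.g. JA3/JA4) exposed by the edge
    t: float                # request time, epoch seconds


def header_signals(req: LoginRequest) -> List[str]:
    """The two cheap header checks. Both are spoofable, so they are signals, not proof."""
    reasons: List[str] = []
    if req.http_version.upper() == "HTTP/1.1":
        reasons.append("http/1.1")
    if req.referer is None:
        reasons.append("missing-referer")
    else:
        u = urlparse(req.referer)
        if f"{u.scheme}://{u.netloc}" != LOGIN_ORIGIN or u.path != LOGIN_PAGE_PATH:
            reasons.append("bad-referer")
    return reasons


class SlidingWindowLimiter:
    """Counts events per key inside a sliding window. The key is the caller's choice:
    an IP address (defeated by rotating proxies) or a client fingerprint."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window_s = window_s
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False          # over budget: do not record, just refuse
        q.append(now)
        return True

    def peak(self) -> int:
        """Largest number of in-window attempts seen under any single key."""
        return max((len(q) for q in self._hits.values()), default=0)


def screen_login(req: LoginRequest, fp_limiter: SlidingWindowLimiter) -> List[str]:
    """Returns the reasons to block the attempt; an empty list means allow."""
    reasons = header_signals(req)
    # The fingerprint counter is always updated so a flood from one tool stays
    # visible for alerting even when every attempt was already blocked on headers.
    if not fp_limiter.allow(req.client_fp, req.t):
        reasons.append("fingerprint-rate-limit")
    return reasons


def simulate() -> Dict[str, int]:
    """Replays constructed traffic: one real browser login, a crude script, and a
    stealthier headless-browser bot, the latter two rotating IPs on every attempt."""
    fp_limiter = SlidingWindowLimiter(limit=10, window_s=60.0)
    ip_limiter = SlidingWindowLimiter(limit=10, window_s=60.0)  # for comparison only
    out = {"browser_allowed": 0, "crude_blocked": 0, "crude_allowed": 0,
           "stealth_allowed": 0, "stealth_blocked": 0, "peak_attempts_per_ip": 0}
    good_referer = f"{LOGIN_ORIGIN}{LOGIN_PAGE_PATH}"

    browser = LoginRequest("198.51.100.7", "HTTP/2", good_referer, "fp-chrome-120", 1.0)
    ip_limiter.allow(browser.ip, browser.t)
    if not screen_login(browser, fp_limiter):
        out["browser_allowed"] += 1

    # Crude script: HTTP/1.1, no Referer, new IP each time, one shared tool fingerprint.
    for i in range(30):
        r = LoginRequest(f"203.0.113.{i}", "HTTP/1.1", None, "fp-python-requests", 10.0 + i)
        ip_limiter.allow(r.ip, r.t)
        out["crude_blocked" if screen_login(r, fp_limiter) else "crude_allowed"] += 1

    # Stealth bot: headless browser over HTTP/2 with a correct Referer, rotating IPs.
    # Header checks pass; only the fingerprint-keyed limit catches it after 10 tries.
    for i in range(30):
        r = LoginRequest(f"192.0.2.{i}", "HTTP/2", good_referer, "fp-headless-chrome", 100.0 + i)
        ip_limiter.allow(r.ip, r.t)
        out["stealth_blocked" if screen_login(r, fp_limiter) else "stealth_allowed"] += 1

    out["peak_attempts_per_ip"] = ip_limiter.peak()
    return out


if __name__ == "__main__":
    print(simulate())
```

In a real deployment the fingerprint key comes from the edge (the bot manager's client identifier or a JA3/JA4 hash) and the counters live in a shared store rather than process memory, but the shape is the same: key the count on something the attacker cannot rotate as cheaply as an IP, and alert on the fingerprint that exceeds the limit, since that is the attack in progress.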
Conclusion
Unfortunately 23andMe used the tactic of blaming the victims for reusing passwords. While they offered MFA, they didn't enforce it, and evidently didn't enforce strong passwords either. Further, while they had a major security vendor in place, that vendor was either ineffective or not utilised properly. All up, 14k accounts were compromised, and 7 million other accounts accessed via a sharing feature. That level of activity should have been caught much earlier unless the attacker was extremely sophisticated and patient, carrying out the attack over a long period of time. That amount of effort belies 23andMe's claim that "the information that was potentially accessed cannot be used for any harm". Haven't they heard of Bond villains making genetic weapons...
The Iconic uses the same security vendor as 23andMe and doesn't offer MFA. Its automated prevention is weak (no bot protection and only IP-based rate limiting, which allowed 300 attempts), and that is what let the attacks happen. Desperate users were notified of changes to their accounts but couldn't get in touch with support in time to stop the attackers using their stored credit cards. Laudably, The Iconic is refunding affected customers.
While no countermeasure is perfect at preventing account takeovers, the potential loss of reputation and damage to customers makes it imperative that website owners take all possible steps to prevent them. Users also bear responsibility for securing their accounts, but websites that hold sensitive information need to take every step possible to protect themselves and their users, not wash their hands of it and blame the victims.