Major Australian fashion ecommerce website theiconic.com.au recently announced it would refund victims of an account takeover attack. The attack allowed fraudsters to order items using stored credit cards in the victims' accounts and have them sent to locations in Victoria.
The fraud caused reputational damage to The Iconic, with users taking to social media to complain about both the fraud and the difficulty of contacting support to report it.
The Iconic deserves credit for issuing refunds to affected users. That stands in stark contrast to the response to a similar recent attack at 23andme.com. While 23andme victims didn't suffer any monetary loss, the website's response was to change its terms and conditions and blame the victims for reusing passwords across sites. That same password reuse is what allowed users at The Iconic to be defrauded.
EDIT: Since writing this article, major websites danmurphys.com.au, binge.com.au and guzmanygomez.com have all been affected by similar credential stuffing attacks.
So why and how are these attacks carried out, and what can you do about it?
Why are Account Takeover attacks carried out?
Financial gain remains a primary motivator. Once they gain control of an account, attackers can make unauthorised purchases (as in the case of The Iconic), transfer funds, or access credit card details. eCommerce platforms, financial services, and any site with stored payment information are particularly vulnerable. Bypassing fraud controls is another major motivator. Many eCommerce stores will trust orders from an existing account with a history, allowing fraudsters to order goods with stolen cards.
Access to sensitive information is another goal. Personal data, confidential business information, or intellectual property can be exploited for various illegal purposes, including identity theft, selling data on the dark web (23andMe), or corporate espionage.
ATO attacks can also enable further malicious activity. Compromised accounts can be used to distribute malware, launch further attacks, or perpetrate scams. This can damage the reputation of the affected website, erode user trust, and lead to significant financial and legal repercussions.
How are Account Takeover attacks carried out?
Common techniques used to compromise user accounts on websites include:
Phishing: Phishing involves tricking users into revealing their login credentials. Attackers send emails or messages resembling legitimate communications from trusted entities, directing users to fraudulent websites where their details are captured.
Credential Stuffing: This method involves using previously breached username and password pairs to gain access to accounts on different websites. Because many users reuse passwords across multiple platforms, attackers can successfully breach accounts by trying these known combinations. Credential Stuffing is the type of attack used on both The Iconic and 23andMe.
Brute Force Attacks: Attackers use automated software to generate and try a vast number of username and password combinations until they find the right one to gain access.
Social Engineering: Beyond technical methods, fraudsters often use social engineering tactics to manipulate individuals into revealing their credentials. This can be through phone calls, social media interactions, or other personal contact methods.
What can users do about it?
Users can reduce the risk of their accounts being taken over by:
- Using a password manager to use strong, different passwords on different sites.
- Checking their commonly used email addresses on Have I Been Pwned and, if listed, making sure the exposed passwords are updated.
- Making sure MFA (Multi Factor Authentication) is enabled if available on a website.
- Being alert to phishing attempts. Never follow links or call numbers given in emails; go to the site directly to log in or look up phone numbers. If you receive a phone call asking for personal or login information, always hang up and call back on an official company number to be sure you're talking to a legitimate company representative.
What can websites do about it?
Quite a bit. Websites can minimise the risk by:
- Enforcing strong passwords.
- Providing MFA options on login forms to make account takeover more difficult.
- Checking logins against Have I Been Pwned to alert users that their account might be compromised.
- Locking accounts after 3 or more failed attempts for a set amount of time.
- Emailing account holders when changes to an account happen, e.g. changes to email or delivery address.
- Preventing automated abuse of login forms; we'll go into more detail in the next section.
- Monitoring login attempts for suspicious activity, i.e. an unusual number of attempts or failures and odd locations.
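As an added example (not code from the original post), this is one way to do the Have I Been Pwned check at login time using the Pwned Passwords range API: only the first five hex characters of the password's SHA-1 are sent, and the match is done locally (k-anonymity). The endpoint URL is the real one; the User-Agent string and the offline stand-in response are constructed for the example.

```python
import hashlib
import urllib.request

# Pwned Passwords range endpoint: only the first 5 hex chars of the SHA-1 leave the server;
# the API returns every known suffix for that prefix with a breach count (k-anonymity).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def pwned_count(password: str, fetch_range) -> int:
    # fetch_range(prefix) -> response body text; injected so the check can run offline
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        hash_suffix, _, count = line.strip().partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)   # padded entries carry count 0, which reads as "not seen"
    return 0

def live_range_fetcher(prefix: str) -> str:
    # Real network fetch. HIBP requires a User-Agent (value here is a placeholder); the
    # Add-Padding header hides the response size so an observer cannot infer the prefix.
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "ato-blog-example", "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def constructed_range_fetcher(prefix: str) -> str:
    # Offline stand-in for the API (constructed data): pretends "password123" was seen 1000 times
    known = sha1_hex("password123")
    lines = ["0123456789ABCDEF0123456789ABCDEF012:7"]  # unrelated filler entry
    if known[:5] == prefix:
        lines.append(f"{known[5:]}:1000")
    return "\r\n".join(lines)

def login_check(password: str, fetch_range=constructed_range_fetcher) -> str:
    # What a login handler could do: let the user in, but warn and prompt a reset
    # when the password is known to be breached
    count = pwned_count(password, fetch_range)
    if count > 0:
        return f"warn: password seen {count} times in breaches, prompt a reset"
    return "ok"
```

Pass `live_range_fetcher` as `fetch_range` to query the real service; the default fetcher keeps the example offline.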
Preventing automated login attempts
Credential stuffing and brute force account takeover attacks rely on trying many username/password combinations to find valid logins, and on automated tools like OpenBullet to carry them out. There are many techniques that can mitigate attacks of increasing sophistication. Some can be implemented on your server if you have the expertise, or at your CDN/WAF provider if you have one.
- Block attempts to log in over HTTP/1.1. This rule relies on the fact that most attackers will be using scripting/programming languages for their automation. All modern browsers will use HTTP/2 or higher, while scripts will use HTTP/1.1 by default.
- Block attempts with no or incorrect Referer header. To log in you have to visit a login page and fill out a form. Automated scripts bypass the login page and POST straight to the login handler, so more often than not the referring login page is missing from the request.
- Use Bot Management to detect automated login attempts. Bot management services can use sophisticated techniques like network and browser fingerprinting and behavioural analysis, i.e. mouse movement, form access and speed, to determine whether the login attempt is human or a bot.
- Use Advanced Rate Limiting to limit login attempts from a class of device. No bot management solution is foolproof; sophisticated attackers will use full browsers and rotate their IP address using residential proxies to get past protections. Traditional IP address based rate limiting is useless against these sorts of attacks. Advanced rate limiting can count attempts by the connecting program type to defeat such attacks and generate alerts when an attack is happening.
- Use residential proxy detection to flag logins as a fraud signal.
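As an added example (not code from the original post), the HTTP/1.1 rule, the Referer rule and the per-program-type rate limit above, applied to a constructed login log; the lockout threshold from the previous section (3 failures) is reused here as the per-class limit. The log format, the site URL https://shop.example/login and the sample lines are assumptions made for the example.

```python
import re
from collections import Counter
LOGIN_PATH = "/login"
ALLOWED_REFERER = "https://shop.example/login"  # assumption: the site's own login page URL
LIMIT_PER_CLASS = 3  # the article's "3 or more failed attempts", counted per client class
# Constructed sample log (not real traffic): ip "METHOD path PROTO" status "referer" "user-agent"
SAMPLE_LOG = """\
203.0.113.5 "POST /login HTTP/2.0" 200 "https://shop.example/login" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
198.51.100.7 "POST /login HTTP/1.1" 401 "-" "python-requests/2.31"
198.51.100.8 "POST /login HTTP/1.1" 401 "-" "python-requests/2.31"
198.51.100.9 "POST /login HTTP/1.1" 401 "-" "python-requests/2.31"
192.0.2.44 "POST /login HTTP/2.0" 401 "https://evil.example/" "Mozilla/5.0 (X11; Linux) Firefox/121.0"
203.0.113.5 "GET /login HTTP/2.0" 200 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
"""
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) (\S+)" (\d{3}) "([^"]*)" "([^"]*)"$')

def parse_line(line):
    # One log line -> dict, or None when the line does not match the expected format
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, proto, status, referer, ua = m.groups()
    return {"ip": ip, "method": method, "path": path, "proto": proto,
            "status": int(status), "referer": referer, "ua": ua}

def client_class(rec):
    # Key on program type + protocol, not IP, so residential-proxy rotation does not reset the count
    product = rec["ua"].split("/")[0].split(" ")[0]
    return f"{product}|{rec['proto']}"

def triage(log_text):
    # Apply the rules to every login POST; return flagged attempts and failures per client class
    flags, failures = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != LOGIN_PATH or rec["method"] != "POST":
            continue
        reasons = []
        if rec["proto"].startswith("HTTP/1."):  # browsers negotiate HTTP/2+, scripts default to 1.1
            reasons.append("http1.1")
        if rec["referer"] != ALLOWED_REFERER:  # a real form submission carries the login page
            reasons.append("bad-referer")
        if rec["status"] == 401:
            key = client_class(rec)
            failures[key] += 1
            if failures[key] >= LIMIT_PER_CLASS:
                reasons.append("rate-limit")
        if reasons:
            flags.append((rec["ip"], reasons))
    return flags, dict(failures)
```

The protocol rule only works once your server actually offers HTTP/2 end to end; behind a proxy that downgrades, every browser will also appear on HTTP/1.1.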
Conclusion
Unfortunately 23andMe used the tactic of blaming the victims for reusing passwords. While offering MFA, they didn't enforce it, and clearly didn't enforce strong passwords. Further, while they had a major security vendor in place, that vendor was either ineffective, or not utilised properly. All up 14k accounts were compromised, and 7 million other accounts accessed via a sharing feature. That level of activity should have been caught much earlier unless the attacker was extremely sophisticated and patient, carrying out their attack over a long period of time. That amount of effort belies the claim by 23andme that "the information that was potentially accessed cannot be used for any harm". Haven't they heard of Bond villains making genetic weapons...
The Iconic have the same security vendor as 23andme and don't offer MFA. Their automated prevention is weak (no bot protection and only IP based rate limiting which allowed for 300 attempts), which allowed the attacks to happen. Desperate users were notified of changes to their accounts, but couldn't get in touch with support to prevent the attackers using their stored credit cards. To their credit, The Iconic is refunding clients.
While no countermeasure is perfect at preventing Account Takeovers, the potential loss of reputation and damage to clients makes it imperative that website owners take practical steps to prevent them. While users also bear responsibility for securing their accounts, websites that hold sensitive information need to take every possible step to protect themselves and their users, not just wash their hands and blame the victims.