ATO attacks increased 307% between 2019 and 2021

Sift released a report which details the evolving methods fraudsters employ to launch account takeover (ATO) attacks against consumers and businesses. The report details a sophisticated fraud ring that sought to overwhelm e-commerce merchants by innovating upon typical credential stuffing campaigns.

Specifically, the fraud ring, dubbed Proxy Phantom, used a massive cluster of connected, rotating IP addresses in carrying out automated credential stuffing attacks to hack user accounts on merchant websites. Using over 1.5 million stolen username and password combinations, the group flooded businesses with bot-based login attempts to conduct as many as 2,691 login attempts per second—all coming from seemingly different locations.

As a result, targeted merchants using rules-based fraud prevention methods would be forced to play a supercharged, global game of “whack-a-mole,” with new combinations of IP addresses and credentials (likely purchased in bulk on the dark web) coming for them at an unthinkable pace.

Account hacking explodes during pandemic

The report also revealed a staggering 307% increase in ATO attacks between April 2019—shortly after many COVID-19 stay-at-home orders were enacted—and June 2021. This attack method made up 39% of all fraud blocked on Sift’s network in Q2 2021 alone.

Fintech under fire

Sift’s network data uncovered significant ATO risk for the fintech and financial services sector and its users. ATO attacks against the fintech sector soared 850% between Q2 2020 and Q2 2021, mainly driven by a concentration on crypto exchanges and digital wallets, where fraudsters would likely try to liquidate accounts or make illicit purchases.

Additionally, 49% of consumers surveyed as part of the report feel most at risk of ATO on financial services sites compared to other industries—and with good reason. Of the ATO victims surveyed, 25% were defrauded on financial services sites, validating the public’s sentiment that these sites are some of the riskiest.

ATO attacks’ cascade of chaos

The report also paints a detailed picture of the ripple effects of ATO attacks on both businesses and consumers alike. Key findings include:

• Compromise breeds compromise: 48% of ATO victims have had their accounts compromised between two and five times.
• ATO leads directly to brand abandonment: 74% of consumers surveyed say they would stop engaging with a site or app and select another provider if their account was hacked on that site or app.
• The aftermath of an ATO attack: 45% of those who experienced ATO had money stolen from them directly, while 42% had a stored credit card or other payment type used to make unauthorized purchases, and 26% lost loyalty credits and rewards points to fraudsters. Perhaps most worrisome is 19% of victims are unsure of the consequences of their accounts being compromised.
• Waning trust in ecommerce: 20% of consumers surveyed feel less safe shopping online today than they did a year ago.

Defending against the fraud economy

“As the discovery of the Proxy Phantom fraud ring demonstrates, fraudsters will never stop adapting their techniques to overwhelm traditional fraud prevention, making suspicious logins look legitimate, and legitimate ones look suspicious,” said Jane Lee, Trust and Safety Architect at Sift.

“At the same time, poor consumer security habits—like reusing passwords for multiple accounts—make it easy and continue to breathe life into the Fraud Economy. To proactively secure customer accounts and fuel expansion into new markets, merchants need to adopt a Digital Trust & Safety strategy to stop these advanced attacks before they shatter consumer loyalty and stifle growth.”