Blog / Account takeover , Fraud analytics , Link analysis , Machine learning

How does a fraudster take over a genuine account?

Account takeover is a growing form of fraud, but how does it actually work? Ravelin Protect expert Katrina explains how fraudsters manage to successfully do an account takeover. Unfortunately, it’s a lot easier than you might think!

How does a fraudster take over a genuine account?

There are a few different ways fraudsters can gain access to a genuine account, and how they choose to do it will largely depend on the potential reward. Malware or phishing is the most targeted and sophisticated method. These both require a lot of effort, and therefore are more likely to be used against banks or services with a more significant payout.

Online merchants are more likely to see low-cost and low-effort attacks using credential stuffing - which is far easier to do at a larger scale for a smaller payout across multiple victim accounts. To understand why this can be so easy for fraudsters, it’s important to understand trends around password reuse and data breaches.

Password reuse and data breaches

Nowadays, the average person has over 100 accounts that require passwords. The problem with so many accounts is that we have to remember the passwords for all of them. This means a lot of people just reuse one or two passwords, sometimes making simple variations but often just relying on exactly the same password to keep their accounts safe.


In fact, two in three of us reuse the same password across multiple services. Password reuse becomes problematic when combined with data breaches. Unfortunately, data breaches are alarmingly common and often include things like usernames, passwords and sometimes even secret answer information - you can scan through the haveibeenpwned Twitter feed to get an idea of how common breaches are (there were 8 reported in September alone). There are also many breaches we are not aware of yet or that just never make it into the news.

Data breaches involving credentials can then be used to target other online services because there is a good chance that if someone does have an account elsewhere, they’ve used the same password. This is most commonly done using credential stuffing.

How credential stuffing works

Credential stuffing uses stolen username and password combinations to automate login requests in order to gain access to user accounts. A fraudster can use a compiled list of credentials (often called a ‘combo list’) with an automated tool like Sentry MBA, Storm or Blackbullet to target logins on other online services. More sophisticated fraudsters may have their own script instead of relying on automated tooling but the overarching method is more or less the same.

The automated tool basically just takes username and password combinations and runs them against a login. This is a bit like having thousands of keys in a bag and trying all of them on the front door of a house (except with credential stuffing you are much more likely to have the right ‘key’ because of password reuse).

Credential stuffing

Generally, the automated tools or script will then return a list of successful credential combinations to the fraudster. This means they can get a list of accounts they can access with minimal effort - all they need is a combo list of credentials and some basic configuration (e.g. what URL should be targeted, what proxies to use etc.). Some scripts will also check if there is a card or any credit on the account so attackers know more about the potential value of the account.

How fraudsters stay under the radar

Once the fraudster is inside, they have access to the genuine customer’s positive history and trust they have built up with the seller, which makes it more difficult to detect fraudy behavior. Therefore, the best point to detect account takeover is at login - so fraudsters take steps to make their logins look as genuine as possible.

Fraudsters can use proxies or botnets to make it look like the login attempts are coming from a variety of sources instead of a single attacker. They can choose popular login times to mimic normal traffic - such as targeting mealtimes to login to a food delivery service. Automated tools are available to allow fraudsters to get around things like CAPTCHA challenges.

All this means that unfortunately, committing account takeover using scripts or automated tools for credential stuffing is easy for would-be fraudsters - there are countless youtube videos explaining how to do it as well as active cracking forums that offer advice, tooling and combo files of credentials.

This makes it so important to have a specific account takeover solution to protect your customer accounts from this threat. This monitors different behavior patterns especially at login to the standard account takeover fraud detection for typical card-not-present fraud.

To learn more about how account takeover works, check out the insights page here.

Related content