Blog / account takeover

What do fraudsters do after they take over an account?

Once a fraudster has compromised an account, what can they do with it? We look at the data behind account takeover attacks...

What do fraudsters do after they take over an account?

Account takeover (ATO) happens when a fraudster gets access to a genuine customer’s account. Fraudsters can easily buy login details online, and often use a process called credential stuffing to try multiple login and password combinations against popular merchant websites.

Once a fraudster has compromised an account, what can they do with it? There are a range of options available:

  • Make fraudulent orders using saved or stolen card details
  • Use loyalty points or account credits
  • Sell the confirmed account
  • Extract the customer data to sell

To learn more about how fraudsters monetize compromised accounts, we analysed data from ATO attacks against food delivery businesses.

Here’s what we found:

71% of ATO attacks resulted in the attacker placing an order

We found that for food delivery ATO attacks, the primary method for monetizing the account was to place an order. This is likely to be heavily influenced by the type of business we are analysing; food delivery is likely to appeal to a certain type of attacker, like the Hungry Fraudster.

We found that when an attacker does place an order, they make 3 to 4 orders on average, with around a 50% success rate. Of the 29% of attacks which didn’t result in an order, this could be because something stopped them, such as the customer spotted a change on their account and contacted the merchant. It’s also possible that the attacker may have monetized the account in another way, such as resale or extraction of customer data to be sold online.

46% of attacks included orders placed to a city/region different from the customer’s previous order

For food delivery businesses, speed of delivery is super important and it’s not unusual for customers to order deliveries to different addresses. Although changing delivery addresses can be an indication of ATO, it’s also common for genuine customers to order food to a new delivery address. This shows how challenging it can be to differentiate ATO activity from normal customer behavior, and why analyzing a combination of indicating factors is key.

10% of attackers changed the email address, while 48% changed the phone number

Our analysis showed that attackers were more likely to change the phone number on the compromised account than the email address. This may be because food delivery services often send an SMS text message to the customer to alert them that an order has been received or is on the way. The fraudster changing the phone number would stop the genuine customer getting this alert and contacting the merchant to cancel the order.

It’s also common for delivery drivers to use the account phone number to get in touch with the customer when they are attempting delivery. Fraudsters don’t always use their true address, to avoid it being blacklisted by a merchant - therefore they may contact the driver to arrange the drop off somewhere else.

Additionally, this could also be due to the widespread use of SMS one-time passwords for authentication. If the use of a new address or unusual activity triggers an authentication request, the fraudster would be able to falsely authenticate with their own phone number without alerting the customer or the merchant.

In around 15% of attacks the phone number on the account was changed twice or more - suggesting that fraudsters may use temporary phone numbers.

Applying the data to your ATO strategy

Similar to online payment fraud, ATO is specific to the merchant based on the industry and products/services they offer.

These patterns reflect the speed of delivery and ease of changing delivery location when ordering from food delivery merchants. A luxury goods merchant may see very different behavioral trends, such as unusually high orders, or sudden activity on multiple dormant accounts. Therefore, it’s important to analyse multiple data points including login rates, account changes and linked devices, as well as analysing attacker behavior after the account has been compromised. To learn more about account takeover visit our insights page here.