1 The Challenge
The most common types of password-based attacks are:
Account Takeover (ATO)
Account Takeover Fraud (ATO) occurs when fraudsters gain unauthorized access to a user's personal accounts, using stolen usernames and passwords or credential stuffing attacks, in order to execute unauthorized transactions. Other methods of account takeover fraud include malware attacks, such as man-in-the-middle and man-in-the-browser schemes, as well as the deployment of remote access tools through Trojans or via social engineering scams.
Brute-Force Attacks
A brute-force attack is a type of password attack in which attackers use trial and error to guess login credentials and gain access. Tools for brute-force attacks simply try all possible combinations of characters until the correct one is found. Attackers often use automated tools that can send thousands of authentication requests per second, significantly increasing the chances of guessing a weak password.
Credential Stuffing
In this attack, cybercriminals use stolen account credentials (usernames and passwords) from a breach at one organization or online service to access accounts at other organizations or services. This method exploits the common practice of reusing the same password across multiple sites. In addition, cybercriminals often use bots or other automation to hit multiple sites with large numbers of username/password combinations taken from password breaches found or purchased on the dark web.
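The two patterns above leave different traces in authentication logs: a brute-force attack concentrates many failures on one account, while credential stuffing spreads one or two guesses across many accounts from the same source. The following example, added here and not part of the original document, labels each source address in a constructed log accordingly; the log format, IP addresses and thresholds are assumptions chosen for the sample.

```python
from collections import defaultdict

# Constructed sample log, one "<source_ip> <username> <outcome>" event per line.
SAMPLE_LOG = """\
203.0.113.5 alice FAIL
203.0.113.5 alice FAIL
203.0.113.5 alice FAIL
203.0.113.5 alice FAIL
203.0.113.5 alice FAIL
203.0.113.5 alice FAIL
198.51.100.9 bob FAIL
198.51.100.9 carol FAIL
198.51.100.9 dave FAIL
198.51.100.9 erin FAIL
198.51.100.9 frank OK
192.0.2.44 grace FAIL
192.0.2.44 grace OK
"""

# Assumed thresholds for the sample; real values depend on traffic baselines.
BRUTE_FORCE_MIN_FAILS = 5    # failed guesses against a single account
STUFFING_MIN_ACCOUNTS = 4    # distinct accounts tried from one source


def parse_log(text):
    """Parse the sample format into (ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ip, user, outcome = line.split()
            events.append((ip, user, outcome == "OK"))
    return events


def classify_sources(events):
    """Label each source IP by the login-failure pattern it produced."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed attempts
    tried = defaultdict(set)                        # ip -> accounts attempted
    succeeded = defaultdict(set)                    # ip -> accounts logged into
    for ip, user, ok in events:
        tried[ip].add(user)
        if ok:
            succeeded[ip].add(user)
        else:
            fails[ip][user] += 1
    labels = {}
    for ip, accounts in tried.items():
        worst_account = max(fails[ip].values(), default=0)
        if worst_account >= BRUTE_FORCE_MIN_FAILS:
            labels[ip] = "brute_force"
        elif len(accounts) >= STUFFING_MIN_ACCOUNTS:
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "normal"
        # A success following a suspicious run is a likely account takeover.
        if labels[ip] != "normal" and succeeded[ip]:
            labels[ip] += "_with_success"
    return labels


if __name__ == "__main__":
    for ip, label in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, label)
```

A source labelled "credential_stuffing_with_success" is the case that most urgently needs a password reset and session revocation for the affected account.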
Man-in-the-Middle (MITM) Attacks
These attacks involve intercepting data while it is in transit. An attacker positions themselves in a conversation between a user and an application, either to eavesdrop or to impersonate one of the parties, making it appear that a normal exchange of information is taking place. Examples of MITM techniques include targeting unsecured Wi-Fi hotspots, DNS spoofing, ARP spoofing, forging certificates, and SSL/TLS stripping. Man-in-the-browser attacks may involve Trojans with keylogger or rootkit malware that can bypass TLS encryption by operating inside the browser, where the data is handled in the clear. The goal is to steal personal information, such as login credentials, account details, or credit card numbers.
Phishing Attacks
These are attacks on users via email, social media, voice calls and voicemails, and SMS texts. They are generally attempts to get users to hand over credentials and personal information or to make monetary transfers. Many criminals are leveraging artificial intelligence (AI), specifically forms of AI based on large language models (LLMs), to write more convincing messages and increase their chances of success. This makes it harder for individuals to discern whether these messages are legitimate.