Highlights

  • In this edition of our “Protect Yourself” series, we will look at the different techniques hackers use to steal your data in an account takeover (ATO) attack.

  • ATO attacks occur when criminals gain unauthorized access to user accounts. These security breaches can cause the loss of funds and confidential information.

  • By knowing the different methodologies that hackers use in these types of attacks and by following fundamental security principles, users can better protect themselves against such attacks.

Nowadays it is more important than ever to protect your login credentials from attackers. We live in a digitized world where most people's sensitive information is stored online, and account takeover (ATO) attacks have become a common way for criminals to steal digital assets. These attacks can lead to identity theft, financial loss, and reputational damage.

ATO attacks are carried out by cybercriminals who gain unauthorized access to user accounts, typically using login credentials that were stolen directly from the victims or bought from other criminals.

In this post of our “Protect Yourself” series, we will delve into the different types of ATO attacks, look in detail at how attackers steal login credentials, and cover the strategies that prevent such incidents.

How attackers steal login credentials

Attackers use various tools and strategies in their attempts to access user accounts. Recognizing the different types of ATO attacks helps users watch for them and take appropriate security measures against such threats.

Classifying ATO attacks is not a simple task because each attack is unique and categories often overlap. However, these are some of the most recognized forms of ATO attacks.

Brute force attacks

In brute force attacks, hackers systematically attempt to guess various combinations of a user's login credentials, most often usernames and passwords. Generally, automated software is used that generates various combinations at high speed.

The central idea of a brute force attack is trial and error: keep guessing until an account opens without authorization. They are called brute force because the attacker simply tries again and again to force access. Some of the most common types of brute force attacks are:

  • Simple brute force attacks: Attackers guess the user's login credentials by hand, without specialized software. Despite its simplicity, this method can be effective against weak passwords or poor password habits. In some cases, attackers guess credentials with minimal research (for example, finding out the city in which a user was born to answer that commonly chosen security question).

  • Dictionary attacks: Criminals systematically try words or phrases from a predetermined list known as a “dictionary.” These dictionaries contain commonly used passwords, phrases, or patterns, so the correct combination is usually found far sooner than it would be by exhaustive trial and error.

  • Password spraying: Unlike a typical brute force attack that hits a single account with many attempts, password spraying does the opposite: it tries a few passwords against many accounts at once. For this reason, it is also sometimes called a “reverse brute force attack.” To avoid triggering lockouts and other security mechanisms, the attacker typically tries only a few passwords per account.

Attackers first compile a list of valid usernames or email addresses. They then test a small selection of frequently used or weak passwords (for example, “password123” or “qwerty”) against every account on the list. In some cases, the attacker already knows a password (for example, from a data breach) and uses it to search for the accounts it unlocks.

  • Credential stuffing: Criminals take login credentials stolen from one service and test them on many other websites to gain access to other accounts belonging to the same users. For example, a username and password stolen from an online gaming account is tried on social networks, online banks, or digital asset exchanges. This type of brute force attack exploits poor password hygiene, above all reusing the same password, or the same username and password combination, across accounts on different platforms.

Criminals can also combine more than one type of brute force attack. A very common case, often called a hybrid attack, combines a dictionary attack with simple brute force: the attacker starts from a list of likely words and then appends or substitutes characters, digits, and symbols (for example, “summer” becoming “Summer2023!”) to guess the correct password. Combining the two methods gives the attempts a greater probability of success.
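The following Python script is an added example, not code from the original post, of the hybrid attack just described. It takes a small constructed word list, generates capitalization, leetspeak and common numeric or symbol suffix variants, and checks each candidate against a password hash. The word list, the suffix rules and the use of unsalted SHA-256 as the "leaked hash" are all assumptions for illustration.

```python
import hashlib
import itertools
from typing import Iterator, List, Optional, Tuple

# Constructed mini "dictionary" of base words; real lists run to millions of entries.
WORDS = ["password", "summer", "welcome", "qwerty", "binance"]

# Leetspeak substitutions commonly seen in "complex" passwords.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})


def dictionary_variants(word: str) -> List[str]:
    """Dictionary stage: capitalisation and leetspeak forms of a single word."""
    w = word.lower()
    variants = [w, w.capitalize(), w.upper(), w.translate(LEET), w.capitalize().translate(LEET)]
    return list(dict.fromkeys(variants))  # de-duplicate, keep order


def brute_force_suffixes() -> Iterator[str]:
    """Brute-force stage: short numeric/symbol tails users add to satisfy complexity rules."""
    numbers = [""] + [str(n) for n in range(100)] + [str(y) for y in range(1990, 2030)]
    symbols = ["", "!", "@", "#"]
    for num, sym in itertools.product(numbers, symbols):
        yield num + sym


def hybrid_candidates(words: List[str]) -> Iterator[str]:
    """Hybrid attack: every dictionary variant combined with every brute-force suffix."""
    for word in words:
        for base in dictionary_variants(word):
            for tail in brute_force_suffixes():
                yield base + tail


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256 stands in for a leaked hash (an assumption for the example).
    # A real service should store a slow, salted KDF (bcrypt, scrypt, Argon2) so that
    # every guess costs orders of magnitude more than a single SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash: str, words: List[str] = WORDS,
          max_attempts: Optional[int] = None) -> Optional[Tuple[str, int]]:
    """Return (password, attempts) if a candidate matches target_hash, else None."""
    for attempts, candidate in enumerate(hybrid_candidates(words), start=1):
        if max_attempts is not None and attempts > max_attempts:
            return None
        if sha256_hex(candidate) == target_hash:
            return candidate, attempts
    return None


if __name__ == "__main__":
    for pw in ["Summer2023!", "P@ssw0rd1", "x7#Tq9!mLp2vR"]:
        print(f"{pw!r:18} -> {crack(sha256_hex(pw))}")
```

With five base words the generator produces only about 14,000 candidates, yet it recovers “Summer2023!” and “P@ssw0rd1” in well under a second; a random 13-character password is never reached. That gap, not the presence of a capital letter or a symbol, is what separates a weak password from a strong one.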

Social engineering attacks

Social engineering attacks exploit recognized patterns of human psychology and social interaction. Attackers use deceptive or manipulative tactics to trick users into revealing their login credentials or other sensitive information. Typically, the criminal first investigates the victim, gains their trust, and finally tricks them into revealing their information.

The most common types of social engineering techniques used in ATO attacks are:

  • Baiting: Attackers falsely promise a good or service to trap their victims and steal confidential information. These attacks could be carried out in the physical world (for example, using an infected pen drive) or online (for example, by tricking victims into clicking on a malicious link with the false promise of being able to obtain free digital assets).

  • Scareware: Criminals bombard victims with fake security alerts to make them think their system is infected with malware. They then urge users to purchase or download software to fix the supposed problem; the “fix” is unnecessary at best and itself malicious at worst. A fake antivirus is a very common form of scareware: while it claims to combat malware, ironically it is the malware.

  • Phishing: Criminals send fraudulent messages, typically from fake profiles posing as trusted entities, to trick users into revealing sensitive information such as login credentials. In a phishing campaign, attackers often send the same message to many users, so mail filters backed by a threat intelligence platform can usually detect them.

  • Spear phishing: This is a more targeted and sophisticated form of phishing in which criminals tailor their approach to a particular individual or organization. The attacker researches the victim extensively before crafting a persuasive, personalized email or message that lures the user into revealing sensitive information. Because it is so personalized, spear phishing is considerably more effective than bulk phishing.

Malware attacks

In this category, attackers use malicious software (malware) to gain unauthorized access to user accounts or systems. The attacker's goal is to trick the victim into downloading and installing the malware, usually through social engineering. Once installed, the malware works silently in the background to infiltrate a system or network, cause damage, steal sensitive information, or take control of the system.

Some of the malware most commonly used by ATO attackers include the following:

  • Viruses: Viruses spread by attaching themselves to legitimate files and infecting other files and computers. They can damage, delete or modify files, render operating systems unusable, or deliver a harmful payload on a specific date.

  • Computer worms: Like viruses, worms self-replicate, but they spread across networks on their own rather than by infecting local files. They often congest a network or crash systems.

  • Trojans: Trojans appear to be harmless software but run in the background stealing data, giving the attacker remote access to the system, or waiting for the attacker to issue a command.

  • Ransomware: Used to encrypt files on the victim's computer until a ransom is paid to the attacker.

  • Adware: This type of malware shows ads to users while they browse the Internet. The ads may be unwanted or outright malicious, serving as the lure in a social engineering attack. Adware can also track user activity and compromise the user's privacy.

  • Spyware: Spyware silently monitors and collects information about the victim's activities, such as keystrokes, website visits, or login credentials, and sends it to the attacker. The attacker's goal is to collect as much sensitive information as possible before being detected.

  • Remote Access Tools (RATs): RATs allow attackers to access and control the victim's device remotely. They are usually delivered and hidden by a Trojan.

API attacks

Application programming interfaces (APIs) are the interfaces through which applications, mobile apps, and third-party systems connect to an online service and its user accounts. An API attack occurs when an attacker exploits security flaws in an API-enabled application to steal users' login credentials or other sensitive information.

API attacks can be carried out in many different ways, including:

  • Injection attacks: Inserting malicious input into an API call so that it is executed as code or as part of a query, in order to perform unauthorized actions or steal data.

  • Man-in-the-middle (MitM) attacks: Intercepting communications between a client and an API and reading or manipulating the data in transit.

  • Denial-of-service (DoS) attacks: Flooding an API with requests to cause it to crash or become unavailable.

  • Broken access controls: Criminals take advantage of flaws in an API's authentication or authorization mechanisms, for example an endpoint that checks who the caller is but not whether the caller owns the requested account, to gain unauthorized access to sensitive data or functionality.

  • Session hijacking: Stealing a user's valid session ID and using it to call the API with the same authorization level as that user.
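To make “broken access controls” and “session hijacking” concrete, here is an added Python example, not code from the original post or from Binance, of an account-lookup API handler in two forms: a vulnerable one that only checks that the caller holds a valid session, and a hardened one that also checks that the session's user owns the requested account and hides missing accounts behind the same error. The in-memory accounts, sessions, token names and fixed clock are constructed for illustration. A stolen session token still passes the hardened check, which is why sessions must be revocable, as the final function shows.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, Optional

# Constructed in-memory backend and a fixed clock so the example is deterministic.
CLOCK = datetime(2024, 5, 1, 9, 0, 0)

ACCOUNTS: Dict[int, dict] = {
    1001: {"owner": "alice", "balance": "2.5 BTC"},
    1002: {"owner": "bob", "balance": "0.1 BTC"},
}


@dataclass
class Session:
    user: str
    expires: datetime


SESSIONS: Dict[str, Session] = {
    "tok-alice": Session("alice", datetime(2024, 5, 1, 12, 0)),
    "tok-bob": Session("bob", datetime(2024, 5, 1, 12, 0)),
    "tok-stale": Session("alice", datetime(2024, 5, 1, 8, 0)),  # already expired
}


class Unauthorized(Exception):
    """No valid session: authentication failed."""


class Forbidden(Exception):
    """Valid session, but not allowed to touch this resource: authorization failed."""


def _authenticate(session_token: str, now: Optional[datetime]) -> Session:
    session = SESSIONS.get(session_token)
    if session is None or (now or CLOCK) >= session.expires:
        raise Unauthorized("no valid session")
    return session


def vulnerable_get_account(session_token: str, account_id: int,
                           now: Optional[datetime] = None) -> dict:
    """Broken access control: the caller is authenticated, but nobody checks that the
    session's user owns account_id. Any logged-in user can read any account simply by
    changing the id in the request (an insecure direct object reference)."""
    _authenticate(session_token, now)
    return ACCOUNTS[account_id]


def hardened_get_account(session_token: str, account_id: int,
                         now: Optional[datetime] = None) -> dict:
    """Fixed: the owner is derived from the server-side session, never from the request,
    and 'not found' and 'not yours' raise the same error so that account ids cannot be
    enumerated through the API."""
    session = _authenticate(session_token, now)
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session.user:
        raise Forbidden("account not accessible")
    return account


def revoke_session(session_token: str) -> None:
    """Response to session hijacking: a stolen token stops working the moment the
    legitimate user (or the service) revokes it."""
    SESSIONS.pop(session_token, None)


def outcome(handler: Callable[..., dict], *args) -> str:
    """Map a handler call to 'ok' / 'forbidden' / 'unauthorized' for demos and checks."""
    try:
        handler(*args)
        return "ok"
    except Forbidden:
        return "forbidden"
    except Unauthorized:
        return "unauthorized"


if __name__ == "__main__":
    print("bob reads alice's account, vulnerable:", outcome(vulnerable_get_account, "tok-bob", 1001))
    print("bob reads alice's account, hardened:  ", outcome(hardened_get_account, "tok-bob", 1001))
    SESSIONS["tok-demo"] = Session("alice", datetime(2024, 5, 1, 12, 0))  # a "stolen" token
    print("stolen alice token, hardened:         ", outcome(hardened_get_account, "tok-demo", 1001))
    revoke_session("tok-demo")
    print("same token after revocation:          ", outcome(hardened_get_account, "tok-demo", 1001))
```

The point of the hardened handler is that authorization is decided from state the server controls (the session's identity), not from anything the client sends; the point of `revoke_session` is that authentication state must be something the service can withdraw, since a hijacked token is indistinguishable from the real user's.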

Strategies to avoid ATO attacks

The impact of ATO attacks can be significant for both businesses and their users. For individuals, consequences can include financial loss, identity theft, and reputational damage. For businesses, an attack can result in data breaches, financial losses, regulatory fines, reputational damage, and loss of customer trust.

Therefore, it is very important to have strategies to avoid ATO attacks. Both individuals and organizations must adopt robust security measures and practices.

Individual measures to prevent ATO attacks

Individuals are recommended to adopt the following practices:

  • Enable multi-factor authentication (MFA) whenever available to add an extra layer of security. On Binance, users can enable up to 4 types of MFA: email verification, phone number verification, Google or Binance Authenticator, and biometric authentication. Prefer an authenticator app or a biometric factor over SMS and email codes, which are easier for attackers to intercept or phish.

  • Use strong, unique passwords for each account, combining upper and lower case letters, numbers, and special characters. Avoid information that can be easily guessed, such as names, birthdays, or common phrases. One of the main reasons brute force ATO attacks still succeed is that weak passwords are still in use. Never reuse the same password across multiple accounts, and change a password immediately if the service that holds it suffers a breach.

  • Frequently review online accounts and transactions for any suspicious activity and immediately report any unusual activity to the website or service provider.

  • Avoid clicking on suspicious links or opening unexpected email attachments, as these could be phishing attacks. Always verify the identity of the sender and review the content of the email before taking any action.

  • Keep devices up-to-date with the latest security patches and use reliable security software, such as antivirus and anti-malware programs, to protect against threats.

  • Keep personal information private and do not overshare on social media or other online platforms, as attackers can harvest such details to guess passwords or answers to security questions, or to craft personalized phishing attacks.

  • Avoid logging into sensitive accounts from public Wi-Fi networks, as attackers can intercept data. Use a reputable VPN service to encrypt your Internet connection for when using public networks.

  • Set up secure recovery options for accounts, such as alternate email addresses and phone numbers, and keep them up to date. These let you regain access in the event of unauthorized access. They are also the first thing an attacker who gets in will try to change, so review them regularly.

  • Research and stay informed about the latest security threats and learn best practices to protect accounts and personal information. Stay up to date on how to protect yourself online to best avoid potential attacks.
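The advice above to avoid weak and reused passwords is something a service can check for its users without ever receiving the password in the clear. The following Python code is an added example, not from the original post or from Binance, of the k-anonymity range-lookup approach used by breached-password services such as the Pwned Passwords API: the client sends only the first five hex characters of the password's SHA-1 and compares the returned suffixes locally. The breached-password list, its counts and the in-process “server” are constructed for illustration, and the example goes beyond the post in showing the mechanism rather than only the advice.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a breached-password corpus: password -> times seen in breaches.
# The passwords and counts are made up for this example.
KNOWN_BREACHED: Dict[str, int] = {
    "password123": 126927,
    "qwerty": 3912816,
    "Summer2023!": 17,
}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Index breached hashes by their first 5 hex characters, as the range endpoint does."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in breached.items():
        h = sha1_upper(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


RANGE_INDEX = build_range_index(KNOWN_BREACHED)


def query_range(prefix: str) -> List[Tuple[str, int]]:
    """The 'server side'. The only data it ever receives is a 5-character hash prefix,
    which is shared by roughly 1 in 16**5 of all hashes, so it cannot tell which
    password the client holds."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return RANGE_INDEX.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for candidate_suffix, count in query_range(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def evaluate_password(password: str, username: str, min_length: int = 12) -> List[str]:
    """Registration-time policy check. Returns the reasons a password is rejected;
    an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username.lower() in password.lower():
        problems.append("contains the username")
    seen = breach_count(password)
    if seen:
        problems.append(f"seen {seen} times in known breaches")
    return problems


if __name__ == "__main__":
    for pw in ["qwerty", "Summer2023!", "alice-2024-rocks", "x7#Tq9!mLp2vR"]:
        print(f"{pw!r:20} -> {evaluate_password(pw, 'alice') or 'accepted'}")
```

Note that a password such as “Summer2023!” satisfies every classic complexity rule (upper and lower case, digits, a symbol) and is still rejected, because it has already been seen in a breach; breach exposure, not character classes, is what credential stuffing actually exploits.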

Measures to prevent account takeover attacks at the organizational level

Organizations can apply the following strategies to prevent ATO attacks and protect their user accounts from unauthorized access:

  • Enforce a robust password policy: require strong, unique passwords, set minimum length and complexity requirements, and reject passwords that appear in known breach lists. Require users to change a password whenever it is suspected of being compromised, and do not allow the same password to be reused across different accounts or services.

  • Implement multi-factor authentication (MFA) for all user accounts, especially those that have access to sensitive data and those with administrative privileges.

  • Continuously track user activity and monitor for unusual behavior, for example, unusual login times, logins from new locations or devices, or bursts of failed login attempts. Use analytics and machine learning models to detect possible account takeover attempts.

  • Lock user accounts after a certain number of consecutive failed login attempts, with a specified suspension period before the account can be unlocked. Per-account lockout alone does not stop password spraying, which spreads its attempts across many accounts, so also rate-limit failed logins per source address and alert when a single source fails against many different accounts.

  • Provide ongoing security training for employees to recognize and report potential phishing attacks, social engineering attempts, and other threats that could lead to account takeover.

  • Ensure all devices used by employees are protected with up-to-date anti-malware software, and enforce update policies so that operating systems and applications receive the latest security patches.

  • Conduct regular security audits and vulnerability assessments to identify flaws in the organization's systems and address them in a timely manner.
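As an added example, not code from the original post or from Binance, the Python below applies the monitoring and lockout measures above to a constructed authentication log. It flags the per-account failure bursts that a lockout policy catches, the per-source spraying pattern that per-account lockout alone misses, and replays a lockout policy with a suspension window. The log format, the thresholds and the time windows are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class LoginEvent(NamedTuple):
    ts: datetime
    user: str
    src_ip: str
    success: bool


# Constructed sample log. Lines are "<ISO timestamp> user=<name> ip=<addr> result=<ok|fail>".
# 203.0.113.5 hammers one account; 198.51.100.7 tries one password against many accounts.
SAMPLE_LOG = """\
2024-05-01T09:00:01 user=alice ip=203.0.113.5 result=fail
2024-05-01T09:00:02 user=alice ip=203.0.113.5 result=fail
2024-05-01T09:00:03 user=alice ip=203.0.113.5 result=fail
2024-05-01T09:00:04 user=alice ip=203.0.113.5 result=fail
2024-05-01T09:00:05 user=alice ip=203.0.113.5 result=fail
2024-05-01T09:00:06 user=alice ip=203.0.113.5 result=fail
2024-05-01T09:00:07 user=alice ip=203.0.113.5 result=ok
2024-05-01T09:10:00 user=bob ip=198.51.100.7 result=fail
2024-05-01T09:10:01 user=carol ip=198.51.100.7 result=fail
2024-05-01T09:10:02 user=dave ip=198.51.100.7 result=fail
2024-05-01T09:10:03 user=erin ip=198.51.100.7 result=fail
2024-05-01T09:10:04 user=frank ip=198.51.100.7 result=fail
2024-05-01T09:10:05 user=grace ip=198.51.100.7 result=ok
2024-05-01T09:20:00 user=bob ip=192.0.2.10 result=fail
2024-05-01T09:20:30 user=bob ip=192.0.2.10 result=ok
"""


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the constructed log format into events, ignoring blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(LoginEvent(datetime.fromisoformat(ts_str), kv["user"],
                                 kv["ip"], kv["result"] == "ok"))
    return events


def brute_force_targets(events: List[LoginEvent], max_failures: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> Set[str]:
    """Classic brute force: more than max_failures failures against ONE account
    inside a sliding time window."""
    per_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if not e.success:
            per_user[e.user].append(e.ts)
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_failures:
                flagged.add(user)
                break
    return flagged


def spraying_sources(events: List[LoginEvent], min_accounts: int = 5,
                     max_per_account: int = 2) -> Set[str]:
    """Password spraying: ONE source fails against MANY accounts with only a few
    attempts each, so no single account ever reaches the lockout threshold."""
    per_ip: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e.success:
            per_ip[e.src_ip][e.user] += 1
    flagged = set()
    for ip, per_user in per_ip.items():
        low_volume_accounts = [u for u, n in per_user.items() if n <= max_per_account]
        if len(low_volume_accounts) >= min_accounts:
            flagged.add(ip)
    return flagged


def lockout_schedule(events: List[LoginEvent], max_failures: int = 5,
                     suspend: timedelta = timedelta(minutes=15)) -> Dict[str, datetime]:
    """Replay the per-account lockout policy: after max_failures consecutive failures the
    account is locked until ts + suspend, attempts while locked are rejected, and a
    success resets the counter. Returns user -> lock expiry for accounts that got locked."""
    consecutive: Dict[str, int] = defaultdict(int)
    locked_until: Dict[str, datetime] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.user in locked_until and e.ts < locked_until[e.user]:
            continue  # rejected while locked; a real system logs and alerts on this too
        if e.success:
            consecutive[e.user] = 0
        else:
            consecutive[e.user] += 1
            if consecutive[e.user] >= max_failures:
                locked_until[e.user] = e.ts + suspend
                consecutive[e.user] = 0
    return locked_until


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute-forced accounts:", brute_force_targets(evs))
    print("spraying sources:     ", spraying_sources(evs))
    print("locked accounts:      ", lockout_schedule(evs))
```

Run against the sample, the lockout policy locks only alice, while the sprayer at 198.51.100.7 never trips it because it touched each account once; only the per-source view catches it. That is the reason the lockout bullet above pairs account lockout with per-source rate limiting and alerting.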

At Binance, user security is our priority and we invest significant resources to ensure we implement every measure on this list, and many more.

What to do if your credentials are compromised

If your login credentials have been hacked, it's important to take immediate action to protect your accounts and sensitive information. Here are some steps you can take to mitigate the damage and avoid further danger:

  • Change your passwords: The first and most important step is to change the passwords of all affected accounts, and of any other account that shared the same password. Where the service offers it, also sign out all active sessions, and check that recovery email addresses, phone numbers and MFA settings have not been altered by the attacker.

  • Contact service providers: If login credentials for a particular service were stolen, contact the service provider and report what happened. They can take steps to help you secure your account.

At Binance, user safety is one of our top priorities and we do everything we can to ensure your safety. If you suspect your Binance account has been compromised, please contact Customer Support immediately.

  • Consider monitoring your credit: If you believe your personal information, such as your social security number or credit card information, may be at risk, consider signing up for a credit monitoring service so you can be notified of any suspicious activity in your accounts.

It's important that you act quickly and follow these steps as soon as you realize that your login credentials may have been stolen.

Protect

Keeping your login credentials safe is essential to safeguarding your digital assets. By understanding the different types of ATO attacks, how attackers steal login credentials, and strategies to prevent these attacks, both users and businesses can take proactive steps to stay safe. Implementing robust password protection policies, multi-factor authentication, continuous monitoring, and risk assessment can help prevent ATO attacks and keep digital assets secure.

Binance security experts continually monitor suspicious behavior on the platform and improve security protocols accordingly. When users report an ATO attack, we rigorously analyze the case and extend our support to affected users.

While Binance makes every effort to ensure the security of your account, it is very important that you also take responsibility for your own security. By following the precautions described in this article, you can protect your sensitive information and reduce the risk of falling victim to an ATO attack. If you suspect your Binance account may be compromised, please contact Customer Support as soon as possible.

Further reading

  • Protect yourself: What are account takeover attacks?

  • Protect your Binance account in seven easy steps

  • Learn about scams: warning signs to recognize scams perpetrated by impostors


Legal Notice and Risk Warning: This content is presented “as is” for general information and educational purposes only, without representation or warranty of any kind. It should not be construed as financial advice nor is it intended to recommend the purchase of any specific product or service. Digital asset prices are volatile. The value of an investment may go down as well as up, and it may be the case that the user does not recover the amount invested. Only the user is responsible for his or her investment decisions. Binance is not responsible for any losses that users may incur. This should not be construed as financial advice. For more information, please see our Terms of Use and Risk Warning.