Rising Concerns for Account Takeover and PII Harvesting in 2023

CyberEdge Group just released the 2023 Cyberthreat Defense Report, an annual survey of 1200 IT security professionals in 17 countries across 19 industries. The report presents critical insights into the top threats that online organizations are facing and their plans to protect their web and mobile apps and APIs. Here are four key takeaways.

1. Credential stuffing and account takeover continue to be an area of concern

On a scale of 1-5 (with 5 being most concerning), respondents ranked account takeover (ATO) and credential stuffing at 3.95 — just behind malware at 3.96. If the trend continues, ATO is likely to be the leading cyberthreat of concern in coming years.

To protect against ATO and credential stuffing attacks:

• Proactively monitor compromised credentials actively being used in real-world attacks, and automatically disallow them from being used on your site.
• Leverage hidden and behind-the-scenes detection methods, such as honeypots and device challenges (proof of work).
• Adopt machine learning technology to detect and mitigate automated login attacks against your web and mobile apps and APIs.

2. Personally identifiable information (PII) harvesting is the #1 threat to web and mobile apps

PII harvesting was the top-rated threat against web and mobile apps this year.  Often PII harvesting involves embedding malicious code in vulnerable JavaScript that captures personal data — such as credit card numbers, credentials and other PII — when users fill out a form.

The JavaScript targeted in PII harvesting attacks runs on the client side, meaning it loads in users’ browsers outside typical web controls. Website owners lack complete visibility into these scripts, so attackers are often able to capture PII without detection — which they can use to access user accounts, strengthen phishing attacks, steal identities, and perform other malicious activities.

Proactively stop PII harvesting:

• Continuously monitor all client-side scripts for anomalous activity — such as behavior changes, communication with new network domains, or DOM modifications — which could leave the website open to PII harvesting.
• Establish content security policy (CSP) rules to stop malicious script injections from loading and to prevent data transfer.
• Enable granular JavaScript blocking to prevent specific actions without disabling the entire script, ensuring PCI and privacy compliance.

3. Identity is the top target of cyberattacks

In 2023, respondents expressed significant concern about PII harvesting, credential stuffing and ATO, carding, and digital skimming/Magecart. And those attacks have something in common: the theft and fraudulent use of identity information.

If cybercriminals can carry out attacks while hiding behind a legitimate user’s identity, the opportunities to commit fraud increase significantly. 

Prevent the theft, validation and fraudulent use of users’ identity information:

• Stay up-to-date on patch management to block use of known vulnerabilities in older versions of software that could be easily exploited to skim payment data and PII.
• Adopt a behavior-based bot management solution to detect and mitigate automated login and checkout attacks against your web and mobile apps and APIs.
• Continuously monitor behavior and authenticate users post-login to reduce the risk of account fraud.

4. Lack of security technology leads to competitive disadvantage

According to CyberEdge, “Attack surface reduction is one of those areas where you work harder and harder, but the task keeps expanding to offset your improvements.” But in response to PII harvesting, credential stuffing and ATO attacks, the adoption of security tools to manage these risks remains low.

Still, website decision makers are planning to get their web app security tech stack back on course. According to CyberEdge, "Bot management is not installed as often as the other applications in this sector, but new deployments are coming. It is the leader in planned acquisitions at 43.6%. Controlling traffic from bots is a priority because of their use in ransomware, spam, and DDoS attacks and other threats.” 

Bot management solutions help defend web and mobile apps and APIs from the many types of attacks that utilize bot networks, including credential stuffing, ATO, carding, content scraping and inventory hoarding.

Protect Your Online Business from Bot Attacks and Client-side Threats

The report found that “skilled personnel” and “low security awareness among employees” were the top barriers to establishing effective cybersecurity defenses — for the fourth year in a row. This presents an opportunity to leverage automation and machine-learning technology to protect your business without burdening your employees.

As the cyberthreat landscape continues to change, businesses must evolve their application security strategy and leverage technology to protect users’ account and identity information everywhere along their digital journey. Gathering insights from the 2023 Cyberthreat Defense Report is a great place to start. Contact us to learn how to protect yourself from bot attacks and client-side threats.