Financial credentials offer second-largest payoff in account takeover attacks

Stolen account credentials from financial customers have a higher value than credentials from almost any other sector, according to Arkose Labs. (Photo by Leon Neal/Getty Images)

The financial industry has long been a top target for cybercriminals headed to “where the money is.” New research has confirmed that stolen account credentials from financial and financial technology (fintech) customers also have a higher value than those taken from almost any other site.

According to “The Economics of Account Takeover Attacks,” a report on account takeover (ATO) released last week by Arkose Labs, credentials taken from legitimate financial and financial technology account customers have the second largest revenue potential to cyberthieves, after gaming site accounts. The current market price on the dark web, combined with the potential revenue from using these credentials for scams involving the legitimate bank account, can net a bad actor who is a reseller with a good reputation as much as $24,000, according to the Arkose Labs findings.

“Financially motivated fraudsters attack fintech companies and banks to earn a profit,” said David Senecal, vice president for architecture and research at Arkose Labs, and author of this research. To launch these account takeover attacks, fraudsters have to invest more and more “time and money into building bots that automate the attack, which eats into their profit,” he said.

“The investment of time and infrastructure an attacker will have to do depends on the defense a fintech or a bank has in place,” Senecal added. “The more sophisticated the defense, the higher the investment and cost for the attacker, the lower the profit will be.”

The report pointed out that as the dark web has boomed as a marketplace for fraudulent goods and services to be bought and sold, cybercriminals have become increasingly savvy about which accounts they target in which industries, and more automated in their attacks (for example, using more botnets), in the interest of getting the most money for their illegal efforts. And the criminal operations with the longest and best standing in this online agora can sell off more of their stolen gaming and financial account credentials for a higher price.

“Criminals attack websites for a profit, and to make a living,” the report stated. “As a basic principle, this requires that the income they generate from their attack is at least higher than their cost but also ideally enough to sustain their lifestyle.”

In this respect, ATO attacks have proven to be a very profitable venture for cyber-thieves, so it’s not surprising that more than 11 billion credentials have been stolen over the course of multiple breaches, according to, which tracks this data. Indeed, even large individual ATO attacks can claim millions of credentials in a single swoop, as was the case with last year’s Facebook breach, where an estimated 500 million account credentials were swiped, according to Arkose Labs.

“Like any marketplace or auction site, the reputation of a reseller will directly affect how much of their inventory will be acquired,” the report found. Arkose Labs estimated that sellers new to the business with little or no reputation may sell up to 20% of their “credential” inventories, whereas more experienced resellers with a medium reputation may sell up to 40% of their inventory. Long-term proven resellers with a very good reputation may sell at least 60% of their stolen account data.

Hence, one of the interesting dynamics Arkose Labs uncovered is that as these economic factors force “fraudsters to invest more time and money into their ATO attacks, [it is] also making it impossible for rookie fraudsters with no established reputation on the dark web marketplace to initiate their activity against these highly protected fintech and bank sites,” Senecal said. “Also, fraudsters are having to increase the number of fintech and bank targets they must successfully attack to make an income that would support their lifestyle.”
