What is Account Takeover?
Account takeover is a form of identity theft and fraud, where a malicious third party successfully gains access to a user’s account credentials. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization.
While the proliferation of digital communication has made all employees vulnerable to account takeover (a recent survey conducted by Javelin reported over $5.1 billion in losses associated with ATO in 2017 alone), the departments most at risk are IT, human resources, and higher-level management, since they have direct access to sensitive data, financial information, and security infrastructure.
How Does Account Takeover Happen?
The growth of digital communication and data storage means cybercriminals have a large variety of entry points when attempting to gain access to users' personal information. Also, because people are often bad about using robust passwords – a 2017 survey conducted by SplashData showed that the top 5 passwords in use were some version of “123456” or “password” – cybercriminals don’t need highly sensitive information to successfully gain access to an account. They will seek out the simplest entry point, and build the account takeover from there. It can start with any piece of personal data that’s used when logging in, such as an email address, full name, date of birth, or city of residence, all of which can be found with minimal research.
Once a hacker has taken over a user's main communication channel, they can change everything the account gives them access to, such as security questions, passwords, encryption settings, usernames, etc. This complete lockout can even make the actual user look suspicious when attempting to resolve the problem, since they would no longer know the updated information associated with the account.
Account Takeover Techniques
There are a number of major techniques used by cybercriminals when attempting to gain entry into a secure account:
- Hacking: There are multiple hacking techniques used by ATO attackers – the most popular type is a brute force attack, where the cybercriminal develops automated scripts that churn through password combinations, hoping to generate a successful login key.
- Phishing & Spear Phishing: Cybercriminals will use email correspondence to trick users into revealing their personal information. While phishing emails can be automated and easier to spot, spear phishing emails are highly targeted and much more deceptive.
- Social Engineering: Account takeover perpetrators will spend time researching across open databases and social media, looking for pertinent information like name, location, phone number, or names of family members – anything that will assist in guessing a password.
- Botnets: Hackers will deploy bots to hack into customers’ accounts – bots can plug in commonly-used passwords and usernames to perform high-volume, rapid attacks and take over the maximum number of accounts, all while staying hidden from immediate view. Because bots deploy from multiple locations, it’s harder to identify malicious IP addresses logging in.
- Credential Stuffing: Credentials stolen or leaked from various businesses (or purchased on the dark web) are tested against multiple websites, in the hope of catching a victim who hasn’t realized their login information is compromised.
Main Account Takeover Targets
The main goal for most account takeover attacks is access to sensitive data and financial information. This means it is essential that departments such as IT, HR, and management are aware of the risks associated with their responsibilities.
The IT department handles the technical infrastructure, including security and data management – a compromised IT account could lead to a compromised network or serious theft of data. HR has access to sensitive employee information and is responsible for managing payroll and other financial data, all of which is highly valuable for cybercriminals. Higher-level managers have access to and authority over major parts of an organization – access to their accounts could lead to financial fraud or theft of data.
The Goals of Account Takeover
Account takeover isn’t inherently useful to a cybercriminal – what happens after they gain access is where the serious harm can occur:
- Phishing Campaigns: Some attackers try to use the hacked email account to launch phishing campaigns that will go undetected.
- Credential Sale: Some attackers steal credentials of other employees and sell them in the black market.
- Further Account Takeover: Others use the account to conduct reconnaissance in order to launch personalized attacks.
- Business Email Compromise: Sophisticated attackers will steal the credentials of a key employee, and use them to launch an attack from the real employee's email address with the goal of setting up a fraudulent transaction or transfer of funds.
- Reputation Damage: Account takeover attacks can target multiple end users of an organization, causing long-term damage to the reputation of a business's security and data privacy.
How to Avoid Account Takeover
There are a number of security measures available when protecting against account takeover:
- Security Questions: Users are required to answer pre-determined questions after successfully providing a password. While this is a very basic form of increased security, it adds a further hurdle against a malicious login attempt.
- Two-Factor Authentication (2FA): By connecting a separate channel like a phone number or alternate email address, you can prevent unrecognized devices or IP addresses from accessing an account, even if they have the password.
- IP Block-listing: A high volume of login attempts arriving from a single IP is a strong sign that someone is attempting to brute-force guess passwords, or is using lists of stolen credentials to gain entry into accounts. By maintaining a robust IP block list, these attacks can be mitigated.
- Login Attempt Limits: By allowing only a finite number of login attempts for secure accounts, cybercriminals can’t spam login attempts, hoping to find the right password. This is especially effective against bot spamming, which can originate from different IP addresses.
- Device Tracking: Tracking and showing login locations can help catch suspicious activity. A login that keeps occurring 200 miles away from the user can automatically signal to IT that the account should be frozen.
- Employee Education: Employees are often the last line of defense against account takeover – properly educating them on the signs and symptoms of a compromised account is essential. Training tools that showcase account takeover interactions or phishing emails can help them protect their online identity and avoid social engineering tricks.
- Sandboxing: If accounts have been compromised, it’s important that there is functionality in place to deter further compromise. By sandboxing a suspicious account, all activity can be tracked and stopped if it is, in fact, malicious.
- WAF Configuration: A robust web application firewall can be configured to recognize and mitigate account takeover attempts, through targeted policies that can identify stolen credentials, signs of brute force hacking, or botnet probing.
- AI Detection: Traditional WAFs aren’t always capable of identifying more sophisticated account takeover attacks – static policies can be tricked into thinking malicious login attempts are actually legitimate. Recent developments in AI technology have been leveraged to identify complex account takeover attack techniques and can monitor website and web application traffic to detect suspicious activity.
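The IP block-listing and login-attempt-limit controls above, and the single-source brute force and distributed botnet patterns from the techniques section, can be expressed as two simple checks over authentication logs. The following is an added example, not code from the original page or from any vendor product; the log format, the sample log lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the page): "<unix time> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice FAIL
1700000001 203.0.113.7 bob FAIL
1700000002 203.0.113.7 carol FAIL
1700000003 203.0.113.7 dave FAIL
1700000004 203.0.113.7 erin FAIL
1700000010 198.51.100.1 hr-admin FAIL
1700000011 198.51.100.2 hr-admin FAIL
1700000012 198.51.100.3 hr-admin FAIL
1700000013 198.51.100.4 hr-admin FAIL
1700000014 198.51.100.5 hr-admin FAIL
1700000025 192.0.2.10 alice OK
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (OK|FAIL)$")

def parse(log_text):
    """Turn log lines into sorted (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((int(ts), ip, user, result))
    return sorted(events)

def _peak(fails, window, distinct):
    """Largest number of failures (or of distinct values) inside any `window`-second span."""
    best = 0
    for i, (t0, _) in enumerate(fails):
        span = [v for t, v in fails[i:] if t - t0 <= window]
        best = max(best, len(set(span)) if distinct else len(span))
    return best

def detect(events, window=60, stuffing_users=5, lockout_fails=5):
    """Return (ips_to_block, accounts_to_lock).
    ips_to_block: one IP failing against >= stuffing_users distinct accounts (single-source stuffing).
    accounts_to_lock: one account with >= lockout_fails failures from any mix of IPs (botnet spread)."""
    fails_by_ip, fails_by_user = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
            fails_by_user[user].append((ts, ip))
    ips = {ip for ip, f in fails_by_ip.items() if _peak(f, window, True) >= stuffing_users}
    users = {u for u, f in fails_by_user.items() if _peak(f, window, False) >= lockout_fails}
    return ips, users
```

The per-account check is what catches the botnet case: each of the five source IPs fails only once, so an IP-only rule never fires, while the account-level count does.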