How to protect your organization from account takeovers
The year 2021 was a big year for account takeover attacks (ATO). According to a Javelin Strategy and Research study, losses from account takeovers increased 90% in 2021 to $11.4 billion. Typically, the damage comes not so much from the account takeover itself, but from the business email compromise (BEC), financial fraud, data theft, and malware distribution attacks that account takeovers enable. Threat actors can leverage account takeovers to attack corporate networks directly or indirectly through email and corporate accounts of trusted suppliers, partners, vendors or service providers.
How account takeovers happen
There are many ways for threat actors to gain access and control over legitimate user accounts.
Buying stolen credentials from Dark Web marketplaces is probably the easiest way. A report by the Digital Shadows research team found 24,649,096,027 account usernames and passwords exposed by cyber threat actors in marketplaces in the past year, a 65% increase from 2020. These credentials typically come from previous data breaches and social engineering campaigns. They are available for surprisingly reasonable prices from sites similar to eBay, where independent cybercriminals sell their wares for a small commission.
Brute Force Hacking and Credential Stuffing
Password cracking tools use automated scripts to generate login and password guesses, trying random character strings and common passwords at high speed until they hit on the right ones. These tools have been around for years and are even available as hosted services with documentation and technical support.
Credential stuffing is a form of password cracking that uses email addresses and passwords from previous data breaches. The tools also work through every possible combination and try small logical variations, such as changing Fido 123 to Fido 234, until they succeed. They have a pretty good success rate, thanks to poor user hygiene habits such as reusing passwords for multiple accounts or creating passwords that are easy to guess. For example, the Digital Shadows report found that the 100 most common passwords represented 2.77% of 6.7 billion unique credentials and that the password 123456 alone represented 0.46% of this group.
In June 2021, hackers used credential stuffing to gain access to thousands of TurboTax user accounts and tax returns, harvesting a feast of social security numbers, addresses and financial data.
Despite extensive publicity and heavy investment in user education, phishing continues to succeed, thanks to a small percentage of users who are still easily duped. Typically, phishing emails use social engineering to convince users to click on a link to a fake but authentic-looking website and enter their login information. Spear phishing emails are even more difficult for victims to detect than automated phishing emails, as they are highly targeted and the result of extensive research on the victim company.
Vulnerable APIs can sometimes leak authentication tokens and enable a threat actor to take over an account without knowing anything about the user’s password. Web apps can also sometimes leak session cookies. Recently, security researchers discovered that 3,207 mobile apps exposed Twitter API keys to the public, potentially allowing an attacker to take over users’ Twitter accounts.
How threat actors use ATOs to launch other attacks
Account takeover is generally the first step in a much more malicious attack. Here are the most common attacks that ATOs act as a launching pad for:
Financial fraud is the most widespread: attackers take over accounts on e-commerce and banking sites and other customer-facing services to carry out fraudulent transactions, such as ordering goods, spending loyalty points or sending money to the threat actor.
Business email compromise attacks take over the email accounts of trusted vendors, corporate lawyers, or internal employees such as the CEO or CFO. They use them to send unsuspecting employees emails urging them to send payments for fake invoices or change a supplier’s or employee’s bank account details, with the aim of sending money to the attacker’s account.
Employee email accounts are often full of reports, discussions, spreadsheets and other sensitive company information that can be stolen via an ATO and used by competitors or others with bad intentions. Attackers can also reach sensitive company or user data through hijacked cloud user accounts or through the accounts of trusted suppliers, contractors or partners.
Malware and ransomware
An attacker could use a stolen account to upload malware with a catchy filename to a shared employee cloud storage account and wait for an unsuspecting employee to open it and infect the laptop. They can also send phishing emails to colleagues to convince them to open a malicious attachment or click on a malicious link.
Attackers can take over social media accounts and post offensive content that damages the owner’s reputation. In July 2022, an outsider seeking revenge against employees at the Anaheim theme park took over Disneyland’s Instagram accounts and posted racist and explicit content.
ATOs are widespread, but they can be stopped through a combination of training, best practices and readily available tools.
Training staff in proper password hygiene, including not reusing passwords for multiple accounts, using complex passwords and taking advantage of password managers, is the first line of defense against ATOs.
Two-factor and multi-factor authentication is essential to prevent attackers from using stolen passwords to take over accounts. Both require the person logging in to provide additional evidence beyond the password, such as a smartphone, a one-time code or biometrics, to verify their identity. It is very difficult for an attacker to successfully hijack multiple forms of authentication at once.
Email security tools use a combination of methods, including machine learning, to detect and filter out emails that contain links to fake login pages.
Bot detection tools can be valuable in preventing ATOs that use bots to churn through login attempts. They usually display Captchas that bots struggle to solve and thus block further logins. Web application firewalls can also filter out bots and protect accounts in other ways via web traffic analysis.
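As an added illustration (not code from the original article), the Python sketch below shows the kind of detection logic that bot-detection and WAF products apply to login traffic: it distinguishes the credential-stuffing pattern described earlier (many attempts, each against a different username) from single-account brute forcing. The log format, thresholds and IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed auth log: "timestamp client_ip username result" per line.
# Three source IPs: a stuffing bot, a brute-force bot and a benign user.
SAMPLE_LOG = "\n".join(
    # 12 attempts in 6 s against 12 distinct usernames, one success
    [f"2021-06-01T10:00:{i // 2:02d} 203.0.113.7 user{i:02d} {'OK' if i == 5 else 'FAIL'}" for i in range(12)]
    # 10 attempts in 10 s, all against the same account
    + [f"2021-06-01T10:05:{i:02d} 192.0.2.9 alice FAIL" for i in range(10)]
    # a user who mistypes once and then logs in
    + ["2021-06-01T10:09:00 198.51.100.4 alice FAIL", "2021-06-01T10:09:30 198.51.100.4 alice OK"]
)

def parse_line(line):
    """Parse one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_login_abuse(log_text, window_s=60, min_attempts=10, min_users=8):
    """Return {ip: verdict} for IPs whose attempts in any window_s-second sliding
    window look automated. 'credential_stuffing' = mostly-failed attempts spread
    over many usernames; 'brute_force' = mostly-failed attempts on few usernames."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start so the window spans at most window_s seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            if len(window) < min_attempts:
                continue
            failures = sum(1 for _, _, ok in window if not ok)
            if failures / len(window) < 0.5:
                continue  # a burst of mostly successful logins is not an attack pattern
            users = {u for _, u, _ in window}
            verdicts[ip] = "credential_stuffing" if len(users) >= min_users else "brute_force"
            break  # one verdict per IP is enough
    return verdicts
```

A stuffing campaign run through a botnet spreads attempts across many source IPs and stays under any per-IP threshold, so production detection also aggregates by target account, device fingerprint and overall failure rate rather than by source address alone.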
API security tools can prevent attackers from stealing authentication tokens and taking over accounts that expose APIs to client apps.
Account takeovers continue to grow in popularity for attackers because they have been so successful up until now. By taking the measures outlined above, organizations can protect themselves against financial fraud, compromise of business emails, data theft and other costly attacks that ATOs enable.