How to Protect Your Organization From Account Takeovers
The year 2021 was a big one for account takeover (ATO) attacks. According to a Javelin Strategy & Research study, losses from account takeovers rose 90% in 2021, to $11.4 billion. Typically the damage comes not so much from the takeover itself as from what it enables: business email compromise (BEC), financial fraud, data theft and malware distribution. Threat actors can use a taken-over account to attack an enterprise network directly, or indirectly through the email and corporate accounts of trusted suppliers, partners, vendors or service providers.
How Account Takeovers Happen
There are many ways for threat actors to gain access to and control over legitimate user accounts.
Stolen Credentials
Buying stolen credentials on dark web marketplaces is probably the easiest. A report by the Digital Shadows research team found 24,649,096,027 account usernames and passwords exposed by threat actors on such marketplaces in the past year, up 65% from 2020. These credentials generally come from previous data breaches and social engineering campaigns. They sell for surprisingly low prices on sites that resemble eBay, where independent cybercriminals list their goods and the marketplace takes a small commission.
Brute Force Hacking and Credential Stuffing
Brute-force tools use automated scripts to churn through username and password guesses, trying random strings and common passwords at high speed until one works. Such tools have been around for many years and are even available as hosted services with documentation and technical support.
Credential stuffing is the automated replay of email address and password pairs from previous data breaches against the login forms of other sites. It is not password cracking in the strict sense: the attacker already holds a valid password and is betting that the victim reused it elsewhere. Related tooling also tries small, predictable variations on a leaked password, such as Fido 123 to Fido 234, to catch users who "rotate" a password by changing a digit. Success rates are good thanks to poor password hygiene: reusing passwords across several accounts and choosing passwords that are easy to guess. The Digital Shadows report found, for example, that the 100 most common passwords accounted for 2.77% of 6.7 billion unique credentials, and that 123456 alone accounted for 0.46% of that pool.
In June 2021, attackers used credential stuffing to access thousands of TurboTax user accounts and the tax returns in them, exposing Social Security numbers, addresses and financial data.
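The two login patterns described above are easy to spot in authentication logs once you look for them. The following Python detector is an added example, not code from the original article: it runs over constructed sample log lines and flags one source failing against many distinct accounts (stuffing), one account being hit from many sources (a distributed attack through proxies or a botnet), and the success that follows such a burst, which is the event that usually marks the actual takeover. The log format, addresses, user names and thresholds are assumptions for illustration; a real deployment would parse its identity provider or web server logs instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). Format:
#   <ISO timestamp> <source IP> <username> <FAIL|SUCCESS>
SAMPLE_LOG = """
2021-06-01T10:00:01 203.0.113.7 alice@example.com FAIL
2021-06-01T10:00:02 203.0.113.7 bob@example.com FAIL
2021-06-01T10:00:02 203.0.113.7 carol@example.com FAIL
2021-06-01T10:00:03 203.0.113.7 dave@example.com FAIL
2021-06-01T10:00:03 203.0.113.7 erin@example.com FAIL
2021-06-01T10:00:04 203.0.113.7 frank@example.com SUCCESS
2021-06-01T10:01:00 198.51.100.5 grace@example.com FAIL
2021-06-01T10:01:20 198.51.100.5 grace@example.com FAIL
2021-06-01T10:01:40 198.51.100.5 grace@example.com SUCCESS
2021-06-01T10:02:00 192.0.2.1 heidi@example.com FAIL
2021-06-01T10:02:01 192.0.2.2 heidi@example.com FAIL
2021-06-01T10:02:02 192.0.2.3 heidi@example.com FAIL
2021-06-01T10:02:03 192.0.2.4 heidi@example.com FAIL
2021-06-01T10:02:04 192.0.2.5 heidi@example.com FAIL
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>FAIL|SUCCESS)$")


def parse_log(text):
    """Parse log lines into dicts sorted by time; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                       "user": m["user"], "result": m["result"]})
    events.sort(key=lambda e: e["ts"])  # stable sort keeps file order for equal timestamps
    return events


def detect_stuffing(events, window=timedelta(minutes=5), ip_threshold=5, user_threshold=5):
    """Flag three patterns (thresholds are illustrative assumptions):
    - stuffing_ips: one source failing against >= ip_threshold distinct accounts within `window`
    - distributed_targets: one account failing from >= user_threshold distinct sources
    - suspect_logins: a SUCCESS from a source already flagged as stuffing, i.e. a likely hit
    """
    fails_by_ip = defaultdict(list)    # ip   -> [(ts, user), ...]
    fails_by_user = defaultdict(list)  # user -> [(ts, ip), ...]
    stuffing_ips, distributed_targets, suspect_logins = {}, {}, []
    for e in events:
        cutoff = e["ts"] - window
        if e["result"] == "FAIL":
            fails_by_ip[e["ip"]].append((e["ts"], e["user"]))
            fails_by_user[e["user"]].append((e["ts"], e["ip"]))
            users_hit = {u for t, u in fails_by_ip[e["ip"]] if t >= cutoff}
            if len(users_hit) >= ip_threshold:
                stuffing_ips[e["ip"]] = max(stuffing_ips.get(e["ip"], 0), len(users_hit))
            sources = {i for t, i in fails_by_user[e["user"]] if t >= cutoff}
            if len(sources) >= user_threshold:
                distributed_targets[e["user"]] = max(distributed_targets.get(e["user"], 0), len(sources))
        elif e["ip"] in stuffing_ips:
            # The password worked for this account from a source that was just
            # failing across many accounts: treat it as a probable takeover.
            suspect_logins.append((e["user"], e["ip"], e["ts"].isoformat()))
    return {"stuffing_ips": stuffing_ips, "distributed_targets": distributed_targets,
            "suspect_logins": suspect_logins}


if __name__ == "__main__":
    for key, value in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

In the sample, grace's two failures followed by a success from her own address are left alone (one user, one source), while frank's successful login from the address that had just failed against five other accounts is reported as the suspect one. The distinct-count-per-window approach is what separates stuffing from ordinary mistyped passwords; a simple failure count per IP would also fire on a shared office NAT.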
Phishing
Despite extensive publicity and heavy investment in user training, phishing continues to succeed, because it only needs a small fraction of recipients to fall for it. Typically, phishing emails use social engineering to get users to click a link to a phony but authentic-looking web page and enter their login credentials there. Spear phishing emails are harder still to spot than mass phishing, because they are highly targeted and built on extensive research into the victim company.
Leaky APIs and Session Tokens
Vulnerable APIs can leak authentication tokens and let a threat actor take over an account without knowing anything about the user's password, and web apps can leak session cookies the same way. Recently, security researchers found 3,207 mobile apps exposing Twitter API keys in their code, potentially enabling an attacker to take over the linked Twitter accounts. Any secret embedded in a shipped app should be treated as public: anyone can unpack the app and read it.
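Finding embedded keys like the ones in that report is a matter of pulling the app apart and looking at its string resources. The Python scanner below is an added example, not code from the original article or from the researchers' tooling: it runs over a constructed excerpt of an Android strings.xml and flags entries by two signals, a resource name that hints at a credential and a value whose Shannon entropy is high enough to look like a random key. The file contents, names and thresholds are assumptions; the "secrets" are random-looking placeholders, not live credentials.

```python
import math
import re
from collections import Counter

# Constructed excerpt of an Android res/values/strings.xml. Not from any real app;
# the key-like values are placeholders made up for this example.
SAMPLE_STRINGS_XML = """
<resources>
    <string name="app_name">Example Client</string>
    <string name="api_base_url">https://api.example.com/v2/</string>
    <string name="twitter_consumer_key">Q3kP9zL2mXv8RtBn7hYcWd0Fa</string>
    <string name="twitter_consumer_secret" translatable="false">aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vWxYzCDHK</string>
    <string name="db_password">changeme</string>
    <string name="cfg_blob">Zy0Xw1Vu2Ts3Rq4Po5Nm6Lk7Ji8Hg9Fe</string>
    <string name="welcome_text">Welcome back, we missed you</string>
</resources>
"""

STRING_RE = re.compile(r'<string\s+name="(?P<name>[^"]+)"[^>]*>(?P<value>[^<]*)</string>')
SECRET_NAME_HINTS = ("key", "secret", "token", "passw", "credential", "auth")


def shannon_entropy(s):
    """Bits per character; 25 distinct characters score log2(25), about 4.6."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(name, value, min_len=20, min_entropy=4.0):
    """Return the list of reasons an entry is suspicious (empty list means clean).
    The name check catches low-entropy secrets such as 'changeme'; the entropy
    check catches random keys stored under an innocent name. URLs and values
    containing whitespace are exempt from the entropy check to cut false positives."""
    reasons = []
    if any(hint in name.lower() for hint in SECRET_NAME_HINTS):
        reasons.append("name suggests a credential")
    if (len(value) >= min_len and not re.search(r"\s", value)
            and not value.startswith(("http://", "https://"))
            and shannon_entropy(value) >= min_entropy):
        reasons.append("high-entropy value")
    return reasons


def scan_strings_xml(xml_text):
    """Return [(name, value, reasons)] for every string resource that looks like a secret."""
    findings = []
    for m in STRING_RE.finditer(xml_text):
        reasons = looks_like_secret(m["name"], m["value"])
        if reasons:
            findings.append((m["name"], m["value"], reasons))
    return findings


if __name__ == "__main__":
    for name, value, reasons in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{name}: {value[:12]}... ({', '.join(reasons)})")
```

Running it on an unpacked APK's resources (and on any hardcoded strings in the compiled code) is a cheap pre-release check; whatever it finds belongs in a backend the app talks to, behind per-user tokens, not in the binary.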
How Threat Actors use ATOs to Launch Other Attacks
Account takeover is generally the first step in a larger attack. These are the most common attacks for which ATOs serve as a launchpad:
Financial Fraud
Financial fraud is the most prevalent: attackers take over accounts at e-commerce sites, banks and other customer-facing services to make fraudulent transactions, such as ordering goods, spending loyalty points or transferring money to themselves.
Business Email Compromise
Business email compromise attacks take over the email accounts of trusted suppliers, company attorneys or internal employees such as the CEO or CFO, then use them to send unsuspecting employees messages urging them to pay fake invoices or change a supplier's or employee's bank account details, so that the money lands in the attacker's account.
Data Theft
Employee inboxes are often full of reports, discussions, spreadsheets and other sensitive company information that can be stolen via an ATO and used by competitors or others with bad intent. Attackers can also reach sensitive company or customer data through compromised cloud user accounts, or through the accounts of trusted suppliers, contractors or partners.
Malware and Ransomware
An attacker can use a stolen account to upload malware with an enticing file name to a shared cloud storage folder and wait for an unsuspecting employee to open it and infect their laptop. They can also send phishing emails from the compromised account to colleagues, who are far more likely to open a malicious attachment or click a malicious link when it arrives from a known sender.
Reputational Damage
Attackers can take over social media accounts and post offensive content that harms the owner's reputation. In July 2022, an outsider claiming revenge on employees at the Anaheim amusement park took over Disneyland's Instagram accounts and posted racist and explicit content.
Stopping ATOs
ATOs are rampant, but they can be stopped through a combination of training, best practices, and readily available tools.
Training employees in password hygiene is the first line of defense against ATOs: never reuse a password across accounts, prefer long passphrases over short "complex" ones, use a password manager, and screen new passwords against lists of common and previously breached passwords so that a choice like 123456 is rejected before it is ever set.
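Screening against breached-password lists does not require sending the password anywhere. The Pwned Passwords "range" API works on k-anonymity: the client sends only the first five hex characters of the password's SHA-1 and receives every known suffix under that prefix, so the service never learns which password was checked. The Python below is an added example, not code from the original article or from the service: it implements the client side of that exchange and a small acceptance policy, using constructed range responses (and made-up counts) so it runs offline. The offline fetcher's interface, the hash prefixes it covers and the policy thresholds are assumptions; to use the live service, replace the fetcher with an HTTP GET of https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib

# Constructed stand-ins for what the range endpoint returns for a 5-hex-character
# SHA-1 prefix: one "<35-hex-char suffix>:<count>" line per known hash. The lines
# and the counts here are made up for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": (  # prefix of SHA-1("password")
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\n"
    ),
    "7C4A8": (  # prefix of SHA-1("123456")
        "D09CA3762AF61E59520943DC26494F8941B:37000000\n"
        "000FD1F92C6587A6A1A3EC6D6B2E3A8F1AC:2\n"
    ),
}
FILLER_RANGE = "00000000000000000000000000000000000:1\n"  # returned for any other prefix


def offline_fetch_range(prefix):
    """Stand-in for the HTTP GET; assumed interface is prefix -> response text."""
    return CONSTRUCTED_RANGES.get(prefix, FILLER_RANGE)


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to the
    service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_text, suffix):
    """Breach count for `suffix` in a range response, 0 if absent. Padded responses
    can list suffixes with a count of 0; those mean 'not breached' as well."""
    for line in range_text.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def breached_count(password, fetch_range=offline_fetch_range):
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(fetch_range(prefix), suffix)


def password_acceptable(password, fetch_range=offline_fetch_range, min_len=8):
    """Policy (illustrative): minimum length, then reject anything ever seen in a breach."""
    if len(password) < min_len:
        return False, "too short"
    n = breached_count(password, fetch_range)
    if n:
        return False, f"seen {n} times in breaches"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("123456", "password", "correct horse battery staple"):
        print(candidate, "->", password_acceptable(candidate))
```

The matching is done client-side against the whole bucket on purpose; the count tells you how badly burned a password is, but any non-zero value should be enough to refuse it.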
Two-factor and multifactor authentication is essential for stopping attackers from using a stolen password to take over an account. Both require the user to present additional evidence beyond the password: something they have (a smartphone app, a hardware key, a one-time code) or something they are (a biometric). A stolen password alone then gets the attacker nowhere. One caveat: one-time codes can still be phished in real time by a proxy site that relays them to the genuine login, so for high-value accounts prefer phishing-resistant factors such as FIDO2/WebAuthn security keys, which bind the login to the real site's origin.
Email security tools use a combination of methods, including machine learning, to detect and filter out emails containing links to fake login pages.
Bot detection tools help stop ATOs that rely on bots to churn through login attempts. They typically rate-limit or lock out sources that fail too often and present CAPTCHAs that bots struggle to solve, which halts further automated logins. Web application firewalls can also filter out bots and protect accounts in other ways through analysis of web traffic.
API security tools can stop attackers from harvesting authentication tokens through the APIs an organization exposes to its client apps, by finding endpoints that return tokens or session identifiers they should not and by enforcing short token lifetimes, so that a token that does leak is useful only briefly.
Account takeovers continue to grow in popularity for attackers because they have been so successful up until now. By taking the measures outlined above, organizations can protect themselves from financial fraud, business email compromise, data theft, and the other costly attacks that ATOs enable.