Attackers no longer “break” into accounts. Instead, they log in using an existing user’s credentials. This account takeover provides access to IT environments where, often hidden by typical enterprise complexities, threat actors can move laterally.
The credentials are often found for sale on the dark web, where Initial Access Brokers sell unauthorized routes into compromised systems. Other entry points include paying existing account owners, brute-forcing passwords, and socially engineering an employee into exposing their credentials.
Why is account takeover a risk?
The average desk worker needs to access 11 applications for their day-to-day tasks, while 5% are using 26 or more. That compares to just six applications accessed per day in 2019.
These employees are more likely to be working remotely, using either company-owned hardware or their own devices. With every new identity needed, the attack surface expands, especially as a reported 39% of users reuse existing passwords. Because one stolen password then unlocks every account that shares it, credential stuffing becomes another threat.
Depending on the account breached and the sophistication of the attack, the associated permissions can allow movement to go undetected, often for extended periods: the average is 207 days. This mix of privilege and potential for long-term damage is partly why account takeover fraud was one of the most encountered threats reported by US businesses in 2023.
Common account takeover tactics
Account takeover goals are simple: Maintain access, expand reach and locate valuable resources, all while staying undetected. However, the routes are complex and varied.
Phishing
A malicious actor sends an email, sometimes impersonating an entity. This entity can be a bank, a corporate department or a specific person that the recipient trusts or regards as a person of authority.
The email may include an invitation to click a link or open a file that may result in malware being downloaded to the recipient’s machine. Or it can be a message that encourages them to share sensitive information that the malicious actor can use for extortion or login purposes.
Man-in-the-middle
A man-in-the-middle (MITM) attack can also be used to launch session hijacking. Because it can happen in multiple ways, it is harder to defend against. Sometimes it comes from a script attack that just needs the recipient to click a link; other times it involves exploiting vulnerable protocols or unencrypted networks, or stealing a valid session token.
A MITM attacker just needs to intercept the flow of information between legitimate users and services. Sitting in the middle of the traffic, they can gather sensitive data and login credentials, and can redirect bank transfers to their own accounts. A common route is setting up a fake WiFi hotspot for unsuspecting users to connect to, leaving the door open to their private systems or banking applications.
Session hijacking
A session is created every time a user logs in to a website, so there are many opportunities for cybercriminals to exploit, especially if the website, application or server has weak spots vulnerable to cross-site scripting, another vector.
The cybercriminal steals the user’s session cookies using malware and can then present the cookie from their own browser and take over the session. Because the server already treats that session as authenticated, this attack vector bypasses authentication completely, including MFA and SSO. What’s more, the busier the network, the more chance of a breach remaining undetected amid usual traffic.
What are some of the real-world consequences of account takeovers?
Consequences vary, depending on the attacker’s goal. They may be motivated by financial reward or some type of extortion to interrupt service or destroy data. Whatever the motivation, the consequences are usually immediate and long-lasting.
Data exfiltration
These days, data is seen as the new currency, so businesses lose their most valuable asset when it’s exfiltrated. Sensitive data and intellectual property may be sold on the dark web or to competitors for market advantage.
Financial loss
Account takeover can result in accounts being emptied. Depending on the industry, there may also be regulatory action to deal with. If the breach involves EU customers, there’s the risk of GDPR fines of up to 4% of annual turnover or €20 million. Individual US states also have their own civil penalties, with up to $500,000 due in Florida “if the violation continues for more than 180 days.” There may also be a longer-term revenue loss.
Reputational damage
Up to 75% of US consumers said they’d consider walking away from a company that had experienced a cybersecurity issue. Companies have few ways to mitigate this risk: a breach can be made public by the attackers, or the organization exposes it itself when reporting to regulators.
Downtime
Further financial loss comes from the operational fallout. Global 2000 companies lose a reported 9% of annual profits when digital environments fail unexpectedly. Data may be encrypted using ransomware, disks may be wiped or systems shut down. This service disruption costs businesses dearly in terms of output and risk to agreed-upon SLAs. Customer experience is also negatively impacted, with users either unable to log in or suffering delays.
Repeat attacks and malware
Much like a burglar can return to the scene of their crime, attackers may also return to carry out further attacks. They may have left behind backdoors that allow access, such as newly created user accounts, installed Trojans, rootkits and even hardware devices. If they successfully erase their footprints, such as by deleting logs or hiding account activity, organizations may not be aware of the repeated risk.
What are some account takeover prevention and mitigation strategies?
Preventing account takeover means tightening up your architecture so that any account takeover is limited in its potential to cause damage.
MFA
This is an effective way to mitigate many attacks that aim to compromise and use passwords, such as brute force attacks, MITM attacks, phishing and spear phishing. The attacker may know the password, but without the secondary authentication factor the login can be blocked.
However, if the authentication device is a phone, MFA can be circumvented by a SIM swap, in which the target loses their phone number to the attackers. To alleviate this, an additional identity factor can add a layer of defense to identity and access verification: biometrics can provide the “something you are” variable alongside “something you know” and “something you have.”
Session timeouts and reauthentication
These can be configured with your identity provider. You can set sign-in frequencies over periods of hours or days. Users won’t usually be prompted more often than once every five minutes, partly to avoid impacting productivity, and partly to not “increase the risk of users approving MFA requests they didn’t initiate.”
Cybercriminals will use urgency in their messaging to targets, hoping that users will act and approve a request without thoroughly thinking. That’s where education and training come in.
Education and training
Staff are the first line of defense, yet are also a prime target for social engineering attacks that play on:
- Trust: “Hey, it’s me from a different email address.”
- Urgency: “We need that money transferred now.”
- Respect for authority: “Hi there, can you do a favor for the CEO?”
In other words, attacks like these play on the emotions that make us human. Realistic role-play training is an effective response: for example, sending simulated spear phishing emails to specific employees, chosen based on their authority and potentially elevated or unmonitored privileges.
Monitoring and anomaly detection
Continuously monitoring user activity allows organizations to harness behavioral analytics to detect suspicious behaviors and anomalies.
Maybe a dormant account or entity becomes active. Perhaps an existing user starts making unusual or irregular access requests. Multiple login attempts from the same IP may indicate a botnet attack.
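As an added illustration of two of the rules just listed (not code from the original article), this Python detector runs over constructed authentication log lines and flags a dormant account becoming active again and a burst of login attempts from one IP. The log format, the 90-day dormancy threshold and the 5-attempts-per-minute burst threshold are assumptions a real deployment would tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one login attempt per line.
AUTH_LOG = """\
2024-05-01T08:02:11Z user=alice result=success ip=203.0.113.5
2024-01-15T09:00:00Z user=bob result=success ip=198.51.100.7
2024-05-01T08:05:40Z user=bob result=success ip=198.51.100.7
2024-05-01T08:10:00Z user=carol result=failure ip=192.0.2.9
2024-05-01T08:10:02Z user=dave result=failure ip=192.0.2.9
2024-05-01T08:10:04Z user=erin result=failure ip=192.0.2.9
2024-05-01T08:10:06Z user=frank result=failure ip=192.0.2.9
2024-05-01T08:10:08Z user=grace result=failure ip=192.0.2.9
2024-05-01T08:10:10Z user=heidi result=success ip=192.0.2.9
"""

DORMANT_AFTER = timedelta(days=90)    # assumed: no login for this long = "dormant"
BURST_COUNT = 5                       # assumed: this many attempts from one IP ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this window = stuffing/brute force

def parse(line):
    """Turn '<iso-time> user=x result=y ip=z' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def detect(log_text):
    """Return (alert_type, subject, timestamp) tuples in the order they fire."""
    # Process in timestamp order, as a streaming detector would, so bob's
    # January login builds the baseline before his May login is judged.
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    last_success = {}                  # user -> time of last successful login
    recent_by_ip = defaultdict(deque)  # ip -> timestamps inside BURST_WINDOW
    alerts = []
    for ev in events:
        # Rule 1: dormant account active again (alice has no baseline, so stays silent).
        if ev["result"] == "success":
            prev = last_success.get(ev["user"])
            if prev is not None and ev["ts"] - prev > DORMANT_AFTER:
                alerts.append(("dormant_account_active", ev["user"], ev["ts"]))
            last_success[ev["user"]] = ev["ts"]
        # Rule 2: burst of attempts from one IP; fires once, when count first hits BURST_COUNT.
        window = recent_by_ip[ev["ip"]]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) == BURST_COUNT:
            alerts.append(("login_burst_from_ip", ev["ip"], ev["ts"]))
    return alerts
```

Running `detect(AUTH_LOG)` on the sample yields one dormant-account alert for bob (107 days between logins) and one burst alert for 192.0.2.9.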
Device recognition
Devices and browsers trying to gain access can be identified. This form of fingerprinting means that if a user’s device appears as “unknown,” access can be refused.
If a user always logs in from their desktop and suddenly starts trying to use a phone, fraud detection systems can flag this too.
Risk-based authentication (RBA)
RBA assesses how risky each login attempt is from the user’s behavior and context. For example, logging in from the same device as usual constitutes a lower risk that the attempt is fraudulent. In contrast, a login from a new device may trigger a request for an extra authentication factor to validate access.
These include OTP codes, biometric identity-based verifications or answering a security question. Activity flagged as high risk, such as a login with a new device in a new location, means a stricter and more comprehensive authentication process.
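An added example, not from the original article, of how the device recognition and risk-based authentication just described combine into one login decision: a known device in a usual location passes with the password alone, a new device or location requires an extra factor, and a new device in a new location gets the stricter process. The profile fields, the signal weights and the tier threshold are assumed values an identity provider would tune.

```python
from dataclasses import dataclass, field

@dataclass
class UserProfile:
    """What the identity provider remembers about a user (assumed shape)."""
    known_devices: set = field(default_factory=set)    # fingerprints from past successful logins
    usual_countries: set = field(default_factory=set)  # where those logins came from

@dataclass
class LoginContext:
    """Signals available at the moment of a login attempt (assumed inputs)."""
    device_id: str            # browser/device fingerprint presented now
    country: str              # geolocated from the source IP
    recent_failures: int = 0  # recent failed attempts on this account, from monitoring

# Assumed weights; a real IdP tunes these against its own false-positive rate.
WEIGHT_UNKNOWN_DEVICE = 40
WEIGHT_NEW_LOCATION = 40
WEIGHT_RECENT_FAILURES = 30
STRICT_THRESHOLD = 80   # reached by a new device in a new location, or worse

def risk_score(profile, ctx):
    """Additive risk score plus the reasons that contributed to it."""
    signals = [
        (ctx.device_id not in profile.known_devices, WEIGHT_UNKNOWN_DEVICE, "unknown device"),
        (ctx.country not in profile.usual_countries, WEIGHT_NEW_LOCATION, "new location"),
        (ctx.recent_failures >= 3, WEIGHT_RECENT_FAILURES, "recent failed attempts"),
    ]
    score = sum(weight for hit, weight, _ in signals if hit)
    reasons = [reason for hit, _, reason in signals if hit]
    return score, reasons

def decide(profile, ctx):
    """Map the score to what the attempt must complete: 'allow' (password only),
    'mfa' (one extra factor such as an OTP code or biometric), or 'strict'
    (a more comprehensive process, e.g. several factors plus manual review)."""
    score, reasons = risk_score(profile, ctx)
    if score == 0:
        return "allow", reasons
    if score < STRICT_THRESHOLD:
        return "mfa", reasons
    return "strict", reasons

def register_success(profile, ctx):
    """After a completed login the device and location become known, so the
    same device next time is the lower-risk case the article describes."""
    profile.known_devices.add(ctx.device_id)
    profile.usual_countries.add(ctx.country)
```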
Account takeover: Prevention, preparation and response
Alongside phishing, MITM and session hijacking, IT leaders know that attacks will continue to grow in volume, variety and velocity. Many also know the costs of not having an adequate response strategy – $204,000 spent on breaches each year – especially when experiencing almost one breach every 12 months.
That’s why it’s critical to put the defense mechanisms available in place and to link them to identity management where possible. Most users are used to MFA, so education and training can be more focused on the advanced psychological tactics used by threat actors.
Meanwhile, enterprise architecture can be secured with techniques such as session timeouts, repeated authentication, monitoring and anomaly detection. Combine these with seamless identity management and device recognition tools that measure risk in real-time, and there’s little impact on user productivity. Security is maintained, and account takeover threats can be managed, mitigated and minimized.