Email Security Intelligence - Is Your Organization Vulnerable to Account Takeover?

Account takeover is an attack in which threat actors steal or otherwise obtain credentials and use them to gain unauthorized access to an account belonging to someone else. The victim is targeted because the account holds funds or provides access to products, services, or other private information that can be sold.

This attack is pervasive, difficult to detect, and expensive to recover from, and it can be under way even while you are working to secure your accounts. This article discusses what an account takeover attack is, the signs that your business may be vulnerable, and how to protect yourself.

What is Account Takeover?

Account takeover (ATO) is an attack that gives the attacker the data and privileges associated with the compromised account. The attacker will typically use social engineering to breach one account and then pivot to additional accounts, which can be difficult to detect because every login uses valid credentials. A common example is a phishing attack that manipulates the target into surrendering their login credentials through a fraudulent email, website, or online form. Both private and corporate accounts can be targets of ATO attacks. The motivation is usually financial, as cybercriminals typically look for the quickest and simplest payout.

ATO attacks can impact any organization with a user-facing login, though financial organizations have long been the most targeted for fraudulent access to user accounts. ATO is more severe for financial organizations because it can lead directly to theft and the compromise of financial accounts. In today’s threat landscape, this includes stealing cryptocurrency, selling personal information, and tricking victims into installing ransomware.

The cybercriminal’s goal may also be to gather personally identifiable information (PII), which can be used to commit identity theft. Personal details harvested in one compromise are reused in spam and phishing campaigns to make the communications appear more realistic and to help attackers reach their next victims. These attacks generally target the public sector, healthcare, and academic institutions.

Is Your Account Vulnerable?

Threat actors use several different strategies to obtain the information they need to perform an account takeover, including:

  • Phishing: cybercriminals typically create a false sense of urgency to convince a user to interact with a malicious attachment or link in an email. The user is then redirected to a fake website designed to pass for their financial institution (or another service they use), where their account credentials are captured.
  • Malware: this type of attack is both common and difficult to detect. Malware, or malicious software, is installed on a victim’s computer by an attacker so that they can capture the user’s information, for example through keylogging or by redirecting the browser to a fraudulent website.
  • Man-in-the-Middle Attack: a man-in-the-middle (MITM) attack is a general term for an attacker positioning themselves between a user and an application so that the exchange still appears normal to both parties. One common form uses a rogue wireless access point to intercept the customer’s traffic and harvest the data needed to access their account.
  • Credential Stuffing: an attack in which the attacker collects credentials stolen in one breach and replays them, through large-scale automated login requests against a web application, to gain unauthorized access to accounts on other systems. It works because people reuse passwords, which is why it is so important to have a unique password for every account you own.
  • Botnet Attack: an attack in which the attacker deploys a network of malware-infected machines (a botnet) under their control to launch a string of attacks. Sophisticated bots can take over a significant number of accounts before they are identified and can rotate between thousands, if not millions, of IP addresses, which defeats simple per-IP blocking.

Impact of an Attack

If threat actors successfully execute an account takeover, they can carry out a range of fraudulent activities. Because the fraudster logs in with legitimate credentials, account takeover fraud can be particularly challenging to spot, so it is important to be able to recognize the suspicious activity that can indicate one. Potential consequences of a successful attack include the attacker being able to:

  • Order a new card from your credit card company and use it to make purchases.
  • Buy a new smartphone from your mobile phone carrier.
  • Access and redeem your account credits or rewards points for their own benefit.
  • Make a payment to a fraudulent company from your bank account.
  • Open a new bank account in your name.
  • Place orders on a shopping or restaurant delivery site.
  • Redirect unemployment benefits.
  • Access and steal personally identifiable information.
  • Change account information, including your phone number, email, home address, or login and passwords.
  • Use the information they obtain to access other accounts.
  • Sell the account information on the dark web.

Repeated ATO attacks can ultimately lead to customer churn through loss of trust, and even to permanent damage to your brand. This is worsened by the threat of lateral phishing, in which attackers use recently hijacked accounts to send phishing emails to unsuspecting recipients such as close contacts within the company and partners at external organizations. Because lateral phishing comes from a legitimate email account and appears to be from a trusted colleague or partner, it tends to have a high success rate.

How to Protect Your Business

Cybercriminals are constantly finding new ways to exploit a business’s vulnerabilities and break into its systems. Some basic ways to spot harmful emails include:

  • Check the sender’s email address: an official-looking address does not necessarily mean the message is official, but a random address with no relation to the legitimate sender should be treated with caution. Look at the actual address, not just the display name, because the sender controls what the display name says.
  • Look for spelling, punctuation, and grammar mistakes: official emails should be free from common mistakes. Pay particular attention to awkward phrasing, as many phishing messages are written by non-native English speakers.
  • Check links before clicking on them: hover over any link so that your email client displays the real destination, and verify that it actually goes to the genuine website. The visible link text can say one thing while the underlying URL points somewhere else.
  • Think about what the email asks for: legitimate organizations will never request your Social Security number, password, or other account details via email.
  • Don’t be provoked by a sense of urgency: take your time and think before you act.
  • Avoid opening unexpected attachments: opening an attachment in a phishing email can install malware such as ransomware, which locks up your computer and encrypts documents to block access.
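The sender and link checks in the list above can be automated. The block below is an added example, not code from the original page or from any product it mentions: it parses a raw message with Python’s standard library and reports a display name that shows one address while the real sender is another, a Reply-To that diverts replies to a different domain, a link whose target is a bare IP address, and link text that names one site while the href goes to another. Both sample messages, their domains and their addresses are constructed for the demonstration.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not from the original page). Domains use the
# RFC 2606 reserved names; the bare IP is from an RFC 5737 documentation range.
PHISHING_MESSAGE = """\
From: "support@bank.example" <alerts@mailer.example.net>
Reply-To: verify@bank-secure.example.org
To: victim@example.com
Subject: Urgent: your account will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed unusual activity. Confirm your identity now:</p>
<p><a href="http://203.0.113.9/login">https://bank.example/login</a></p>
<p>Questions? Contact <a href="https://bank.example/help">Bank Support</a>.</p>
</body></html>
"""

CLEAN_MESSAGE = """\
From: Bank Support <support@bank.example>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at <a href="https://bank.example/statements">bank.example/statements</a>.</p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(address):
    return address.rpartition("@")[2].lower()


def _host(url):
    """Hostname of a URL; bare 'host/path' text is treated as http://host/path."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze_message(raw):
    """Return a list of (check, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []

    display, sender = parseaddr(msg.get("From", ""))
    # The display name is attacker-controlled; an address shown there that
    # differs from the real sender is the classic lure.
    if "@" in display and _domain(display) != _domain(sender):
        findings.append(("display-name-mismatch", f"{display!r} shown, but sender is {sender}"))

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(sender):
        findings.append(("reply-to-mismatch", f"replies go to {reply_to}, not {sender}"))

    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
        extractor = LinkExtractor()
        extractor.feed(html)
        for href, text in extractor.links:
            host = _host(href)
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                findings.append(("ip-link", f"{href} points at a bare IP address"))
            # Visible text that itself looks like a URL or domain must agree
            # with the real target; this is what hovering before you click checks.
            if "." in text and " " not in text and _host(text) != host:
                findings.append(("link-text-mismatch", f"text says {text!r} but target is {host}"))
    return findings


if __name__ == "__main__":
    for check, detail in analyze_message(PHISHING_MESSAGE):
        print(f"{check}: {detail}")
```

The phishing sample produces four findings and the clean one none. These heuristics only cover the cases a reader can check by eye; a mail gateway would add authentication results (SPF, DKIM and DMARC) and reputation data on the link hosts before making a decision.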

The consequences of a successful attack can be extreme. Fortunately, there are stronger measures you can implement to protect your business and customers. For example:

Multi-Factor Authentication

One method for reducing the effectiveness of credential stuffing is multi-factor authentication (MFA). MFA is a security control that requires more than one method of authentication to confirm a user’s identity for logins and other transactions. It works by combining the user’s credentials (something they know) with a second factor, such as a one-time code from a device they possess, to confirm that the person logging in is the account owner. A stolen password alone is then not enough, and many MFA systems additionally challenge logins that arrive from an unusual location or device.
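To make the second factor concrete, the block below is an added example, not code from the page or from any vendor it mentions. It implements the HOTP (RFC 4226) and TOTP (RFC 6238) one-time codes that authenticator apps generate, plus the server-side verification a login service performs after the password check: constant-time comparison, a one-step tolerance for clock drift, and rejection of any code at or before the last step already accepted, so a code captured by a phishing page cannot be replayed. The shared secret is the RFC test-vector key, an assumption for the demonstration; real deployments provision a random secret per user.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation, then the low `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch, so the code changes every 30 s."""
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Server-side check of the 'something you have' factor. Accepts codes from
    the current step and `drift` steps either side (clock skew) and never
    accepts a step at or before the last accepted one (replay protection)."""

    def __init__(self, secret, step=30, digits=6, drift=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.last_accepted = -1  # highest time step already consumed

    def verify(self, code, at=None):
        # Reject anything that is not exactly `digits` ASCII digits up front;
        # compare_digest below needs ASCII strings of the same length.
        if not (isinstance(code, str) and code.isascii() and code.isdigit()
                and len(code) == self.digits):
            return False
        now = int(time.time()) if at is None else int(at)
        counter = now // self.step
        for candidate in range(counter - self.drift, counter + self.drift + 1):
            if candidate <= self.last_accepted:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(expected, code):
                self.last_accepted = candidate
                return True
        return False


if __name__ == "__main__":
    # Key from the RFC 4226/6238 test vectors (an assumption for the demo;
    # real secrets are random and provisioned per user when MFA is enrolled).
    secret = b"12345678901234567890"
    print("current code:", totp(secret, time.time()))
```

The password check still runs first; this only decides the second factor. With the RFC key, counter 1 (the 30-second step that contains T=59) yields 287082, and once the verifier has accepted that step it refuses the same code again, which is the property that turns a phished one-time code into a dead end after a single use.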

AI-Based Detection

Artificial intelligence (AI) based tools for cybersecurity help reduce the risk of a breach and improve security posture. AI and machine learning (ML) systems learn from past behavior to build profiles of users, assets, and networks, which lets them detect and respond to deviations from the norm, including new and emerging attacks that have no known signature.

Multi-Layered Email Security Protection

The vast majority of cyber threats originate with an email. Implementing multi-layered email protection, accompanied by expert, ongoing monitoring, maintenance, and support, secures email by dynamically analyzing sender behavior, URLs, and attached files so that attacks are stopped before they can exploit a vulnerability.

Payoff Is Greater With Financial Credentials

The financial industry has long been a top target for cybercriminals. Research shows that financial and financial technology (fintech) customers’ stolen account credentials are more valuable than those stolen from almost any other site.

According to a study conducted earlier this year, credentials stolen from legitimate financial and fintech accounts have the second-largest revenue potential for cyber thieves. The study also found that dark web market prices, combined with the potential revenue from using these credentials for scams, can result in a payout of $24,000.

Threat actors are financially motivated and attack fintech companies and banks to earn a profit. To deploy account takeover attacks at scale, attackers have to invest more time and money into building bots that automate the attack, which eats into that profit.

The same report also stated that as the dark web has grown as a marketplace for fraudulent goods and services, cybercriminals have become more sophisticated about which accounts they target in which industries, and more automated in their attacks, in order to maximize their return. Criminal operations with the longest and best standing in this online marketplace can sell more of their stolen financial account credentials, and at a higher price.

Keep Learning

Account takeover can be highly damaging to your business, so maintaining strong account security and remaining vigilant are both key to preventing a successful attack. Limiting your vulnerabilities is the first step to stopping account takeover fraud before it happens.

  • Prepare your business for cyberattacks to make sure employees stay safe online.
  • Improve your email security posture by following best practices to protect against attacks and breaches.
  • Protecting the integrity of your email requires securing cloud email with spam filtering and enterprise-grade anti-spam services.
  • Learn more about the consequences of modern phishing attacks in our Phishing eBook.
