In an account takeover (ATO) attack, an attacker gains unauthorized access to the credentials for a user’s online account. This access can then be used for identity theft, fraud, and to enable other cyberattacks, such as access to a user’s corporate credentials to login and plant ransomware within the corporate network.

How Account Takeover Works?

Most authentication systems are password-based, and passwords are notoriously insecure. Most people will use the same password for multiple accounts, and this password is typically weak and easily guessable. Even if an organization has policies in place to enforce strong passwords (length, required characters, etc.), employees will often modify passwords in predictable ways.

The exploitation of weak passwords is a common means of account takeover but it is not the only one. Other techniques, such as the use of malicious web pages and social engineering provide the attacker with an account password without the need to guess.

The Types of Account Takeover

Account takeover attacks are a common cybersecurity threat and come in a variety of different forms. Some of the most common types of account takeovers include:

  • Data Breaches: Data breaches are a common source of leaked authentication information. If password hashes are included in a data breach, cybercriminals can use them to test guesses for account passwords.
  • Password Guessing: Weak passwords make it easy for cybercriminals to guess the correct credentials for online accounts. When nearly 10% of exposed passwords are 123456, it doesn’t take long to guess the password to many online accounts.
  • Credential Stuffing: Many people reuse the same password across multiple accounts, a mistake that cybercriminals are happy to take advantage of. When a user’s password is breached for one account, attackers will try the same credentials on other sites to take advantage of the reused password.
  • Malicious Webpages: Phishing pages or compromised legitimate pages can have malicious code designed to harvest and transmit user credentials to the attacker.
  • Social Engineering: Phishing attacks and other social engineering techniques can be used to trick users into giving their credentials to an attacker.

Warning Signs of Account Takeover Attacks

Account takeover attacks can be difficult to detect at first because the user’s credentials may be compromised in an area in which the organization lacks visibility. For example, the exposure of a reused password due to a breach of a different online account is undetectable to an organization.

However, an organization can monitor for warning signs that an employee’s account has been compromised. Some key indicators include:

  • Failed Logins: Account takeover attacks that attempt to guess or stuff credentials on online portals can generate a large number of failed detections. Monitoring for these failed login attempts can help with detecting some types of account takeover threats.
  • User Analytics: Users typically have certain patterns of behavior, logging in at certain times from specific places, etc. Access attempts that break these patterns of behavior can be warning signs of a compromised account.
  • Insecure Configurations: Cybercriminals will commonly disable security controls and set up unusual configurations such as mail filtering and forwarding. These types of changes may indicate that a user account has been compromised.

Malicious Activities: Cybercriminals may use a compromised account to send phishing emails or attempt to exfiltrate sensitive information from an organization’s systems and networks. An account exhibiting these malicious behaviors may have been compromised by an attacker.

How to Protect Against Account Takeover

Account takeover attacks can be carried out in a variety of ways. Companies can protect themselves against these attacks by implementing certain protections, including:

  • Cyber Awareness Training: Many account takeover strategies involve tricking the employee or taking advantage of their security errors. Training employees on cybersecurity best practices can help to prevent these attacks.
  • Anti-Phishing Solutions: Phishing emails are a common method by which cybercriminals steal account passwords. Anti-phishing solutions can help to detect and block phishing content before it reaches the intended target.
  • Password Policies: Many account takeover strategies take advantage of weak and reused passwords. Implementing strong password policies can help to make employee passwords more difficult to guess.
  • Multi-Factor Authentication: Multi-factor authentication (MFA) requires both a password and other factors for user authentication. Implementing MFA throughout the enterprise helps to limit the impact of compromised credentials.

Account Monitoring: A compromised user account can raise a number of red flags. Monitoring for these warning signs enables an organization to detect and remediate these compromised accounts.

Protect Against ATO with Avanan

Account takeover attacks pose a significant risk to enterprise cybersecurity because they provide an attacker with the access and permissions assigned to the legitimate account owner. Once an attacker has access to a user’s account, they can immediately move to consolidate that access and exploit it to cause harm to the organization.

Check Point and Avanan takes a prevention-focused approach to managing account takeover attacks, detecting and blocking unauthorized account access before it poses a risk to the organization. Learn more about managing the risk of account takeover attacks by reading this whitepaper. You’re also welcome to sign up for a free demo to learn how your organization can better protect itself against unauthorized access to corporate resources.