Account takeover (ATO) attacks involve threat actors gaining access to and control over legitimate user accounts. After taking control of a user’s account, the malicious actor then uses the account’s credentials to launch further attacks.
One recent study found that ATO increased by 90 percent from 2020 to 2021. Cybercriminals increasingly target individual personal and business accounts as initial attack vectors because it’s efficient and doesn’t depend on sophisticated techniques.
How Does Account Takeover Happen?
The success of an account takeover attack starts with credential theft to access and control a user’s account. Obtaining valid credentials or authentication tokens is necessary, and there are several ways of doing this, such as:
Purchasing stolen credentials
24,649,096,027 exposed account user names and passwords were available for purchase on dark web marketplaces according to this 2022 Digital Resources report—that’s a 65% increase from 2020. These credentials usually come from previous data breaches and social engineering campaigns.
Threat actors interested in carrying out account takeover can purchase credentials and attempt to log in to user accounts. Stolen credentials will continue to be available for purchase as long as there are users who aren’t following best practices and using the same password across multiple accounts and services.
Brute force hacking
Another way to obtain valid credentials is through brute force hacking methods. One common method is to use a password cracking tool to automate password guesses. These tools have been around for a long time—they are even available as a hosted service with tech support and detailed documentation. They work well for credential stuffing attacks because an alarming percentage of people use similarly common passwords. So, an attacker just needs to load these cracking tools with email addresses and common passwords found in data breaches, then using automated bots or botnets, the tool will try every possible combination to log in.
Once all the common passwords have been used, the software will make logical iterations to the common passwords. For instance, in addition to Sunshine252 it will Sunshine253, Sunshine254, and so forth.
Phishing emails can create a convincing pretext for people to voluntarily give up their login credentials for various accounts. Common approaches create a sense of urgency or importance to get the user to click on links to spoofed webpages that look exactly like the login page of genuine services. The target then unknowingly reveals their login credentials by submitting them in the login fields of spoofed URLs.
Accessing session cookies or authentication tokens
There are other ways to take control of user accounts that don’t rely on getting usernames and passwords. For example, vulnerable APIs can leak authentication tokens and enable account takeover without the threat actor knowing anything at all about a user’s password. Similar incidents can arise when web apps mistakenly leak session cookies.
How Threat Actors Abuse Account Access
Establishing control over a user’s account provides a launchpad for engaging in further malicious activity. Here are three common ways that threat actors abuse their access to accounts they’ve taken over.
Fraud is a very common motive for taking control of accounts. When targeted at users of customer-facing services, such as e-Commerce stores, ATO facilitates committing fraudulent transactions. Threat actors can use their control of accounts to order goods, use loyalty points, or even send money to themselves.
When targeted at users of business applications, ATO can facilitate fraud in a different way. Business email compromise (BEC) is a type of attack that sometimes deploys ATO methods. Threat actors seize control of email accounts belonging to trusted suppliers or internal employees. Fraudulent activities include requesting payments for fake invoices or asking payroll to change the employee’s bank details to a bank account under the malicious actor's control.
Depending on the account that’s taken over, ATO attacks have the potential to result in the exfiltration of sensitive company data. Consider the fact that employee email inboxes often include sensitive reports, discussions, and spreadsheets. Some cloud user accounts provide access to sensitive data assets.
Account takeover is a possible path to installing malware or ransomware within a corporate IT environment. For example, an attacker might upload malware with an enticing filename to a shared cloud storage account for curious employees to open and then infect their machine. Internal phishing emails piggybacking off the trust people have in their colleagues’ email accounts could also spread malicious files through a network.
By taking over social media accounts, outsiders can cause significant reputational damage to brands and individuals. These types of account takeovers aren’t very common, but there have been instances of disgruntled customers and hacktivists wanting to inflict reputational harm.
Real-World Examples of ATO
Intuit specializes in a range of financial software often sued by small to medium-sized businesses. In June 2021, hackers managed to access sensitive information belonging to users of Intuit’s TurboTax software, which is widely used to prepare income tax returns.
Information stolen during the attacks on TurboTax included names, Social Security numbers, addresses, and financial information. Accounts that were taken over in this incident were identified as reusing credentials from a source outside of Intuit. This was a prime example of how stolen credentials along with password reuse create a perfect storm for account takeover attacks.
With many companies today being software-led, in-house code built by developers is a widespread source of intellectual property. It’s for this reason that a June 2022 flaw in the Community and Enterprise versions of web-based code repository GitLab is worth mentioning.
The vulnerability created an opening for potential account takeovers in certain configurations of single-sign-on. While it’s unclear if any companies became victims of this flaw, the incident demonstrates the breadth of different accounts susceptible to takeover and the diversity of consequences from ATO.
In July 2022, Disneyland suffered somewhat of a PR nightmare when its Instagram accounts were taken over by an outsider who posted offensive content to millions of followers. These types of incidents highlight the importance of using two-factor, or multi-factor (MFA) authentication on social media platforms.
ATO Mitigation Tips
- Email security solutions can prevent phishing emails from resulting in access to accounts. Advanced solutions can use machine learning, computer vision, and other technologies to filter out emails containing links to spoofed login pages.
- Employee training and awareness modules need to educate users effectively and consistently about the importance of best practice password security, including never reusing passwords and the use of complex passwords. Dedicated password managers can assist users in creating different, complex passwords for multiple services without necessarily needing to remember them all.
- Two-factor or multifactor authentication should be mandatory across business services. Both methods of authentication can prevent many ATO attacks by requiring malicious actors to present additional evidence, beyond username-password pairs, to verify who they are. It’s highly unlikely (although not impossible) for outsiders to seize control over a second or third authentication factor (e.g., a smartphone with a one-time code or biometric data).
- API security is increasingly important in preventing threat actors from stealing authentication tokens and taking over accounts at businesses that expose APIs to client apps.
- Bot detection solutions are also worth considering because many brute force login methods deploy armies of bots to scale login attempts. These solutions usually display Captchas that bots struggle to solve and prevent further login attempts. Other solutions in this class could include web application firewalls that filter out bots but also perform other functions based on analyzing web traffic.