Account takeover (ATO) attacks involve threat actors gaining access to and control over legitimate user accounts. After taking control of a user’s account, the malicious actor then uses the account’s credentials to launch further attacks.
One recent study found that ATO increased by 90 percent from 2020 to 2021. Cybercriminals increasingly target individual personal and business accounts as initial attack vectors because it’s efficient and doesn’t depend on sophisticated techniques.
An account takeover attack starts with credential theft: the attacker needs valid credentials or an authentication token to access and control a user's account. There are several ways of obtaining them, such as the following:
According to a 2022 Digital Resources report, 24,649,096,027 exposed account usernames and passwords were available for purchase on dark web marketplaces, a 65% increase from 2020. These credentials usually come from previous data breaches and social engineering campaigns.
Threat actors interested in carrying out account takeover can purchase these credentials and attempt to log in to user accounts. Stolen credentials will remain available for purchase as long as there are users who ignore best practices and reuse the same password across multiple accounts and services.
Another way to obtain valid credentials is through brute force methods. One common approach is to use a password cracking tool to automate password guesses. These tools have been around for a long time; some are even offered as a hosted service with tech support and detailed documentation. They work well for credential stuffing attacks because an alarming percentage of people use the same common passwords. An attacker only needs to load such a tool with email addresses and common passwords found in data breaches; the tool, running on automated bots or a botnet, then tries each combination against the login page.
Once all the common passwords have been tried, the software makes logical variations on them. For instance, in addition to Sunshine252 it will try Sunshine253, Sunshine254, and so forth.
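As an added example (not from the original article), a small Python heuristic that a defender could run over authentication logs to spot the credential stuffing pattern just described: one client cycling through many different usernames with mostly failed logins in a short window. The log format, the thresholds and the sample lines are all constructed assumptions.

```python
# Flag credential-stuffing activity: one source IP cycling through many distinct
# usernames with mostly failed logins inside a short time window (illustrative heuristic).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> ip=<addr> user=<name> result=<success|failure>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 ip=203.0.113.7 user=alice result=failure
2024-05-01T10:00:02 ip=203.0.113.7 user=bob result=failure
2024-05-01T10:00:03 ip=203.0.113.7 user=carol result=failure
2024-05-01T10:00:04 ip=203.0.113.7 user=dave result=success
2024-05-01T10:00:05 ip=203.0.113.7 user=erin result=failure
2024-05-01T10:00:06 ip=203.0.113.7 user=frank result=failure
2024-05-01T10:02:00 ip=198.51.100.9 user=alice result=failure
2024-05-01T10:02:30 ip=198.51.100.9 user=alice result=success
2024-05-01T10:30:00 ip=203.0.113.7 user=grace result=failure
"""

WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5   # one client trying >= 5 different accounts ...
MIN_FAILURE_RATIO = 0.6  # ... with mostly failures looks like stuffing, not a typo

def parse_line(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["ip"], kv["user"], kv["result"]

def detect_credential_stuffing(log_text):
    """Return {ip: (distinct_users, failure_ratio)} for sources over both thresholds."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events_by_ip[ip].append((ts, user, result))
    suspicious = {}
    for ip, events in events_by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside WINDOW
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            ratio = sum(r == "failure" for _, _, r in window) / len(window)
            if len(users) >= MIN_DISTINCT_USERS and ratio >= MIN_FAILURE_RATIO:
                suspicious[ip] = (len(users), round(ratio, 2))
    return suspicious
```

The single user retrying from 198.51.100.9 is not flagged, while 203.0.113.7 is, because it hits six accounts in one window; the lone attempt at 10:30 falls outside every window and does not change the verdict.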
Phishing emails can create a convincing pretext for people to voluntarily give up their login credentials for various accounts. Common approaches create a sense of urgency or importance to get the user to click on links to spoofed webpages that look exactly like the login page of genuine services. The target then unknowingly reveals their login credentials by submitting them in the login fields of spoofed URLs.
There are other ways to take control of user accounts that don’t rely on getting usernames and passwords. For example, vulnerable APIs can leak authentication tokens and enable account takeover without the threat actor knowing anything at all about a user’s password. Similar incidents can arise when web apps mistakenly leak session cookies.
Establishing control over a user’s account provides a launchpad for engaging in further malicious activity. Here are three common ways that threat actors abuse their access to accounts they’ve taken over.
Fraud is a very common motive for taking control of accounts. When targeted at users of customer-facing services, such as e-commerce stores, ATO makes fraudulent transactions easy. Threat actors can use their control of accounts to order goods, spend loyalty points, or even send money to themselves.
When targeted at users of business applications, ATO can facilitate fraud in a different way. Business email compromise (BEC) is a type of attack that sometimes deploys ATO methods. Threat actors seize control of email accounts belonging to trusted suppliers or internal employees. Fraudulent activities include requesting payments for fake invoices or asking payroll to change the employee’s bank details to a bank account under the malicious actor's control.
Depending on the account that’s taken over, ATO attacks have the potential to result in the exfiltration of sensitive company data. Consider the fact that employee email inboxes often include sensitive reports, discussions, and spreadsheets. Some cloud user accounts provide access to sensitive data assets.
Account takeover is a possible path to installing malware or ransomware within a corporate IT environment. For example, an attacker might upload malware with an enticing filename to a shared cloud storage account for curious employees to open and then infect their machine. Internal phishing emails piggybacking off the trust people have in their colleagues’ email accounts could also spread malicious files through a network.
By taking over social media accounts, outsiders can cause significant reputational damage to brands and individuals. These types of account takeovers aren't very common, but there have been instances of disgruntled customers and hacktivists wanting to inflict reputational harm, making account takeover protection essential.
Intuit specializes in a range of financial software often used by small to medium-sized businesses. In June 2021, hackers managed to access sensitive information belonging to users of Intuit's TurboTax software, which is widely used to prepare income tax returns.
Information stolen during the attacks on TurboTax included names, Social Security numbers, addresses, and financial information. Accounts that were taken over in this incident were identified as reusing credentials from a source outside of Intuit. This was a prime example of how stolen credentials along with password reuse create a perfect storm for account takeover attacks.
With many companies today being software-led, in-house code built by developers is a widespread source of intellectual property. It’s for this reason that a June 2022 flaw in the Community and Enterprise versions of web-based code repository GitLab is worth mentioning.
The vulnerability created an opening for potential account takeovers in certain configurations of single-sign-on. While it’s unclear if any companies became victims of this flaw, the incident demonstrates the breadth of different accounts susceptible to takeover and the diversity of consequences from ATO.
In July 2022, Disneyland suffered something of a PR nightmare when its Instagram accounts were taken over by an outsider who posted offensive content to millions of followers. These types of incidents highlight the importance of using two-factor or multi-factor authentication (MFA) on social media platforms.