Has Your Account Been Taken Over?
How it works
An account takeover attack is, as the name suggests, when a threat actor uses stolen credentials to gain access to an account. There is no limit on what the threat actor can do once they have that access. Possible outcomes include access to corporate data, theft, ransomware, misuse of loyalty points, and the purchase of merchandise using stored credit cards.
These attacks usually begin with a phishing email that asks the victim to log in to their account. After the victim enters their credentials, they are assured that their account is safe, and the hacker now has all the information necessary to access it.
Once they have confirmed that the username/password pair is valid, the hacker will try the same credentials on other sites. The chances of a hacker accessing additional accounts are high, considering that 72% of users reuse the same password on multiple accounts.
Hackers even use stolen username lists to help them. They use a technique known as password spraying to try different passwords for all usernames until they find one that works. An automated bot allows attackers to quickly cycle through thousands upon thousands of usernames. Bots can discover username/password combinations and apply them to high-value websites across the internet.
It is not easy for system administrators to recognize that a user account has been stolen, because the threat actor accesses the site with the legitimate, registered username and password. There are, however, signs that an ATO has occurred. Continue reading.
Multiple accounts, the same information
Threat actors can take control of an account by changing details to make sure that the original owner does not take it back or block them. This involves changing the account’s email address and phone number.
Threat actors face the same problem as users. They don’t have multiple email addresses or phone numbers, so it would be hard to manage different credentials for every account they take control of. They use the same email address and phone number on all accounts they have taken control of.
System administrators should be alerted if multiple accounts have changed their phone number or email address to the same value. This is an indication that an ATO has occurred.
Account Behavioral Changes
Check customer activity to see if there have been any changes in their account behavior. It is worth investigating increased transactions or larger transactions than usual. Transactions that originate from a different location, IP address or device are also worth looking into.
If customer accounts show irregularities, you should review the information. Look out for any changes in shipping addresses or other details that were recently altered. It could be an ATO indicator if the data has been changed.
Profiles of Behavioral Characteristics
Threat actors follow a consistent behavior pattern when they take control of an account. They start by changing important account details such as the email address and home address. Within 24 hours of making these changes they log in to the account from a new device. They then place an order to the new address or transfer funds into their own account.
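The two indicators described above (several accounts changing their contact details to the same value, and the change-details / new-device-login / cash-out sequence inside 24 hours) as an added detection example over a constructed audit log. This is illustrative code written for this article, not Perception Point's product logic; the event format, field names and sample accounts are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data): timestamp, account, event type
# and the fields relevant to that type. Timestamps are ISO strings so they sort in order.
EVENTS = [
    {"ts": "2024-03-01T07:00", "acct": "u1003", "type": "login", "device": "dev-c3"},
    {"ts": "2024-03-01T08:00", "acct": "u1001", "type": "login", "device": "dev-a1"},
    {"ts": "2024-03-01T09:00", "acct": "u1001", "type": "contact_change", "email": "drop42@example.net", "phone": "+15550000042"},
    {"ts": "2024-03-01T09:15", "acct": "u1002", "type": "contact_change", "email": "drop42@example.net", "phone": "+15550000042"},
    {"ts": "2024-03-01T10:30", "acct": "u1001", "type": "login", "device": "dev-z9"},
    {"ts": "2024-03-01T11:00", "acct": "u1001", "type": "order", "ship_to": "new address"},
    {"ts": "2024-03-01T12:00", "acct": "u1003", "type": "contact_change", "email": "carol@example.org", "phone": "+15550000003"},
    {"ts": "2024-03-01T13:00", "acct": "u1003", "type": "login", "device": "dev-c3"},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def shared_contact_changes(events):
    """Indicator 1: more than one account changed its email or phone to the same value."""
    owners = defaultdict(set)
    for e in events:
        if e["type"] == "contact_change":
            for field in ("email", "phone"):
                owners[(field, e[field])].add(e["acct"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}

def takeover_sequences(events, window=timedelta(hours=24)):
    """Indicator 2: contact change -> login from a device never seen on that account
    within the window -> order or transfer. Returns {account: furthest stage reached}."""
    seen = defaultdict(set)   # devices each account has used so far (chronological)
    changed_at = {}           # account -> time of its most recent contact change
    stage = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        acct, t = e["acct"], parse(e["ts"])
        if e["type"] == "contact_change":
            changed_at[acct] = t
            stage[acct] = "details_changed"
        elif e["type"] == "login":
            new_dev = e["device"] not in seen[acct]
            seen[acct].add(e["device"])
            if new_dev and acct in changed_at and t - changed_at[acct] <= window:
                stage[acct] = "new_device_login"
        elif e["type"] in ("order", "transfer") and stage.get(acct) == "new_device_login":
            stage[acct] = "cash_out"
    # A bare contact change is not yet a sequence; only escalated accounts are reported.
    return {a: s for a, s in stage.items() if s != "details_changed"}
```

u1002 is not reported by the sequence rule but is caught by the shared-contact rule, which is why the two indicators are meant to be combined.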
Backend Monitoring
Multiple data points within the network’s backend can indicate ATO activity. Each point may look legitimate on its own; combined with other indicators, it points to an ATO attack.
Hackers use bots to quickly pair hundreds of usernames with passwords in order to get through. This activity is recorded in website analytics, so watch for spikes in failed login attempts. Such a spike is an indication of an ATO attempt.
After hackers successfully take over an account, the country of the IP address they log in from becomes associated with the account. Accounts with an unusually large number of IP address countries may therefore indicate ATO.
Another indicator of ATO is the device. When legitimate users access their accounts, the system can identify their device. Device spoofing is a technique threat actors use to hide their device data, which causes the device to appear as “unknown” on the backend. An account being accessed from unknown devices is an indication that it has been hacked.
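The three backend signals above (failed-login spikes, IP-country fan-out per account, and successful logins from an "unknown" device) as an added example run over a constructed login log. This is illustrative code written for this article, not the vendor's product logic; the log line format and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed sample backend login log (not real data). The generated burst of failures
# at 10:01 simulates a bot pairing many usernames with passwords.
LOG_LINES = [
    "2024-03-01T09:58:10 login=ok   user=u1001 country=US device=dev-a1",
    "2024-03-01T09:59:40 login=fail user=u1002 country=US device=dev-b2",
    "2024-03-01T10:00:05 login=ok   user=u1002 country=US device=dev-b2",
    "2024-03-01T10:02:30 login=ok   user=u1001 country=DE device=unknown",
    "2024-03-01T10:03:15 login=ok   user=u1001 country=BR device=unknown",
    "2024-03-01T10:04:00 login=ok   user=u1001 country=NG device=dev-q7",
    "2024-03-01T10:05:20 login=ok   user=u1003 country=US device=dev-c3",
] + [f"2024-03-01T10:01:{s:02d} login=fail user=u{4000 + s} country=NL device=unknown"
     for s in range(0, 12, 2)]

LINE_RE = re.compile(r"(?P<ts>\S+) login=(?P<result>\w+)\s+user=(?P<user>\S+) "
                     r"country=(?P<country>\S+) device=(?P<device>\S+)")

def parse(lines):
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def failed_login_spikes(lines, factor=4, floor=3):
    """Minutes whose failed-login count exceeds both a floor and factor x the median
    per-minute failure count over every minute that appears in the log."""
    events = parse(lines)
    minutes = {e["ts"][:16] for e in events}
    fails = Counter(e["ts"][:16] for e in events if e["result"] == "fail")
    base = median(fails[m] for m in minutes) if minutes else 0
    return {m: fails[m] for m in sorted(minutes) if fails[m] > max(floor, factor * base)}

def ip_country_fanout(lines, max_countries=2):
    """Accounts whose successful logins span more IP countries than expected."""
    countries = defaultdict(set)
    for e in parse(lines):
        if e["result"] == "ok":
            countries[e["user"]].add(e["country"])
    return {u: sorted(c) for u, c in countries.items() if len(c) > max_countries}

def unknown_device_logins(lines):
    """Successful logins whose device came back 'unknown' (possible device spoofing)."""
    return [(e["ts"], e["user"]) for e in parse(lines)
            if e["result"] == "ok" and e["device"] == "unknown"]
```

Note that u1001 trips two signals at once (four countries in minutes, two unknown-device logins), which is the combination the section says to act on rather than any single data point.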
Organizational Risk
The damage that can result from compromised credentials and the taking over of employee accounts can be very severe. Threat actors can gain access to internal systems by using employee login credentials.
An attacker could gain access to financial accounts within the company and be able to transfer funds to their own accounts. An attacker may also have access to sensitive data. The potential damage goes beyond theft.
Cybercriminals with access to internal systems can install malware, encrypt data or conduct ransomware attacks. These attacks can be devastating, and ransom payments that are too high can cause financial ruin or even the closure of a company.
Preventing ATO Losses
Perception Point suggests a multi-tiered approach in order to reduce the risk of ATO attacks.
- Teach consumers how to recognize phishing attempts
- Teach customer service what red flags to watch out for when engaging in customer relations
- Install a security system that can identify ATO indicators