Account Takeover: 5 Types of Attacks & 4 Protective Measures
What is Account Takeover Fraud (ATO)?
Account takeover (ATO) is a type of digital identity fraud or theft that allows a malicious actor to gain unauthorized access to the account information of an online user. A successful ATO attack enables the actor to perform malicious activities such as changing the account’s details, installing malicious software (malware), or accessing and stealing financial data like credit card numbers.
This is part of a series of articles about cyber threats.
How Account Takeover Works: 4 Types of ATO
A malicious actor can use various techniques to gain unauthorized access to user accounts, including:
1. Password Spraying
When malicious actors obtain a list of usernames without the passwords for the targeted website, they typically use password spraying. It involves trying a common default password, like “Password1,” against a big pool of usernames. The malicious actor uses bots to systematically and automatically check the password against many usernames until they find a combination that works.
2. Credential Stuffing
When malicious actors have a valid password and username combination for a targeted website, they typically try to scale their attack to take over this user’s accounts on other sites. It involves using automated bots to quickly check the credentials across various sites, like banking, eCommerce, and travel websites. The assumption is that the user reused the same credentials for multiple sites.
Alternatively, the actor might launch a brute force attack that utilizes bots to make multiple login attempts, each with a different password. Brute force attacks are highly successful because many people use simple, easy-to-guess passwords.
Malicious actors can take control of an account by installing malware on a computer or mobile device. It typically involves tricking users into downloading applications from legitimate-looking malicious sources or opening an attachment containing a malicious payload. Malicious actors typically use social engineering techniques like phishing to send malware to users and trick them into performing these actions.
A phishing attack is a communication form that impersonates well-known and trusted brands or individuals. A phishing communication typically arrives as an email, text (SMS), or social media message directed at an unsuspecting user. The goal is to trick users into clicking links that redirect them to malicious websites or opening attachments that install malware.
Phishing communications were easy to spot in the past due to their misspelled words and poor design. However, phishing attacks are becoming increasingly sophisticated, closely imitating legitimate sources using marketing techniques and the visual language of brands.
Learn more in our detailed guide to phishing attacks
5. Man-in-the-Middle (MitM) Attacks
Malicious actors use MitM attacks to position themselves between known organizations, like financial institutions, and their users to covertly intercept, modify, send, and receive communications.
How to Detect Account Takeover
It can be difficult to detect account takeover attacks, especially if the actor has compromised user credentials in a security blind spot. For example, organizations cannot know that a reused password got exposed due to a breach of a different account. However, organizations can look for indicators of compromise.
Here are common account takeover indicators:
Failed logins — An account takeover attack trying to stuff or guess credentials on online sites typically generate many failed detections. Organizations can look for these failed login attempts to detect account takeover threats.
User analytics — Most users work in patterns. For example, they may log in at certain times of the day from specific locations. Organizations can look for access attempts that break normal behavior patterns to locate a compromised account.
Insecure configurations — Most actors disable security controls and attempt to set up unusual configurations like mail forwarding and filtering. These changes can indicate that actors compromised a user account.
Malicious activities — Actors often use a compromised account to send phishing emails or exfiltrate sensitive information from systems and networks. Organizations must monitor for accounts performing these malicious behaviors to identify compromised accounts quickly.
Account Takeover Protection: 4 Defensive Measures
1. Multi-Factor Authentication
Multi-factor authentication (MFA) technology requires users to authenticate through another method besides their password and username. This technology can help protect against account takeover attacks, ensuring that even if actors discover a set of usernames and passwords, they need to use another factor to log in.
Here are common factors:
Something the user knows, such as security questions.
Something the user has, such as a token or a physical object the system can recognize.
Some part of the user, such as a fingerprint, iris scan, or face ID.
Organizations can use single sign-on (SSO) technology to allow users to authenticate once for all applications and systems they need for their job, facilitating a positive user experience while maintaining strong security.
2. Tracking System
Once an account is compromised, organizations must have a measure to block further attacks. It involves using a sandbox to isolate a suspicious account, track the activities performed with this account, determine whether it is truly a malicious actor, and block the attack.
3. Web Application Firewall
To identify and stop account takeover attacks, organizations can configure a web application firewall (WAF). It can use target policies to identify signs of ATO, such as brute force attacks and bad bot activities.
4. AI-based Detection
ATO protection and detection technology powered by artificial intelligence (AI) can help find sophisticated ATO attempts and bot attacks. ATO attacks often use fourth-generation bots that mimic user behaviors, making them harder to isolate. AI-based detection technology can identify these ATO attempts and monitor websites for suspicious behavior.
BlueVoyant monitors threat actor activity to find exposed credentials in real time and take action to prevent them from being used in account takeover attacks for your organization.