How account takeovers work
Account takeover – the criminal use of compromised online accounts – has the potential to be immensely profitable. Hackers steal credentials from individuals (see phishing) or target an entire organization using bots. They then use these stolen credentials to take ownership of the compromised accounts or sell credentials lists to other cybercriminals.
Whoever uses the list can then impersonate users to steal funds or data, install malware or ransomware, or simply cause havoc through malicious acts. This can often happen within hours of the data breach taking place.
In May 2022, the FBI issued an alert that it had “observed incidents of stolen higher education credential information posted on publicly accessible online forums or listed for sale on criminal marketplaces”.
Originally, botnets were used to deliver massive volumes of spam, and were responsible for 90% of the malware spread by email worldwide. Most of the biggest spam-sending botnets have been taken down, Necurs being the last, defeated by Microsoft in 2020.
Since then, botnets have evolved, and are now being used to replay stolen credentials against login systems to gain control of legitimate accounts, leading to a rapid escalation in the number and value of ATO attacks taking place each year.
Every organization is at risk
As well as opening the door to fraudulent financial transactions, account takeover can enable cybercriminals to conduct more phishing attacks on more target individuals, departments, and organizations – not just ecommerce and financial businesses, but also healthcare, government agencies, and academic institutions.
Email can be particularly vulnerable to ATO
Impostors know that sending a fraudulent email from a legitimate email account means that traditional anti-phishing software is unlikely to flag their activity as suspicious, and recipients are more likely to trust the sender and to do what they ask.
Once cybercriminals have gained access to an account, they can change anything related to its use, such as security questions, passwords, and encryption settings. This complete takeover makes it impossible for the real owner to gain access and can even cast suspicion on them or cause reputational damage.
Account takeover protection and prevention
The speed and evolution of today’s attacks present significant challenges for all organizations. Unfortunately, some of the most commonly used techniques aren’t enough to stop ATO, but there are some best practices that you should follow to help reduce risk.
- Adopt a strong password policy
  Many accounts are easy to crack because of old, weak, or repeated passwords. Use a password manager with strong passwords.
- Check for compromised credentials
  Regularly check the credentials of new users against a breached credentials database.
- Limit the number of login attempts
  Locking an account after a set number of login attempts, based on username, device, and IP address, can help prevent account takeover.
- Set multi-factor authentication
  Use a multi-factor authentication (MFA) method, such as tokens, biometrics, SMS access code or mobile app.
- Notify users of account changes
  Send your users a notification of any changes to their account, so they can quickly spot if their account has been compromised and altered by someone else.
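One way to implement the login-attempt limit above, as an added example that is not Libraesva's code: failures are counted separately per username, per device and per source IP, so a credential-stuffing run that spreads attempts across many usernames still trips the IP and device locks. The threshold, window and lockout values, the device_id and the verify callback are assumptions.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Count failed logins separately per username, device and source IP and
    lock each key after max_failures inside window_s (defaults are assumed)."""

    def __init__(self, max_failures=5, window_s=900, lockout_s=1800, clock=time.time):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self.clock = clock                    # injectable for deterministic tests
        self.failures = defaultdict(deque)    # key -> timestamps of recent failures
        self.locked_until = {}                # key -> time at which the lock expires

    @staticmethod
    def keys(username, device_id, ip):
        return (f"user:{username.lower()}", f"device:{device_id}", f"ip:{ip}")

    def locked_keys(self, username, device_id, ip):
        now = self.clock()
        return [k for k in self.keys(username, device_id, ip) if self.locked_until.get(k, 0) > now]

    def record_failure(self, username, device_id, ip):
        now = self.clock()
        for k in self.keys(username, device_id, ip):
            q = self.failures[k]
            q.append(now)
            while q[0] < now - self.window_s:   # drop failures older than the window
                q.popleft()
            if len(q) >= self.max_failures:
                self.locked_until[k] = now + self.lockout_s
                q.clear()

    def attempt(self, username, password, device_id, ip, verify):
        """verify(username, password) -> bool is the real credential check (assumed)."""
        if self.locked_keys(username, device_id, ip):
            return "locked"                   # reject before touching the password store
        if verify(username, password):
            self.failures.pop(f"user:{username.lower()}", None)   # reset only this user's counter
            return "ok"
        self.record_failure(username, device_id, ip)
        return "denied"

# Constructed demo: a credential-stuffing run cycling usernames from a single IP.
if __name__ == "__main__":
    t = LoginThrottle()
    verify = lambda u, p: (u, p) == ("alice", "correct-horse")
    for i in range(6):
        print(t.attempt(f"victim{i}", "Password1", "dev-x", "203.0.113.9", verify))
    # the first five attempts are "denied"; the sixth is "locked" because the IP key tripped
```

A successful login clears only the user's own counter, so an attacker's IP and device counters keep accumulating across victims.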
Introducing the Libraesva Adaptive Trust Engine
People’s level of trust tends to be based on experience, building over time as meaningful interactions take place. Using a similar experience-based approach, Libraesva’s Adaptive Trust Engine uses AI and machine learning to recognize the usual communication patterns of your email users and recipients. It dynamically tracks and monitors transactions to measure trust and behaviors, and uses history to understand what’s normal activity for each account.
The Adaptive Trust Engine is part of Libraesva’s Email Security Gateway solution. It swiftly spots deviations and anomalies to stop first-time senders from delivering malware to accounts within your organization. It also works on outgoing traffic, preventing impostors from sending out spam from a compromised mailbox. From a user perspective, it’s unobtrusive – running in the background and only sending alerts when needed.