Account Takeover

What is account takeover?

Account takeover (ATO) is a form of identity theft and fraud in which a malicious third party successfully gains access to a user’s account credentials.

By posing as the real user, cybercriminals can change account details, send out phishing emails, steal financial information or sensitive data, or use stolen information to access other accounts within the organization.

While the proliferation of digital communication has made all employees vulnerable to account takeover (a recent study by Javelin reported more than $13 billion in losses associated with ATO in 2023 alone), the departments most at risk are IT, human resources, and higher-level management. These teams have direct access to sensitive data, financial information, and security infrastructure.

Account takeover attacks don’t discriminate by company size, industry, or location. Traditionally, attackers have primarily targeted larger organizations, but the increasing ubiquity of digital information and the ease with which attack tooling is distributed mean the classic small-company “safety net” is no longer a reality. In fact, because smaller companies are sometimes less vigilant about unusual activity at login, account creation, or password reset, they can be more attractive targets than bigger corporations. This means every organization needs to be proactive in preventing serious account takeover issues.

Key points

  • Account takeover (ATO) is a form of identity theft where cybercriminals gain unauthorized access to user accounts, leading to potential financial fraud, data theft, and further security breaches.
  • ATO attacks can target any organization but pose significant risks to IT, HR, and management departments, making robust security measures like two-factor authentication and employee education essential.
  • Preventing ATO involves using advanced security tools, such as AI detection and web application firewalls, along with strong password policies and regularly monitoring for suspicious activities.

How does account takeover happen?

The growth of digital communication and data storage means cybercriminals have more entry points when attempting to access users' personal information. And because people are not always diligent about choosing robust passwords, cybercriminals don’t need highly sensitive information to gain access to an account. A 2023 analysis by NordPass revealed that the top five passwords in use were some combination of sequential numbers (e.g., “123456”) or simply “admin.”

Attackers will seek out the simplest entry point and build the account takeover from there. It can start with any piece of personal data used when logging in, such as an email address, full name, date of birth, or city of residence, all of which can be found with minimal research.

Once a hacker takes over a user's main communication channel, they can change everything the account gives them access to, such as security questions, passwords, encryption settings, and usernames. This complete lockout can even make the actual user look suspicious when attempting to resolve the problem since they no longer know the updated information associated with the account.

Malware

Hackers use malware for account takeover by deploying various types of malicious software that infiltrate a user's device or network. This malware can take the form of keyloggers that record keystrokes, spyware that monitors user activity, or more complex programs that intercept network traffic. Once installed, the malware collects sensitive information such as login credentials, either by directly capturing them as they're entered, stealing them from stored locations, or intercepting them during transmission.

Phishing

Phishing is one of the 13 popular email threat types: cybercriminals use phishing correspondence to trick users into revealing their personal information via email. While mass phishing emails can be automated and are easier to spot, spear phishing emails are highly targeted and more deceptive.

Credential stuffing

This technique exploits people’s habit of reusing passwords. Cybercriminals obtain credentials stolen or leaked from various businesses (or purchased from the dark web). They then test those credentials against multiple websites in hopes of finding instances where a victim uses the same login information across multiple accounts.

Cookies

Hackers use cookies for account takeover by exploiting session cookies, which are small pieces of data stored on a user's device to maintain their logged-in state on websites.

When a user logs into a site, the server generates a session cookie that is stored in the user's browser. Hackers can steal these cookies through various methods, such as cross-site scripting (XSS) attacks, in which malicious scripts injected into a web page capture cookies when users visit it. Another method is the man-in-the-middle (MitM) attack, in which hackers intercept cookies during transmission over unsecured networks.

Once the hacker obtains the session cookie, they can impersonate the user by injecting the stolen cookie into their browser, effectively gaining access to the user's account without knowing the actual login credentials. This allows them to perform actions as if they were the legitimate user, leading to potential data theft, financial fraud, and other malicious activities.
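
The two theft paths described above (script injection and interception in transit) are blunted by how the session cookie is issued. The following is an added example, not code from the original article: a small server-side session store that rotates the token at login, expires idle sessions, and emits a Set-Cookie header with the HttpOnly, Secure and SameSite attributes, plus an audit helper that reports which of those attributes a given header is missing. The SessionStore class, its method names and the 15-minute idle timeout are assumptions chosen for illustration.

```python
# Added example: hardening the session cookie that cookie-theft ATO relies on.
# Not from the original article; SessionStore and its names are illustrative.
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 15 * 60  # seconds of inactivity before a session is dropped (assumed)


class SessionStore:
    """In-memory server-side session store (stand-in for Redis or a database)."""

    def __init__(self):
        self._sessions = {}  # token -> {"user": str, "last_seen": float}

    def create(self, user):
        # 256-bit random token: unguessable, and the cookie value carries no user
        # data, so the server-side record is the only source of truth.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": time.time()}
        return token

    def rotate(self, old_token):
        """Issue a fresh token at login or privilege change. A cookie planted or
        stolen before this point stops working, which limits session fixation
        and shortens the useful life of a stolen cookie."""
        record = self._sessions.pop(old_token, None)
        if record is None:
            return None
        return self.create(record["user"])

    def revoke(self, token):
        """Logout, or freezing an account after suspicious activity."""
        return self._sessions.pop(token, None) is not None

    def revoke_all_for(self, user):
        """Kill every session for a user, e.g. after a password reset."""
        dead = [t for t, r in self._sessions.items() if r["user"] == user]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def user_for(self, token, now=None):
        """Resolve a presented token to a user, dropping idle sessions."""
        now = time.time() if now is None else now
        record = self._sessions.get(token)
        if record is None:
            return None
        if now - record["last_seen"] > SESSION_TTL:
            del self._sessions[token]
            return None
        record["last_seen"] = now
        return record["user"]


def set_cookie_header(token):
    """Build the Set-Cookie value: HttpOnly hides the cookie from injected
    scripts (XSS), Secure keeps it off plaintext HTTP (MitM), SameSite=Strict
    stops it riding along on cross-site requests."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = SESSION_TTL
    return cookie["session"].OutputString()


REQUIRED_ATTRS = ("httponly", "secure", "samesite")


def audit_set_cookie(header_value):
    """Return the protective attributes missing from a Set-Cookie value."""
    attrs = [part.strip().split("=")[0].lower() for part in header_value.split(";")[1:]]
    return [a for a in REQUIRED_ATTRS if a not in attrs]


if __name__ == "__main__":
    store = SessionStore()
    token = store.rotate(store.create("alice"))
    print(set_cookie_header(token))
    print("missing on weak cookie:", audit_set_cookie("session=abc; Path=/"))
```

The audit helper is the piece to run against your own application's responses: a cookie that comes back without HttpOnly or Secure is exactly the one that an injected script or an on-path observer can lift.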

Application vulnerabilities

Hackers exploit application vulnerabilities for account takeover by targeting weaknesses in web applications and their underlying systems. Common techniques include SQL injection to bypass authentication and access user data directly from databases, XSS to steal session tokens, and exploitation of broken authentication mechanisms to guess or brute-force passwords. They may also exploit insecure direct object references, security misconfigurations, insufficient input validation, and API vulnerabilities.

These methods allow attackers to bypass normal security measures, steal credentials, manipulate account data, or gain unauthorized access to user accounts. The ultimate goal is to take control of legitimate user accounts, which opens the door to data theft, financial fraud, and other malicious acts.

Botnets

Hackers deploy bots to hack into customers’ accounts. These bots can plug in commonly used passwords and usernames to perform high-volume, rapid attacks and take over the maximum number of accounts — all while staying hidden from immediate view. Because bots deploy from multiple locations, it’s harder to identify malicious IP addresses logging in.

Social engineering

In social engineering attacks, account takeover perpetrators research open databases and social media, looking for pertinent information like name, location, phone number, or names of family members — anything that will assist in guessing a password.

What types of organizations and data does account takeover target?

Most account takeover attacks seek access to sensitive data and financial information. Therefore, it is essential that departments such as IT, HR, and management remain aware of the risks associated with their responsibilities.

  • The IT department handles the technical infrastructure, including security and data management — a compromised IT account could lead to a compromised network or serious theft of data.
  • HR has access to sensitive employee information and is responsible for managing payroll and other financial data, which are highly valuable to cybercriminals.
  • Higher-level managers have access to and authority over major parts of an organization — access to their accounts could lead to financial fraud or theft of data.

Popular account takeover targets

Here's a more detailed look at the types of organizations at risk for account takeover:

Small and medium-sized businesses (SMBs)

SMBs can be prime targets for account takeover attacks due to their unique vulnerabilities. These organizations typically have fewer cybersecurity resources and may lack the technical expertise to implement robust security measures, with 51% of small businesses not implementing any cybersecurity measures at all.

They often use multiple online platforms for various business operations, creating a larger attack surface for cybercriminals.

Financial institutions

Banks, credit unions, and other financial institutions are desirable targets for account takeover attacks. They hold vast amounts of their customers' sensitive personal and financial data, making successful breaches extremely lucrative.

Smaller regional banks may be particularly vulnerable if they have outdated security measures. Moreover, the strict regulatory requirements they must adhere to can sometimes create compliance-related vulnerabilities that attackers can exploit since regulatory agencies may need access to data to assess management and protection practices.

E-commerce sites

E-commerce platforms are frequently targeted (accounting for 64% of cyberattacks) due to the valuable customer data they store, including names, addresses, and payment information. These sites process high volumes of transactions, providing attackers with a large pool of potential targets.

Many customers reuse passwords across multiple accounts, increasing the risk of widespread account takeovers if one site is breached. E-commerce sites are particularly vulnerable during peak shopping periods when high traffic volumes can mask malicious activities.

E-commerce businesses are also vulnerable to more traditional retail fraud methods, including unauthorized purchases and gift card fraud through compromised accounts. Customer accounts in this sector are often sold on the dark web, providing cybercriminals access to personal information and stored payment details.

Media and entertainment industry

Attackers often target the media and entertainment sector. For example, 1 in 10 people have had their streaming accounts hacked. Cybercriminals can sell stolen login information, allowing unauthorized access to these services. This not only results in financial losses for the companies but also degrades the user experience for legitimate customers.

Hospitality industry

Hotels, airlines, and other hospitality businesses are frequently targeted for their loyalty program accounts and reward balances. These accounts often contain valuable personal information that attackers can exploit for identity theft or fraud. Additionally, the transient nature of hospitality services can make it challenging to detect and respond to account takeovers quickly.

Sports industry

Sports organizations hold sensitive information such as athlete negotiations and medical records, making them attractive targets. Intellectual property and strategy documents in this industry can be extremely valuable, potentially influencing game outcomes or providing insider information for betting purposes.

Gaming industry

The gaming industry is targeted for in-game payment information and virtual assets, which can have real-world monetary value. Compromised gaming accounts are also often used for phishing scams targeting other players, exploiting the trust within gaming communities.

Technology companies

Tech companies are prime targets due to the valuable intellectual property and user data they hold. Access to their systems can lead to widespread security breaches, potentially affecting millions of users and causing significant reputational damage.

Health care organizations

Health care institutions store highly sensitive medical records and personal information, making them attractive targets for cybercriminals. The strict regulations governing this sector mean that breaches can result in severe financial penalties and loss of patient trust.

Educational institutions

Schools and universities often have large networks with diverse user bases, making them challenging to secure. They may hold valuable research data and student information that can be exploited for various malicious purposes.

Government agencies

Government organizations are targeted for sensitive information and potential espionage opportunities. Breaches in this sector can have significant national security implications and may be motivated by both financial and political factors.

Cryptocurrency exchanges

These platforms hold valuable digital assets that can be quickly and anonymously transferred if compromised. The potential for high financial gains makes them frequent targets of sophisticated cyberattacks.

Impacts of account takeover

Account takeover isn’t the end goal for a cybercriminal; the serious harm comes from what they do after gaining access. These impacts can affect both businesses and individuals:

  • Business
    • Credential sale: Some attackers steal the credentials of employees and sell them on the dark web.
    • Business email compromise: Sophisticated attackers will steal the credentials of key employees and use them to launch an attack from the real employee's email address to set up a fraudulent transaction or transfer of funds.
    • Reputation damage: Account takeover attacks can target multiple end users of an organization, causing long-term damage to the reputation of a business's security and data privacy.
    • Regulatory consequences: Depending on the industry and location, businesses may face fines or penalties for failing to protect customer data adequately.
    • Operational disruptions: Dealing with ATO attacks can disrupt normal business operations as resources are diverted to address the issue.
  • Individual
    • Further account takeover: Some attackers use compromised accounts to conduct reconnaissance and launch personalized attacks.
    • Phishing campaigns: Some attackers try to use hacked email accounts to launch phishing campaigns that will go undetected.
    • Financial losses: Victims of account takeover fraud may experience direct financial losses if attackers use their accounts to make unauthorized purchases or transfers.
    • Identity theft: Personal information obtained through fraud from account takeover attacks can be used for broader identity theft, possibly affecting multiple areas of a person’s life.
    • Emotional distress: Dealing with the aftermath of an ATO attack can be stressful and time-consuming for victims.

How to avoid account takeover

There are several security measures available when protecting against account takeover:

  • Security questions: Users must answer predetermined questions after successfully providing a password. While this is only a basic form of added security, it does improve the odds of stopping malicious login attempts.
  • Two-factor authentication (2FA): By requiring a second factor tied to something separate, such as a phone number or alternate email address, you can prevent unrecognized devices or IP addresses from accessing an account, even when they have the password.
  • IP block-listing: Many incoming login attempts from a single IP address are a strong sign that someone is brute-force guessing passwords or trying lists of stolen credentials. Maintaining a robust IP block list can mitigate these attacks.
  • Login attempt limits: Allowing only a finite number of login attempts on an account stops cybercriminals from spamming logins in the hope of hitting the right password. This is especially effective against bot spamming originating from different IP addresses.
  • Device tracking: Tracking and showing login locations can help catch suspicious activity. For example, a login that keeps occurring 200 miles away from the user can automatically signal to IT that they should freeze the account.
  • Employee education: Employees are often the last line of defense against account takeover, so properly educating them on the signs and symptoms of a compromised account is essential. Training tools that showcase account takeover interactions or phishing emails can help them protect their online identity and avoid social engineering tricks.
  • Sandboxing: If accounts have been compromised, it’s important that functionality exists to deter further compromise. By sandboxing a suspicious account, all activity can be tracked and stopped if it is, in fact, malicious.
  • WAF configuration: A robust web application firewall (WAF) can be configured to recognize and mitigate account takeover attempts through targeted policies that can identify stolen credentials, signs of brute-force hacking, or botnet probing.
  • AI detection: Traditional WAFs aren’t always capable of identifying more sophisticated account takeover attacks — static policies can be tricked into thinking malicious login attempts are actually legitimate. Recent developments in AI technology have been leveraged to identify complex account takeover attack techniques and can monitor website and web application traffic to detect suspicious activity.
  • Password strength: One of the lowest-barrier methods to protect against ATO is creating and implementing a strong password policy. Requiring employees to create strong passwords and routinely reset them keeps login information fresh and keeps cybercriminals guessing.
  • API and login protection: Hackers using credential stuffing may launch repeated login attempts with varying names and passwords, trying to guess their way into your accounts. Using a login and API security solution is a good way to identify and block these attacks.
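
Three of the controls in the list above (login attempt limits, IP block-listing and device or location tracking) come down to counting authentication events and alerting on patterns. The following is an added example, not part of the original article, that applies those rules to a short authentication log: per-account failure counts within a sliding window feed a lockout list, per-IP failure counts feed a block-list candidate list, a single source hitting many distinct usernames is flagged as credential stuffing, and a successful login from a country the user has never logged in from is flagged for review. The log format, the sample lines, the thresholds and the window length are all constructed assumptions to be tuned locally.

```python
# Added example (not from the article): turning the "login attempt limits",
# "IP block-listing" and "device tracking" controls into detection rules run
# over authentication events. Log format, sample data and thresholds are
# constructed assumptions.
from collections import defaultdict

# Constructed sample log, one event per line: "<epoch> <ip> <username> <result> <country>"
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice FAIL US
1700000005 203.0.113.7 bob FAIL US
1700000010 203.0.113.7 carol FAIL US
1700000015 203.0.113.7 dave FAIL US
1700000020 203.0.113.7 erin FAIL US
1700000025 203.0.113.7 frank OK US
1700000100 198.51.100.4 alice FAIL US
1700000101 198.51.100.4 alice FAIL US
1700000102 198.51.100.4 alice FAIL US
1700000103 198.51.100.4 alice FAIL US
1700000104 198.51.100.4 alice FAIL US
1700000105 198.51.100.4 alice FAIL US
1700000200 192.0.2.9 grace OK US
1700000300 192.0.2.9 grace OK US
1700000400 192.0.2.77 grace OK BR
"""

MAX_FAILS_PER_ACCOUNT = 5      # login attempt limit -> temporary lockout (assumed)
MAX_FAILS_PER_IP = 5           # IP block-list candidate (assumed)
MIN_DISTINCT_USERS_PER_IP = 5  # one source, many accounts -> credential stuffing (assumed)
WINDOW = 300                   # sliding window in seconds for failure counts (assumed)


def parse(log_text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, country = line.split()
        events.append({"ts": int(ts), "ip": ip, "user": user,
                       "ok": result == "OK", "country": country})
    return events


def analyze(events):
    """Return findings keyed by control; list values are sorted for stable output."""
    fails_by_user = defaultdict(list)     # user -> failure timestamps in window
    fails_by_ip = defaultdict(list)       # ip -> failure timestamps in window
    users_by_ip = defaultdict(set)        # ip -> distinct usernames attempted
    countries_by_user = defaultdict(list) # user -> countries of successful logins
    lockouts, blocklist, stuffing, travel = set(), set(), set(), []

    for e in sorted(events, key=lambda e: e["ts"]):
        # Credential stuffing heuristic: one IP cycling through many accounts,
        # regardless of whether individual attempts succeed.
        users_by_ip[e["ip"]].add(e["user"])
        if len(users_by_ip[e["ip"]]) >= MIN_DISTINCT_USERS_PER_IP:
            stuffing.add(e["ip"])

        if e["ok"]:
            # Location tracking: success from a country never seen for this user.
            seen = countries_by_user[e["user"]]
            if seen and e["country"] not in seen:
                travel.append((e["user"], e["ip"], e["country"]))
            seen.append(e["country"])
            continue

        # Sliding-window failure counts per account and per source IP.
        for bucket, key, limit, out in (
            (fails_by_user, e["user"], MAX_FAILS_PER_ACCOUNT, lockouts),
            (fails_by_ip, e["ip"], MAX_FAILS_PER_IP, blocklist),
        ):
            bucket[key] = [t for t in bucket[key] if e["ts"] - t <= WINDOW]
            bucket[key].append(e["ts"])
            if len(bucket[key]) >= limit:
                out.add(key)

    return {
        "lockouts": sorted(lockouts),
        "blocklist": sorted(blocklist),
        "stuffing": sorted(stuffing),
        "travel": travel,
    }


if __name__ == "__main__":
    for control, hits in analyze(parse(SAMPLE_LOG)).items():
        print(f"{control}: {hits}")
```

Note what the per-account rule catches that the per-IP rule does not, and vice versa: the burst against alice from 198.51.100.4 trips both, while the sweep from 203.0.113.7 never fails any single account more than once and is caught only by the per-IP and distinct-username rules, which is the point the text makes about bots spreading attempts across sources and accounts.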

How Barracuda can help you prevent account takeover

Barracuda Impersonation Protection is a powerful artificial intelligence engine that learns organizations’ unique communications patterns to identify and block real-time account takeover attacks. Its account takeover protection prevents and mitigates damage from account takeover by monitoring email traffic and quickly identifying compromised accounts.

Barracuda Security Awareness Training provides state-of-the-art training and simulation to measure your employees' vulnerability to phishing emails and social engineering attacks that could lead to account takeover. You can also explore deeper levels of protection with Barracuda Email Protection.

Identifying human risk factors can prepare your enterprise to detect and eliminate targeted attacks launched from compromised accounts. Contact us now if you have questions or want more information about account takeover protection.