What is an Account Takeover (ATO)?
From employee laptops to online banking, most organizations rely on accounts with a user-facing login. When bad actors take possession of such an account, this is known as ATO. A successful attack is usually achieved with compromised credentials, such as the usernames and passwords for these user accounts, which may have been purchased on the cyber underground or coaxed out of an unsuspecting employee in a phishing attack.
Once an attacker takes over, they can abuse whatever the account has access to. For example, an email account may be used to lend phishing campaigns a level of legitimacy, or an HR employee's login, which provides access to sensitive data, may trigger a serious data breach. Attackers are usually motivated by financial gain and aim to install ransomware or steal data, including further compromised credentials, for sale on the underground. It is vital to protect your organization against ATO.
How Does ATO Happen?
Phishing
By impersonating a legitimate source or using an emotional appeal, a threat actor can trick an employee into revealing their login details simply by asking. The threat may already be waiting in your inbox!
Brute Force Attacks
Threat actors use tools that automatically generate candidate passwords, which are then tried one after another against the user account until one works. Users' tendency to choose simple and recycled passwords makes this trial-and-error method surprisingly effective.
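The trial-and-error pattern described above leaves a distinctive trace in authentication logs, which is what a defender looks for. The following is an added example, not part of the original page or Intel 471's tooling: it parses a small set of constructed login events (the log format, the IP addresses and the usernames are all invented for illustration) and flags two patterns: a burst of failures against one account from one source, optionally followed by a success, and one source cycling through many different accounts, which is the credential-stuffing variant that compromised-credential lists enable. The thresholds and window sizes are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data). Format per line:
# <ISO 8601 timestamp> <FAIL|OK> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-05-01T09:00:01Z FAIL user=alice src=203.0.113.5
2024-05-01T09:00:04Z FAIL user=alice src=203.0.113.5
2024-05-01T09:00:07Z FAIL user=alice src=203.0.113.5
2024-05-01T09:00:10Z FAIL user=alice src=203.0.113.5
2024-05-01T09:00:13Z FAIL user=alice src=203.0.113.5
2024-05-01T09:00:16Z OK   user=alice src=203.0.113.5
2024-05-01T09:01:00Z FAIL user=bob   src=192.0.2.10
2024-05-01T09:01:20Z OK   user=bob   src=192.0.2.10
2024-05-01T09:02:00Z FAIL user=carol src=198.51.100.7
2024-05-01T09:02:02Z FAIL user=dave  src=198.51.100.7
2024-05-01T09:02:04Z FAIL user=erin  src=198.51.100.7
2024-05-01T09:02:06Z OK   user=frank src=198.51.100.7
2024-05-01T09:02:08Z FAIL user=grace src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")


def parse_events(text):
    """Turn log lines into dicts sorted by time; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "ok": m.group(2) == "OK",
                       "user": m.group(3), "src": m.group(4)})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, fail_threshold=5, fail_window=timedelta(seconds=60),
           spray_threshold=4, spray_window=timedelta(minutes=5)):
    """Return a list of findings as tuples; thresholds are assumed defaults, not standards."""
    findings = []

    # Rule 1: brute force. Count failures per (source, account) inside a sliding window.
    # Report the pair once when the threshold is reached, and escalate if a success
    # arrives while the failure burst is still inside the window.
    fails = defaultdict(list)
    reported = set()
    for e in events:
        key = (e["src"], e["user"])
        if not e["ok"]:
            fails[key].append(e["ts"])
        recent = [t for t in fails[key] if e["ts"] - t <= fail_window]
        if not e["ok"] and len(recent) >= fail_threshold and key not in reported:
            findings.append(("brute_force", e["src"], e["user"]))
            reported.add(key)
        elif e["ok"] and len(recent) >= fail_threshold:
            findings.append(("success_after_brute_force", e["src"], e["user"]))

    # Rule 2: credential stuffing. One source trying many distinct accounts in a short
    # window; any account that succeeded from that source is listed for follow-up.
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= spray_window}
            if len(users) >= spray_threshold:
                succeeded = sorted(x["user"] for x in evs if x["ok"])
                findings.append(("credential_stuffing", src, len(users), succeeded))
                break
    return findings


def analyse(text=SAMPLE_LOG):
    return detect(parse_events(text))


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

On the constructed sample this reports the burst against alice, the success that follows it, and the source that touched five accounts and got into frank's. Counting by (source, account) rather than by source alone keeps a user who mistypes a password once, like bob here, below the threshold.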
Data Breach
Data breaches are often the result of leaked credentials. When leaked credentials are combined with poor password hygiene, attackers can gain access to multiple accounts. A single entry on a compromised credentials list sold in marketplaces across the underground can mean an account takeover and the potential for multiple cyber attacks, significant loss of sensitive data, and reputational damage.
Application Vulnerabilities
An increasing number of applications are being connected via your organization’s network. Unknown application vulnerabilities or those that have not yet been patched are an open door for cyber attackers to execute an ATO against your organization.
What Can You Do?
Enforcing a password policy or using a password manager that generates unique and complex passwords for each account will reduce the risk of compromised credentials.
By training staff to recognise phishing scams and other social engineering attacks, it will be far harder for threat actors to deceive employees.
Add extra steps to your login process to limit the usefulness of compromised credentials and, by extension, their value on the cyber underground. By requiring users to enter a dynamic second factor, such as a code generated by an authentication app, you defeat attacks that rely on stolen passwords alone.
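To make the three measures above concrete, here is an added example (not code from the original page or from Intel 471) of a login check in which a stolen password on its own is not enough. It stores passwords as salted PBKDF2 hashes, and then requires a time-based one-time code of the kind an authenticator app produces, implemented directly from the RFC 4226/6238 HMAC construction; the `UserStore`, `login` and `enrol` names, the 30-second step, the one-step clock tolerance and the replay check are all assumptions of this example rather than anything the page specifies.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1, dynamic truncation, decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: a leaked user table does not hand out reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class UserStore:
    """Minimal in-memory user table; assumed for the example only."""

    def __init__(self):
        self.users = {}

    def enrol(self, username: str, password: str, totp_secret: bytes):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw": hash_password(password, salt),
            "totp_secret": totp_secret,
            "last_counter": -1,  # highest TOTP step already accepted (replay protection)
        }


def login(store: UserStore, username: str, password: str, code, now=None,
          step: int = 30, window: int = 1) -> str:
    """Returns 'invalid_credentials', 'second_factor_required', 'second_factor_invalid' or 'ok'."""
    now = int(time.time()) if now is None else int(now)
    user = store.users.get(username)
    if user is None:
        # Do the same amount of work for unknown users so response time does not
        # reveal which usernames exist (dummy salt is an assumption of this example).
        hash_password(password, b"\x00" * 16)
        return "invalid_credentials"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw"]):
        return "invalid_credentials"
    # Password is correct; a stolen password alone stops here.
    if code is None:
        return "second_factor_required"
    counter = now // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        # Reject steps already used: a code captured once cannot be replayed.
        if candidate <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], candidate), code):
            user["last_counter"] = candidate
            return "ok"
    return "second_factor_invalid"


if __name__ == "__main__":
    shared_secret = secrets.token_bytes(20)
    store = UserStore()
    store.enrol("alice", "correct horse battery staple", shared_secret)
    now = int(time.time())
    print(login(store, "alice", "correct horse battery staple", None, now))
    print(login(store, "alice", "correct horse battery staple", totp(shared_secret, now), now))
```

The `hotp`/`totp` functions reproduce the RFC 6238 reference vectors for the ASCII secret `12345678901234567890` (for example `287082` at time 59), so they interoperate with standard authenticator apps. Accepting one step either side of the current time tolerates clock drift, and tracking the last accepted step means an attacker who captures a code in transit cannot reuse it within that tolerance.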
How Can Intel 471 Help?
We continuously monitor for relevant compromised credentials and alert your organization as soon as they hit the marketplace. The sooner you know about an issue, the sooner you can act to prevent an ATO attack. Our TITAN platform also allows you to differentiate between new compromised credentials versus older releases that have been repackaged in an attempt to sell. This enables you to escalate your incident response to the appropriate level.
Use our coverage of the underground to set watchers to monitor for credentials specific to your organization including employees, VIPs, and customers so you can take action to mitigate against ATO and its associated risks.
Intel 471 can locate compromised credentials from sources unique to our research capability, including threat actor, machine and malware sources. This comprehensive oversight allows us to alert you as soon as credentials relevant to you are identified, so you can respond as quickly as possible.
Use Intel 471's Attack Surface Protection to map all your internet-facing assets. By discovering all your assets, you can easily identify unpatched applications to address, preventing attackers from using this entry point to commit an ATO.
Intel 471 is your window to the cyber underground. Our cyber threat intelligence (CTI) augments automated collection with a 'boots on the ground' intelligence team, giving us a unique vantage point on the inner workings of threat actors and their TTPs. This allows us to support your organization against ATO attacks in the following ways: