Advanced phishing

How account takeover (ATO) attacks happen

by Egress
Published on 22nd Dec 2021

Anyone using the internet or email is a potential target for an account takeover. Even routine activity, such as emailing colleagues or sharing company news on social media, gives an attacker the information needed to pick a target and craft a convincing lure. 

An account takeover (ATO) occurs when an unauthorized party gains control of someone else's account. This article focuses on email accounts, which are especially valuable to attackers because access to a mailbox usually unlocks password resets for every other service registered to that address. Threat actors have already successfully targeted millions of internet users with account takeover attacks to date. 

How do account takeovers take place?

The pattern behind account takeovers is remarkably consistent. They typically unfold in the following four steps: 

Step one: Research of potential targets

In the case of targeted attacks, threat actors usually identify potential targets via social media and corporate websites, which reveal names, job titles, reporting lines and the organization's email address format. 

Step two: Theft of a user's login credentials

After identifying a target, threat actors use a range of methods to steal login credentials. They can use spear phishing to trick victims into entering their email credentials on a fake login page, deploy malware containing keyloggers to capture usernames and passwords, or simply try passwords the victim reused elsewhere that have already leaked in another breach (credential stuffing). 

Step three: Account compromise

At this stage, the attacker simply needs to log in with the stolen credentials. Once they are inside, they can do considerable damage because everything they send comes from a genuine account with a genuine sending history rather than a spoofed address. In some cases they will instead sell the credentials on criminal marketplaces for someone else to exploit. 

Step four: Commit further fraud

Once an email account is compromised, attackers can read sensitive information, reset passwords for other services tied to the address, sign up for additional services in the victim's name, and send further phishing emails to the victim's contacts, who have every reason to trust the sender. 

Why account takeover attacks are complex to catch

Without a dedicated solution, it can be challenging to catch an account takeover before it's too late. What makes these situations worse is that phishing sent from a legitimately compromised account is much harder to catch: traditional anti-phishing tools look for known-bad indicators such as malicious URLs, attachment signatures, or spoofed and look-alike sender domains. Mail from a genuinely compromised account passes SPF, DKIM and DMARC checks and carries none of those signals, so it is far more likely to go undetected. 

Still, there are a few markers that operators or well-tuned security solutions can use to identify these attacks in progress:

  1. A high volume of failed logins, against one account or from one source address, could signify an attacker trying to brute force or credential-stuff their way into an account.
  2. A spike in incident logs or customer support tickets to unlock accounts may signify that an organization is being targeted.
  3. User traffic patterns that don't match established behaviors or seasonality, such as logins from a new country or device, or activity at unusual hours, could mean one or more accounts have been breached. 
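The first and third markers above can be checked mechanically against authentication logs. The following is an added example written for this article, not code from Egress or from any product it mentions: it parses a small set of constructed log lines (an assumed format of timestamp, result, user, source IP and geolocation), flags a (user, IP) pair that accumulates five or more failed logins inside a five-minute window, flags a successful login immediately following such a burst, and flags any successful login from a country outside that user's assumed 90-day baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not real data). Assumed format:
# <ISO timestamp> <OK|FAIL> user=<account> ip=<address> geo=<country>
SAMPLE_LOG = """\
2021-12-20T08:01:10Z OK user=alice ip=203.0.113.5 geo=GB
2021-12-20T08:03:42Z OK user=bob ip=203.0.113.9 geo=GB
2021-12-20T09:15:00Z FAIL user=alice ip=198.51.100.7 geo=RU
2021-12-20T09:15:02Z FAIL user=alice ip=198.51.100.7 geo=RU
2021-12-20T09:15:04Z FAIL user=alice ip=198.51.100.7 geo=RU
2021-12-20T09:15:06Z FAIL user=alice ip=198.51.100.7 geo=RU
2021-12-20T09:15:08Z FAIL user=alice ip=198.51.100.7 geo=RU
2021-12-20T09:15:10Z FAIL user=alice ip=198.51.100.7 geo=RU
2021-12-20T09:15:12Z OK user=alice ip=198.51.100.7 geo=RU
2021-12-20T10:00:00Z OK user=carol ip=203.0.113.21 geo=GB
2021-12-20T10:05:00Z FAIL user=dave ip=203.0.113.30 geo=GB
2021-12-20T10:30:00Z OK user=dave ip=203.0.113.30 geo=GB
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+) geo=(?P<geo>\S+)$"
)

# Constructed per-user baseline: countries each user logged in from over the last 90 days.
BASELINE = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}, "dave": {"GB"}}


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Marker 1: at least `threshold` FAILs for one (user, ip) inside a sliding window."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            by_key[(ev["user"], ev["ip"])].append(ev["ts"])
    alerts = set()
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(key)
                break
    return alerts


def success_after_burst(events, bursts):
    """A successful login from a (user, ip) that just burst is the strongest ATO signal."""
    return {(ev["user"], ev["ip"]) for ev in events
            if ev["result"] == "OK" and (ev["user"], ev["ip"]) in bursts}


def new_geo_logins(events, baseline):
    """Marker 3: successful login from a country absent from the user's baseline."""
    return {(ev["user"], ev["geo"]) for ev in events
            if ev["result"] == "OK" and ev["geo"] not in baseline.get(ev["user"], set())}


def run_detection(text=SAMPLE_LOG, baseline=BASELINE):
    events = parse_log(text)
    bursts = failed_login_bursts(events)
    return {
        "bursts": bursts,
        "compromised": success_after_burst(events, bursts),
        "new_geo": new_geo_logins(events, baseline),
    }


if __name__ == "__main__":
    for name, hits in run_detection().items():
        print(f"{name}: {sorted(hits)}")
```

Note what the sample deliberately shows: dave's single failure followed by a success is normal user behaviour and produces no alert, while alice's burst followed by a success from the same never-before-seen country trips all three detectors at once. In production the baseline would come from historical login data rather than a hard-coded dictionary, and the window and threshold would be tuned against your own false-positive rate.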

Unfortunately, those markers mostly surface brute force and credential stuffing, whereas the most common route into an account is phishing and spear phishing, where the attacker's very first login succeeds with valid credentials and looks like the user. Once the attack progresses past that stage, it becomes far harder to contain the breach and mitigate the potential damage. 

How to stop account takeovers

Because most account takeovers begin with spear phishing, it's critical to stop attacks at that stage. Brute force and credential stuffing are also common enough that they must be covered too. Here are the best practices for preventing email account takeovers:

Strengthen password requirements

Organizations should enforce sensible password requirements, and individual users should use a unique password for every account. Uniqueness matters because credential stuffing relies on the same password being reused across services; length matters because it is what defeats brute force. Attackers also routinely research a target to guess their password, so avoid anything that can be linked to you via social media (names of family, pets, employers, birth years). Current guidance (NIST SP 800-63B) favours long passphrases and checking candidates against lists of known-breached passwords over rigid rules about mixing upper and lowercase letters, symbols and numbers, which mostly produce predictable substitutions like "P@ssw0rd". A password manager makes long, unique passwords practical. 
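A policy check along those lines, as an added example written for this article rather than code from Egress: it rejects short passwords, passwords that appear in a breached-password list after folding case and common leet substitutions, passwords containing the user's own name, email local part or other personal terms, and long repeated or sequential runs. The breached list here is a constructed stand-in; a real deployment would check against a full breach corpus such as a Have I Been Pwned download.

```python
import re

MIN_LENGTH = 12

# Constructed stand-in for a breached-password corpus (illustration only).
BREACHED = {"password", "123456789012", "qwertyuiop12", "letmein", "welcome1", "summer2021"}


def normalise(pw):
    """Lower-case and undo common leet substitutions so 'P@ssw0rd' folds to 'password'."""
    table = str.maketrans("@$0!31", "asoiel")
    return pw.lower().translate(table)


def has_sequence(s, n):
    """True if s contains n consecutive characters stepping by exactly +1 or -1 (abcd, 4321)."""
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw, username="", email="", extra_terms=()):
    """Return the list of reasons the password is rejected; an empty list means accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    folded = normalise(pw)
    if folded in BREACHED:
        reasons.append("appears in breached-password list")
    # Personal terms an attacker can harvest from social media or the email address itself.
    personal = [username, email.split("@")[0], *extra_terms]
    for term in personal:
        t = normalise(term)
        if len(t) >= 3 and t in folded:
            reasons.append(f"contains personal term '{term}'")
    if re.search(r"(.)\1{3,}", pw):
        reasons.append("contains a run of 4+ repeated characters")
    if has_sequence(folded, 4):
        reasons.append("contains a 4+ character sequential run")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "alice-bakerstreet-1999", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate, username="alice", email="alice@example.com"))
```

The function returns every reason rather than stopping at the first so the user can be told exactly what to fix; the leet folding is what stops the classic "add a symbol and a digit" workaround from satisfying the blocklist check.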

Use multi-factor authentication

Multi-factor authentication is the practice of requiring more than one kind of proof before granting access to an email account. The best approach combines something you know, like a password, with something you physically possess, like a hardware token or an authenticator app, or something you are, like a fingerprint or face. Multi-factor authentication makes it harder (but still possible) for cybercriminals to compromise accounts: one-time codes sent by SMS or generated by an app can be relayed through a phishing page in real time, so where you can, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, which are cryptographically bound to the real site's origin and cannot be replayed on a look-alike domain. 

Refresh credentials and tokens

A best practice in account security is to limit how long any stolen credential or token stays useful. Session cookies, access tokens and API keys should be short-lived so that a token an attacker captures stops working on its own, and there must be a way to revoke all of a user's outstanding sessions and tokens immediately when compromise is suspected or a password is reset. Forcing users to change passwords on a fixed schedule is less valuable than it once seemed: current NIST guidance (SP 800-63B) advises changing passwords when there is evidence of compromise rather than routinely, because scheduled expiry tends to produce predictable variations of the old password. Where certificate-based authentication is used, certificate revocation and short validity periods play the same role for that credential. 
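The token half of that advice, as an added example written for this article and not code from Egress: an HMAC-signed session token (assumed format: base64url claims, a dot, base64url signature; the signing key is a hypothetical in-process secret) with a 15-minute lifetime, a per-token id that can be revoked individually, and a per-user "not before" timestamp that invalidates every token issued before a password reset or suspected takeover.

```python
import base64
import hmac
import json
import secrets
import time
from hashlib import sha256

# Hypothetical server-side signing key; in practice this lives in a secrets manager and is rotated.
SERVER_KEY = secrets.token_bytes(32)


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _claims(token: str) -> dict:
    body, _sig = token.split(".")
    return json.loads(_unb64(body))


def issue_token(user: str, ttl_seconds: int = 900, now=None, key: bytes = SERVER_KEY) -> str:
    """Short-lived signed token. 'jti' is a random id so a single token can be revoked."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "iat": now, "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), sha256).digest())
    return f"{body}.{sig}"


class TokenStore:
    """Revocation state: individual token ids, plus a per-user cut-off that kills every
    token issued before the user's credentials were refreshed."""

    def __init__(self):
        self.revoked_jti = set()
        self.not_before = {}

    def revoke(self, token: str):
        self.revoked_jti.add(_claims(token)["jti"])

    def revoke_all_for(self, user: str, now=None):
        self.not_before[user] = int(time.time()) if now is None else now


def verify_token(token: str, store: TokenStore, now=None, key: bytes = SERVER_KEY):
    """Return the subject if the token is genuine, unexpired and unrevoked; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None                      # forged or tampered
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return None                      # expired: a captured token goes stale on its own
    if claims["jti"] in store.revoked_jti:
        return None                      # this specific token was revoked
    if claims["iat"] < store.not_before.get(claims["sub"], 0):
        return None                      # issued before the user's password reset / ATO response
    return claims["sub"]


if __name__ == "__main__":
    store = TokenStore()
    t = issue_token("alice", now=1_000_000)
    print("fresh:", verify_token(t, store, now=1_000_100))
    print("after 15 min:", verify_token(t, store, now=1_000_900))
    store.revoke_all_for("alice", now=1_000_300)
    print("after password reset:", verify_token(issue_token("alice", now=1_000_200), store, now=1_000_250))
```

The per-user cut-off is the operationally important piece: when an account takeover is confirmed, resetting the password is not enough if the attacker still holds a valid session, so the incident response step "reset credentials" must also bump that timestamp (or equivalently, invalidate all sessions).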

Implement an anti-phishing solution

Cyber-attacks continue to rise and become more sophisticated, and organizations must use equally sophisticated methods to thwart their efforts. Intelligent anti-phishing solutions go beyond traditional anti-phishing filter-based methods to protect against emerging threats and sophisticated phishing scams. AI and machine learning can detect threats based on message content and prevent attacks that would otherwise go unnoticed. 

Preventing account takeover means staying ahead of cybercriminals

Account takeover attacks target businesses and individuals with devastating financial and personal consequences. As these attacks continue growing more sophisticated, organizations and individuals must keep pace. While account takeovers can originate from various sources, the most typical is a targeted phishing attack, which makes protecting against phishing the foundation of protecting against the costly impacts of account takeovers. Combining the right technologies with sound cybersecurity practices goes a long way toward stopping these attacks in their tracks. 

Egress Defend uses machine learning and natural language processing to catch the most sophisticated spear phishing attacks. Learn more here or secure your free demo today


How does an account takeover happen?

Account takeovers typically begin with a targeted phishing attack that captures the user's credentials, or with brute force and credential stuffing against weak or reused passwords. 

What are account takeover attacks?

Account takeovers occur when an unauthorized user gains access to an account. 

How common is an account takeover? 

Account takeovers are among the most common attacks affecting internet users; threat actors have targeted millions of users with them to date.