Graylog GO logo

What is an account takeover?

Whether you’re a Halloween or comic con fan, dressing up as your favorite character is something you’ve probably done at least once in your life. As a kid, you were excited to put on that flimsy Batman mask and cape, thinking you looked just like the hero you saw on the movie screen. As an adult, getting or making the most move-accurate costume may allow other people to think that you are the actor in disguise.

 

An account takeover is the cybercriminal version of getting dressed up as a favorite hero. To best protect your organization from an account takeover attack, you should understand what it is, common attack vectors, and mitigation strategies.

What is account takeover (ATO)?

Account takeovers are cyber attacks where malicious actors exploit personal information to gain unauthorized access to online accounts. The attacks are a form of identity theft used to perpetrate fraud by obtaining user credentials through various techniques including:

  • Phishing emails
  • Social engineering
  • Malware

Once the fraudsters have access to the account, they can modify information in the settings, including:

  • Email addresses
  • Phone numbers
  • Shipping addresses
  • Passwords

What types of organizations are targets of ATO attacks?

Although any organization can be an ATO attack victim, malicious actors typically target the following sectors because they often have high value personally identifiable information (PII):

  • Financial institutions: Financial information, like payment card and account data, to make fraudulent transactions, empty bank accounts, and open lines of credit.
  • Healthcare: Protected health information (PHI), like social security number, health insurance information, and payment card data, to sell on the dark web, perpetrate insurance fraud, or extort organizations and patients
  • Public Sector: Personal information, like tax records, home address, payment information, and social security numbers, to perpetrate fraud or sensitive agency data as part of cyber espionage
  • Education: Student and employee data, like student records or payment card information, to perpetrate fraud or intellectual property and research data for corporate espionage
  • eCommerce: Payment card data, including name, card number, and expiration date, to make fraudulent purchases or engage in identity theft

 

What are some common account takeover attack methods?

Since ATOs focus on gaining unauthorized access to a legitimate account, the attack methods are similar to other credential based attack types:

  • Phishing: Sending fake emails to users with a call to action to trick them into downloading a malicious attachment or click a malicious link
  • Social engineering: Pretending to be a trusted individual, like someone from an organization’s IT department, to trick users into sharing credentials.
  • Credential stuffing: using a list of credentials, typically leaked from data breaches, and trying them against various websites and applications
  • Brute force: Targeting a user login ID and trying various passwords against it
  • Malware: Installing malicious, unauthorized software on user devices that can capture credentials as people type them
  • Web application vulnerabilities: Using application vulnerabilities to gain unauthorized access to cookies or information from a website, like with a cross-site scripting (XSS) or cross-site request forgery (CSRF) attack
  • APIs: Using credential-based attacks against logon APIs
  • Man-in-the-middle (MitM) attacks: Intercepting communications between a device and server to collect or manipulate unencrypted data-in-transit
  • Mobile banking trojans: Using malware specific to mobile devices that look like legitimate bank applications and trick people into entering credentials

 

Mitigating Account Takeover Risk

For businesses, an account takeover can lead to a data breach or compliance violation. Since the malicious actors gain unauthorized access with a legitimate account, they may move throughout the organization’s environment undetected. To mitigate account takeover risk, organizations can implement some best practices.

 

Strong Password Policy

In a brute force attack, malicious actors apply common passwords against the login ID, hoping that one will work. To mitigate these risks, you can implement and enforce a strong password policy that requires:

  • 16 or more characters, like 5-7 random words
  • Mix of letters, numbers, and special characters, like @ ! or &
  • Unique to the particular application or account

Additionally, providing employees with a password manager can help them create and remember strong passwords.

Multi-Factor Authentication (MFA)

A password is a type of authentication, information that a user provides to prove that they are who they say they are. MFA requires users to prove their identity with two or more of the following:

  • Something they know (password)
  • Something they have (token or smartphone)
  • Something they are (biometric like a fingerprint or face ID)

 

User and Entity Behavior Analytics (UEBA)

UEBA uses machine learning (ML) to create a baseline for how people use systems and then detects anomalies to identify potential incidents. With UEBA, an organization can identify a potential account takeover by looking at information like:

  • Logins from an unexpected geographic location
  • Abnormal source or destination IP address
  • Network traffic patterns indicating potential data exfiltration

 

Email Server Firewalls

An email server firewall monitors inbound and outbound traffic. With a critical email security control, you can configure the firewalls to mitigate phishing, spam, and malware risks. With an email firewall, you can:

  • Require connections use Transport Layer Security (TLS)
  • Set controls for SPF and DMARC checks on incoming messages
  • Scan and log inbound SMTP and SMTPS services and content.

 

API Security

API security enables you to mitigate risks arising from malicious actors targeting login APIs in account takeover attacks. Some best practices for API security include:

  • Discover all APIs, including internal, external third-party, managed, unmanaged, and shadow
  • Implement a Web Application Firewall (WAF)
  • Implement inside-the-perimeter API monitoring with runtime scanning, client-side request monitoring, and remediation suggestions
  • Integrate API monitoring into security alerts

 

Graylog Security and API Security: ATO Risk Mitigation Done Right

With Graylog Security, you can use prebuilt content to map security events to MITRE ATT&CK. By combining Sigma rules and MITRE ATT&CK, you can create high-fidelity alerting rules that enable robust threat detection, lightning-fast investigations, and streamlined threat hunting. For example, with Graylog’s security analytics, you can monitor user activity for anomalous behavior indicating a potential security incident.

 

Mapped to security and quality rules, Graylog API Security captures complete request and response detail, creating a readily accessible datastore for attack detection, fast triage, and threat intelligence. With visibility inside the perimeter, organizations can detect attack traffic from valid users before it reaches their applications. Graylog API Security captures details to immediately identify valid traffic from malicious actions, adding active API intelligence to your security stack. Think of it as a “security analyst in-a-box,” automating API security by detecting and alerting on zero-day attacks and threats. Our pre-configured signatures identify common threats and API failures and integrate with communication tools like Slack, Teams, Gchat, JIRA or via webhooks.

 

 

Categories

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.