Irma Šlekytė
What is an account takeover (ATO), and how does it happen?
An account takeover is just as bad as it sounds — it’s when a cybercriminal takes control of your account for malicious purposes. Since account takeover attacks have become a common cybersecurity threat, it’s best to know how these attacks work so you can protect your business.
What is an account takeover (ATO)?
An account takeover (ATO) is a type of fraud where an attacker steals a legitimate user’s login credentials to gain unauthorized access to their online account. Once inside, the criminal can exploit the information available for purposes such as impersonating the user, making purchases, accessing sensitive data, and moving laterally within the system.
The Sift Science Digital Trust and Safety Index for Q3 2023 reports that the year 2023 alone saw a 354% increase in account takeover attacks compared to the previous year. Sift also predicted losses related to ATO attacks reaching over $635 billion by the end of 2023.
In 2024, the rate of ATO attacks shows no signs of decreasing. Learning how account takeovers happen will help you understand why they are becoming so frequent.
How does an account takeover happen?
Account takeovers follow a series of steps that allow attackers to steal your login credentials, gain access to your account, and exploit it for their own benefit. The steps of an account takeover include:
- Credential acquisition. To access your account, attackers first need to steal your username and password. They may do so through a phishing email, through a data breach, or by purchasing stolen credentials on underground markets or the dark web.
- Credential testing. Once the criminals obtain your login information, they use automated tools to test these credentials on multiple sites in hope that you’ve reused the same password across different services.
- Gaining access. When attackers have already acquired your username and password, they may try to get around extra security like multi-factor authentication (MFA) if you’ve enabled it on your account. They may use social engineering tactics, like convincing you or the service provider to bypass MFA, or apply methods like SIM swapping, where they take control of your phone number to intercept MFA codes.
- Exploiting the account. After gaining access to your account, attackers can impersonate you, make fraudulent transactions, or steal sensitive information. If they access your email, they may use it to send phishing emails to your contacts. Or they may make purchases using your bank account if they can log in to it.
- Maintaining access and covering their tracks. Attackers may change your password, set up email forwarding, or even disable security alerts to keep control of your account without you noticing.
- Monetization or lateral movement. Finally, attackers either sell the account information on the dark web for profit or use it to access other related user accounts, for example, to move from your email to your bank account or social media accounts.
What methods do attackers use for account takeover?
To take over your account, cybercriminals first need access to your login credentials. They might purchase these on the dark web if the information was exposed in a previous data breach. Alternatively, they can use various methods, such as exploiting human error or deploying malware that infects your device to steal your credentials.
Let’s explore the main ATO methods so you can identify potential vulnerabilities and protect your accounts.
Phishing
Phishing is a type of fraud where cybercriminals send emails or messages that look like they’re from a legitimate service provider, but in reality they direct the person to a fake website where they enter their details. For instance, you might get an email supposedly from your bank, asking you to log in to verify suspicious activity, but the link leads to a fake website that steals your password.
The hard truth is that employees are typically the weakest link in any organization’s cybersecurity. That’s why phishing emails and other social engineering tactics are a primary way for attackers to get legitimate user credentials.
Credential stuffing
The credential stuffing technique exploits people’s habit of reusing passwords. Attackers use lists of stolen usernames and passwords from previous data breaches to try logging in to other accounts. For example, if you use the same password for your email and social media accounts, and criminals hack your email account, they can use the same login info to get into your social media account.
Malware
Malware is any malicious software that threat actors install on your device, for example to record your keystrokes (keyloggers) or steal stored passwords (infostealers). But how do they install it without your knowledge? Often, certain actions you unknowingly take help the criminals infect your system:
- You download a seemingly harmless file from a phishing email attachment.
- You visit an infected website and download what looks like a useful tool or update.
- You click an unreliable pop-up offering free software or security updates that are actually malware.
- You follow links shared through social media or messaging apps, directing you to malicious downloads.
Stolen session cookies
Session cookies are small bits of data stored on your computer that keep you logged in to websites without needing to re-enter your password. By stealing these cookies, attackers can engage in session hijacking and act as if they were you, gaining access to your account without logging in again. Stolen session cookies also help attackers bypass MFA because authentication has already been completed during the session.
Man-in-the-middle attacks
Man-in-the-middle attacks happen when cybercriminals intercept communication between you and a website, allowing them to capture your login information as it travels through various servers. If your internet traffic isn’t encrypted, they can view everything you do online, including your usernames and passwords. These man-in-the-middle attacks often occur over home routers or public Wi-Fi networks, where attackers can listen in and steal your unencrypted data.
Brute force attacks
Brute force attacks involve the use of automated tools to systematically guess your password by trying countless combinations of letters, numbers, and symbols. These tools can quickly test a large number of passwords, and applying current hacking technology, they can crack an 8-character password in an hour or less.
Social engineering
Social engineering attacks involve manipulating people into willingly handing over their login details. In these attacks, criminals pose as trusted entities or use psychological tricks. For example, an attacker may call you pretending to be from your company’s IT department and ask for your login information to “fix” an issue on your account.
SIM swapping
Threat actors mostly use SIM swapping to bypass MFA. The attacker calls your carrier, pretending to be you, and convinces a service representative to transfer your phone number to a new SIM card, allowing them to intercept security codes sent to your phone.
Additional tools
To make the methods above succeed, attackers also rely on additional tools and sources for getting their hands on user credentials.
Botnets
Botnets are networks of infected devices that cybercriminals use to perform large-scale attacks like credential stuffing. They control these devices remotely to try stolen credentials on multiple accounts at once. This way they can try logging in to thousands of accounts at the same time.
Application vulnerabilities
Attackers exploit flaws or weaknesses in software to gain unauthorized access to user accounts. For instance, an unpatched bug in an app might allow attackers to bypass security measures and take over legitimate user accounts.
Hardcoded passwords
Some apps or devices have built-in, hardcoded passwords that you can’t change, making them easy targets for attackers. Additionally, applications often store passwords in code or configuration files to access online accounts, and if these are exposed or leaked, attackers can use them to take control of systems.
Hardcoded passwords typically get exposed through insecure coding practices, accidental sharing, misconfigured servers, or leaks in publicly accessible repositories and files.
Compromised API keys
Applications use API (application programming interface) keys and authentication tokens to access accounts and services via an API, which allows different software to communicate with each other. For example, an app might use an API to retrieve data from a cloud service. Attackers may exploit API keys if they steal or discover them through accidental leaks to access sensitive data or an organization’s account.
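Hardcoded passwords and leaked API keys (the two previous subsections) are usually found the same way defenders find them: by scanning code and configuration before it reaches a public repository. The following is an added example, not code from this article or from NordStellar, of a minimal secret scanner. The patterns, the safe-value exceptions and the sample configuration are all constructed for illustration; the only real-world detail is that AWS access key IDs begin with `AKIA`.

```python
import re
from dataclasses import dataclass

# Illustrative patterns for credentials committed to code or config (assumed, not exhaustive).
SECRET_PATTERNS = {
    # "password = ...", "DB_PASSWORD=...", "secret_access_key: ..." and similar
    "password": re.compile(r'(?i)(?:pass(?:word|wd)?|pwd|secret)\w*\s*[:=]\s*["\']?([^"\'\s,;]{4,})'),
    # "api_key = ...", "access_token: ...", "auth-token=..."
    "api_key": re.compile(r'(?i)(?:api[_-]?key|access[_-]?token|auth[_-]?token)\s*[:=]\s*["\']?([A-Za-z0-9_\-]{16,})'),
    # AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
}

# Values that are references or placeholders rather than real secrets (assumed list).
SAFE_VALUE = re.compile(r'(?i)^(?:\$\{.*\}|os\.environ|env\(|vault:|<[^>]+>|changeme|placeholder)')


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never echo the full secret into scanner output or logs


def redact(value: str) -> str:
    return value[:3] + "***"


def scan_text(text: str) -> list:
    """Return one Finding per credential-looking assignment; env references and placeholders are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if SAFE_VALUE.match(value):
                continue
            findings.append(Finding(line_no, kind, redact(value)))
    return findings


# Constructed sample: a mix of safe references and committed secrets.
SAMPLE_CONFIG = """\
[database]
host = db.internal.example
password = ${DB_PASSWORD}          # env reference, fine
[legacy]
password = "hunter2secret"         # hardcoded, should be flagged
api_key = sk_example_0123456789abcdef   # hardcoded, should be flagged
[aws]
aws_access_key_id = AKIAEXAMPLEEXAMPLE12
admin_password = <changeme>
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
```

Run as a pre-commit hook or in CI, a scanner like this turns a leaked credential into a blocked commit instead of a breach. The placeholder and environment-reference exceptions matter: without them the scanner flags every `password = ${DB_PASSWORD}` and teams learn to ignore it.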
Data breaches
Data breaches occur when hackers steal large amounts of personal data, including usernames and passwords, which they can later exploit in account takeover attacks. For example, a hacker might use stolen credentials from a breached website to access accounts on other platforms where users have reused the same password.
Which types of organizations do account takeover attacks target?
Even though individuals are at risk of facing an ATO attack, hackers mostly target businesses and organizations.
- Small and medium-sized businesses (SMBs). SMBs are often prime targets for account takeover attacks because they typically have fewer cybersecurity resources and expertise.
- Financial institutions. Banks, credit unions, and other financial institutions hold large amounts of sensitive customer information, making them attractive targets for account takeovers. Smaller banks, especially those with outdated security systems, are particularly vulnerable.
- Technology companies. Tech firms are high-value targets due to the intellectual property and user data they handle.
- Critical infrastructure. Industries such as energy, transportation, and water supply are vital for the functioning of a country. Unfortunately, they often find themselves at the receiving end of ATO attacks. Criminals target these sectors to disrupt services, cause widespread damage, or hold operations hostage for ransom.
- Healthcare organizations. Healthcare providers store highly sensitive personal and medical data, making them especially attractive to attackers.
- Government agencies. Government organizations store sensitive information that attackers may target for espionage or financial gain. Breaches in this sector can have serious national security implications, and attacks are often motivated by both political and financial interests.
- E-commerce platforms. Online retail sites are at a high risk of facing an account takeover attack because they store valuable customer data such as names, addresses, and payment information. With many users reusing passwords across different sites, a data breach on one platform can lead to widespread account takeovers. Attackers often take advantage of peak shopping periods when high traffic makes it harder to detect malicious activity.
- Media and entertainment services. Attackers prey on streaming services and other media platforms. They can sell stolen login information, which allows unauthorized access to these services.
- The hospitality industry. Hotels, airlines, and other travel-related businesses are attractive to attackers because of their loyalty programs and the personal information stored in customer accounts.
- Sports organizations. Attackers target sports organizations for sensitive information like athlete contracts, medical records, and intellectual property. This data can be highly valuable and exploited for betting purposes.
- Gaming industry. Criminals often target gaming platforms due to the in-game purchases and virtual assets stored in user accounts. These assets can hold real-world value as well. Besides, criminals may use compromised accounts for phishing scams within gaming communities.
- Cryptocurrency exchanges. Cryptocurrency platforms are frequent targets due to the high-value digital assets they store, which attackers can transfer quickly, often without bothering to cover their tracks because crypto transfers are difficult to trace.
What are the consequences of an account takeover for a business?
A successful account takeover attack can cripple a business by impacting its financial stability, operational continuity, and reputation. Once attackers gain access to business accounts, they can view and steal sensitive company data, deploy malware, and even blackmail or coerce the business for ransom. Attackers may deploy ransomware, locking access to critical company data or systems until the company makes the payment.
Sophisticated attackers can also initiate fraudulent transactions, withdraw funds, or trigger unauthorized financial activities using compromised bank, investment, or vendor management accounts. Even worse, they can move laterally through the corporate network, escalating privileges to exploit high-value accounts, such as those of VIPs like the CFO. These accounts often contain highly sensitive information, making them prime targets for blackmail or additional exploitation.
An ATO attack typically leads to severe operational disruptions, financial losses, and regulatory penalties due to the failure to protect customer data. The reputational damage is significant, and the risk of follow-on attacks further compounds the initial damage.
What are some real-life examples of account takeovers?
Real-life examples of account takeovers demonstrate just how damaging these attacks can be, especially when targeting high-profile organizations. In 2023, two of Las Vegas’s biggest hotel-casinos, MGM Resorts and Caesars Entertainment, were hit by sophisticated corporate account takeovers.
MGM Resorts suffered huge system outages, with hotel guest check-in disabled and gamblers facing error messages on slot machines. Apparently, hackers found an employee’s information on LinkedIn and impersonated them in a call to MGM’s Okta IT help desk, which freely handed them the credentials.
Vox reported that a group called Scattered Spider was responsible, which it said used ransomware made by ALPHV, or BlackCat, a ransomware-as-a-service operation. This hacker group is known to be especially good at “vishing” (voice phishing), or gaining access to systems through a convincing phone call. MGM expected this attack to cost up to $100 million.
Caesars Entertainment experienced a similar social engineering attack, also on an outsourced IT support vendor. The resulting data breach caused many of its loyalty program members’ Social Security numbers and driver’s license numbers to be stolen, along with other personal data. Caesars reportedly paid roughly $15 million of the $30 million ransom.
How can you detect an account takeover attack?
Certain red flags can indicate a potential account takeover. Even if they point to something else, they still serve as a warning to prioritize your cybersecurity immediately.
- Unusual account activity. Changes to account settings, personal information, or security settings that you did not make.
- Unauthorized transactions. Unexpected charges, withdrawals, or purchases in your account.
- Login attempts from unknown locations or devices. Receiving alerts about logins from unfamiliar IP addresses or devices, especially from different geographic locations.
- Finding yourself locked out of your account. Being unable to access your account due to password changes or security question modifications you didn’t perform.
- Receiving password reset emails you didn’t request. Multiple emails for password resets or account recovery that you did not initiate.
Yet probably the best way to detect an account takeover attack before it wreaks financial and reputational havoc on your business is to use an account takeover prevention solution, such as NordStellar. Platforms like NordStellar automatically cross-reference credentials found on the deep and dark web with your employee, customer, and partner accounts. This gives your security teams visibility into how threat actors work and what they do with compromised data. Receiving actionable insights into what’s happening with your company’s data, you can take targeted measures to safeguard your accounts before it’s too late.
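Most of the red flags above are visible in an application's own audit log long before a user notices them. The following is an added example, not code from this article or from NordStellar, that runs four detection rules over constructed JSON-lines audit events: a burst of password reset requests, a successful login from a country or device the user has never used, a security setting changed shortly after such a login, and one IP address failing logins against many different accounts (the credential stuffing pattern described earlier). The event schema, thresholds and windows are assumptions chosen for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds and windows are assumptions; tune them to your own traffic.
RESET_BURST_N, RESET_WINDOW = 3, timedelta(minutes=10)
STUFFING_N, STUFFING_WINDOW = 5, timedelta(minutes=5)
CHANGE_WINDOW = timedelta(minutes=30)

# Constructed audit events. Assumed schema: ts, event, user, ip, country, device (+ setting).
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:00","event":"login_success","user":"alice","ip":"203.0.113.10","country":"DE","device":"laptop-1"}
{"ts":"2024-05-01T08:30:00","event":"login_success","user":"alice","ip":"203.0.113.10","country":"DE","device":"laptop-1"}
{"ts":"2024-05-02T03:10:00","event":"password_reset_requested","user":"alice","ip":"198.51.100.7","country":"BR","device":"unknown"}
{"ts":"2024-05-02T03:12:00","event":"password_reset_requested","user":"alice","ip":"198.51.100.7","country":"BR","device":"unknown"}
{"ts":"2024-05-02T03:15:00","event":"password_reset_requested","user":"alice","ip":"198.51.100.7","country":"BR","device":"unknown"}
{"ts":"2024-05-02T03:20:00","event":"login_success","user":"alice","ip":"198.51.100.7","country":"BR","device":"unknown"}
{"ts":"2024-05-02T03:21:00","event":"setting_changed","user":"alice","ip":"198.51.100.7","country":"BR","device":"unknown","setting":"mail_forwarding"}
{"ts":"2024-05-02T04:00:00","event":"login_failure","user":"bob","ip":"192.0.2.50","country":"US","device":"unknown"}
{"ts":"2024-05-02T04:00:01","event":"login_failure","user":"carol","ip":"192.0.2.50","country":"US","device":"unknown"}
{"ts":"2024-05-02T04:00:02","event":"login_failure","user":"dave","ip":"192.0.2.50","country":"US","device":"unknown"}
{"ts":"2024-05-02T04:00:03","event":"login_failure","user":"erin","ip":"192.0.2.50","country":"US","device":"unknown"}
{"ts":"2024-05-02T04:00:04","event":"login_failure","user":"frank","ip":"192.0.2.50","country":"US","device":"unknown"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Return (rule, subject, ts) alerts; each rule fires once when its threshold is reached."""
    alerts = []
    known = defaultdict(lambda: {"country": set(), "device": set()})  # per-user baseline
    resets = defaultdict(list)         # user -> recent reset-request timestamps
    failures = defaultdict(list)       # ip -> recent (ts, user) failed logins
    suspicious_login = {}              # user -> ts of last login from an unknown place/device

    for e in events:
        ts, user, kind = e["ts"], e.get("user"), e["event"]
        if kind == "password_reset_requested":
            resets[user] = [t for t in resets[user] if ts - t <= RESET_WINDOW] + [ts]
            if len(resets[user]) == RESET_BURST_N:
                alerts.append(("reset_burst", user, ts))
        elif kind == "login_failure":
            ip = e["ip"]
            failures[ip] = [(t, u) for t, u in failures[ip] if ts - t <= STUFFING_WINDOW] + [(ts, user)]
            if len({u for _, u in failures[ip]}) == STUFFING_N:
                alerts.append(("credential_stuffing", ip, ts))
        elif kind == "login_success":
            profile = known[user]
            unknown = e["country"] not in profile["country"] or e["device"] not in profile["device"]
            if profile["country"] and unknown:
                # Do not add the new location to the baseline: an analyst should confirm it first.
                alerts.append(("new_location_or_device", user, ts))
                suspicious_login[user] = ts
            else:
                profile["country"].add(e["country"])
                profile["device"].add(e["device"])
        elif kind == "setting_changed":
            last = suspicious_login.get(user)
            if last is not None and ts - last <= CHANGE_WINDOW:
                alerts.append(("security_change_after_new_login", user, ts))
    return alerts


if __name__ == "__main__":
    for rule, subject, ts in detect(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {rule} {subject}")
```

The baseline for "known" countries and devices is learned from the log itself here, so it should be built from a period you trust; a flagged login deliberately does not extend the baseline, otherwise an attacker's first successful login would make every later one look normal. The credential stuffing rule keys on distinct accounts per IP, which is what separates a stuffing run from one user mistyping a password.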
What to do if your business has become a victim of an account takeover
The quicker your reaction to an ATO attack, the better your chances of minimizing the damage. Once you determine your business was attacked, try to contain the breach as soon as possible. Immediately suspend or lock any affected accounts to prevent further unauthorized access. Then, change passwords, revoke active sessions or tokens, and isolate compromised systems from the network to contain the spread.
Next, assess the scope of the attack by investigating how the attacker gained access, identifying compromised data, reviewing activity logs, and identifying other potentially compromised accounts. Once you’ve done that, notify IT and security teams to begin immediate remediation. You should also inform affected users or customers about the situation and necessary steps they should take.
Next, double down on account security. Enforce password resets for affected users, ensure new passwords are strong, implement MFA, and revoke any compromised access tokens or API keys. It’s also advisable to update security software and continue monitoring systems for signs of additional suspicious activity.
Once you’ve contained the breach, conduct a detailed analysis to understand the attack, its extent, and how to prevent future breaches. Use these insights to update security policies and train employees to recognize and respond to future security threats. To contribute to the fight against cyberattacks, report the incident to relevant authorities and consult legal counsel to understand your obligations or potential liabilities.
How can you protect your business from account takeovers?
ATO attacks are clever and unpredictable, but you have multiple security tools at your disposal to help you prevent them. So consider implementing the following security measures to better protect your business:
- Enable multi-factor authentication for all accounts to add an extra layer of security.
- Use strong, unique passwords and encourage your employees to do the same. Encourage them to never reuse passwords.
- Use password managers to store credentials securely and generate strong passwords.
- Regularly change your passwords and set policies that prompt regular password updates.
- Use security questions. Add a layer of security by requiring users to answer predetermined questions after entering their passwords.
- IP block listing. Monitor for repeated login attempts from a single IP, which could indicate brute-force attacks, and block suspicious IPs to prevent unauthorized access.
- Limit login attempts. Limit the number of login attempts to deter attackers from spamming credentials, especially bots using stolen data from multiple IPs.
- Apply the sandboxing technique. Isolate suspicious accounts to monitor and limit their activity, preventing further damage if they are compromised.
- Limit access privileges by applying the principle of least privilege, ensuring employees only have access to systems and data necessary for their roles.
- Use antivirus, anti-malware, encryption, and endpoint detection software to protect devices from threats that could lead to account compromise.
- Use threat exposure management solutions like NordStellar to ensure accounts are used only by the real owners.
- Raise employees' awareness about phishing risks and train them to recognize other social engineering tactics that could compromise their accounts.
- Monitor for suspicious activity by checking account activity logs for unusual login attempts or other suspicious behavior.
- Regularly update software and systems, including operating systems and applications, with the latest security patches.
- Conduct security audits and penetration testing to see if your systems have vulnerabilities so that you could address potential security gaps before attackers exploit them.
While security solutions aren’t foolproof, and the human factor always plays a role, implementing these measures takes your company’s cybersecurity to the next level, making it nearly impossible for cybercriminals to carry out successful ATO attacks.
Avoid financial losses and protect your business' reputation — contact the NordStellar team. We'll help you identify compromised accounts across the deep and dark web so you can secure them before it's too late.