
Irma Šlekytė
An account takeover is just as bad as it sounds — it’s when a cybercriminal takes control of your account for malicious purposes. Since account takeover attacks have become a common cybersecurity threat, it’s best to know how these attacks work so you can protect your business.
An account takeover (ATO) is a type of fraud where an attacker steals a legitimate user’s login credentials to gain unauthorized access to their online account. Once inside, the criminal can exploit the information available for purposes such as impersonating the user, making purchases, accessing sensitive data, and moving laterally within the system.
The Sift Science Digital Trust and Safety Index for Q3 2023 reports that the year 2023 alone saw a 354% increase in account takeover attacks compared to the previous year. Sift also predicted losses related to ATO attacks reaching over $635 billion by the end of 2023.
In 2024, the rate of ATO attacks shows no signs of decreasing. Learning how account takeovers happen will help you understand why they are becoming so frequent.
Account takeovers follow a series of steps that allow attackers to steal your login credentials, gain access to your account, and exploit it for their own benefit. The steps of an account takeover include:
To take over your account, cybercriminals first need access to your login credentials. They might purchase these on the dark web if the information was exposed in a previous data breach. Alternatively, they can use various methods, such as exploiting human error or deploying malware that infects your device to steal your credentials.
Let’s explore the main ATO methods so you can identify potential vulnerabilities and protect your accounts.
Phishing is a type of fraud where cybercriminals send emails or messages that look like they come from a legitimate service provider but actually lead to a fake website that captures whatever the victim types in. For instance, you might get an email supposedly from your bank, asking you to log in to verify suspicious activity, but the link leads to a fake website that steals your password.
The hard truth is that employees are typically the weakest link in any organization’s cybersecurity. That’s why phishing emails and other social engineering tactics are a primary way for attackers to get legitimate user credentials.
The credential stuffing technique exploits people’s habit of reusing passwords. Attackers use lists of stolen usernames and passwords from previous data breaches to try logging in to other accounts. For example, if you use the same password for your email and social media accounts, and criminals hack your email account, they can use the same login info to get into your social media account.
Malware is any malicious software that threat actors install on your device to record your keystrokes (keyloggers) or steal stored passwords (infostealers). But how do they install it without your knowledge? Often, certain actions you unknowingly take help the criminals infect your system:
Session cookies are small bits of data stored on your computer that keep you logged in to websites without needing to re-enter your password. By stealing these cookies, attackers can engage in session hijacking and act as if they were you, gaining access to your account without logging in again. Stolen session cookies also help attackers bypass MFA, because the cookie was issued after authentication, including the MFA step, had already been completed.
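Because a stolen session cookie carries the authentication the victim already completed, the server-side handling of that cookie is where a defender limits the damage. The Python below is an added example, not code from the article or from NordStellar; it assumes a hypothetical in-memory session store and illustrative timeout values. It issues session ids from the OS random source, sets the cookie with HttpOnly, Secure and SameSite=Strict, rotates the id when the user authenticates, enforces idle and absolute timeouts so a captured cookie stops working, and revokes every session for a user when a compromise is reported.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Hypothetical in-memory session store: session id -> record.
# A real deployment keeps this server-side (database, Redis, ...).
SESSIONS = {}

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, regardless of activity


def new_session_id():
    # 256 bits from the OS CSPRNG; never derive session ids from user data or time
    return secrets.token_urlsafe(32)


def create_session(user, mfa_passed, now=None):
    """Issue a fresh server-side session after a completed login."""
    now = time.time() if now is None else now
    sid = new_session_id()
    SESSIONS[sid] = {"user": user, "mfa": mfa_passed, "created": now, "last_seen": now}
    return sid


def rotate_session(old_sid, now=None):
    """Replace the session id at privilege changes (login, MFA step-up).
    Rotation invalidates any id an attacker captured before authentication
    (session fixation) and limits the window for a stolen pre-auth cookie."""
    record = SESSIONS.pop(old_sid)
    new_sid = new_session_id()
    record["last_seen"] = time.time() if now is None else now
    SESSIONS[new_sid] = record
    return new_sid


def session_cookie_header(sid, max_age=IDLE_TIMEOUT):
    """Build a Set-Cookie value with the attributes that limit cookie theft:
    HttpOnly keeps page scripts from reading it, Secure keeps it off plaintext
    HTTP, SameSite=Strict stops it being attached to cross-site requests."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    cookie["sid"]["max-age"] = max_age
    return cookie.output(header="").strip()


def validate_session(sid, now=None):
    """Return the session record if sid is live, else None.
    Both idle and absolute timeouts are enforced, so a stolen cookie
    stops working even if the attacker keeps it active."""
    now = time.time() if now is None else now
    record = SESSIONS.get(sid)
    if record is None:
        return None
    if now - record["last_seen"] > IDLE_TIMEOUT or now - record["created"] > ABSOLUTE_TIMEOUT:
        SESSIONS.pop(sid, None)
        return None
    record["last_seen"] = now
    return record


def revoke_user_sessions(user):
    """Kill every session for a user (password change, reported compromise)."""
    doomed = [sid for sid, rec in SESSIONS.items() if rec["user"] == user]
    for sid in doomed:
        del SESSIONS[sid]
    return len(doomed)


if __name__ == "__main__":
    sid = create_session("alice", mfa_passed=True)
    print(session_cookie_header(rotate_session(sid)))
```

The rotation step is the one most often skipped: if the id issued before login survives authentication, an attacker who planted or captured it earlier inherits the logged-in session, MFA included.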
Man-in-the-middle attacks happen when cybercriminals intercept communication between you and a website, allowing them to capture your login information as it travels between your device and the server. If your internet traffic isn’t encrypted, they can view everything you do online, including your usernames and passwords. These attacks often occur over compromised home routers or public Wi-Fi networks, where attackers can listen in and steal your unencrypted data.
Brute force attacks use automated tools to systematically guess your password by trying countless combinations of letters, numbers, and symbols. These tools can test a large number of passwords quickly, and with current cracking hardware they can crack an 8-character password in an hour or less.
Social engineering attacks involve manipulating people into willingly handing over their login details. In these attacks, criminals pose as trusted entities or use psychological tricks. For example, an attacker may call you pretending to be from your company’s IT department and ask for your login information to “fix” an issue on your account.
Threat actors mostly use SIM swapping to bypass MFA. The attacker calls your carrier, pretending to be you, and convinces a service representative to transfer your phone number to a new SIM card, allowing them to intercept security codes sent to your phone.
To make the methods above succeed at scale, attackers rely on additional tools and sources for getting hold of user credentials.
Botnets are networks of infected devices that cybercriminals control remotely to perform large-scale attacks like credential stuffing, trying stolen credentials against thousands of accounts at the same time.
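Credential stuffing, brute force and botnet-driven attempts each leave a distinct shape in authentication logs, which is how a defender spots them. The Python below is an added example, not code from the article or from NordStellar; the log format (`<timestamp> OK|FAIL user=<name> ip=<address>`) and the three patterns planted in the sample lines are constructed, and the thresholds are illustrative. It counts failed logins per source IP, per account, and per account-and-source pair, then flags one IP cycling through many usernames (stuffing), one source hammering one account (brute force), and one account hit from many sources (the distributed pattern a botnet produces). A success from an already-flagged stuffing source is reported as a likely compromised account, since that is the attempt that actually worked.

```python
import re
from collections import defaultdict

# Assumed log format; adapt LINE_RE to whatever your identity provider emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)


def build_sample_log():
    """Constructed sample lines, not real data. Three patterns are planted:
    one IP cycling through many usernames (credential stuffing, with one hit),
    one IP hammering a single account (brute force), and one account tried
    from many IPs (distributed attempts, the botnet pattern)."""
    lines = []
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace"]):
        result = "OK" if user == "dave" else "FAIL"   # dave reused a breached password
        lines.append(f"2024-05-01T10:00:{i:02d}Z {result} user={user} ip=203.0.113.7")
    for i in range(12):
        lines.append(f"2024-05-01T10:01:{i:02d}Z FAIL user=admin ip=198.51.100.9")
    for i in range(6):
        lines.append(f"2024-05-01T10:02:{i:02d}Z FAIL user=cfo ip=192.0.2.{i + 1}")
    lines.append("2024-05-01T10:05:00Z OK user=alice ip=203.0.113.50")  # ordinary login
    lines.append("malformed line that should be skipped")
    return lines


def parse(lines):
    """Turn raw lines into event dicts, skipping anything that does not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(events, stuffing_users=5, brute_fails=10, spread_ips=5):
    """Return a list of findings; thresholds are illustrative, tune them to your baseline."""
    fails_by_ip = defaultdict(lambda: {"count": 0, "users": set()})
    fails_by_user_ip = defaultdict(int)
    fail_ips_by_user = defaultdict(set)
    ok_users_by_ip = defaultdict(set)

    for e in events:
        if e["result"] == "OK":
            ok_users_by_ip[e["ip"]].add(e["user"])
            continue
        fails_by_ip[e["ip"]]["count"] += 1
        fails_by_ip[e["ip"]]["users"].add(e["user"])
        fails_by_user_ip[(e["user"], e["ip"])] += 1
        fail_ips_by_user[e["user"]].add(e["ip"])

    findings = []
    for ip, stats in fails_by_ip.items():
        if len(stats["users"]) >= stuffing_users:
            findings.append({
                "kind": "credential_stuffing",
                "subject": ip,
                "count": len(stats["users"]),
                # a success from a stuffing source is the account that was taken over
                "likely_compromised": sorted(ok_users_by_ip.get(ip, ())),
            })
    for (user, ip), n in fails_by_user_ip.items():
        if n >= brute_fails:
            findings.append({"kind": "brute_force", "subject": f"{user} from {ip}", "count": n})
    for user, ips in fail_ips_by_user.items():
        if len(ips) >= spread_ips:
            findings.append({"kind": "distributed_attempts", "subject": user, "count": len(ips)})
    return findings


if __name__ == "__main__":
    for finding in detect(parse(build_sample_log())):
        print(finding)
```

The distributed case is the one per-IP lockouts miss entirely: each bot stays under any per-source threshold, so the per-account view across sources is what catches it.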
Attackers exploit flaws or weaknesses in software to gain unauthorized access to user accounts. For instance, an unpatched bug in an app might allow attackers to bypass security measures and take over legitimate user accounts.
Some apps or devices have built-in, hardcoded passwords that you can’t change, making them easy targets for attackers. Additionally, applications often store passwords in code or configuration files to access online accounts, and if these are exposed or leaked, attackers can use them to take control of systems.
Hardcoded passwords typically get exposed through insecure coding practices, accidental sharing, misconfigured servers, or leaks in publicly accessible repositories and files.
Applications use API (application programming interface) keys and authentication tokens to access accounts and services via an API, which allows different software to communicate with each other. For example, an app might use an API to retrieve data from a cloud service. If attackers steal these keys, or find them in accidental leaks, they can use them to access sensitive data or an organization’s account.
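Hardcoded passwords and leaked API keys usually surface the same way: a string that looks like a credential sitting in source or configuration. The scanner below is an added Python example, not code from the article or from NordStellar. Its input is a constructed configuration snippet; the AWS access key id shape (the AKIA prefix followed by 16 characters) is AWS’s documented format, and the remaining patterns are generic assignment shapes. It flags private key headers, key ids, and password or API key assignments, drops obvious placeholders, and applies a Shannon entropy check to API-key style values so template values do not produce noise. It is a triage aid for a pre-commit hook or a repository sweep, not proof that no secret is present.

```python
import math
import re

# Patterns: the AKIA prefix + 16 chars is AWS's documented access key id shape;
# the private key header is a PEM constant; the two assignment patterns are
# generic and intentionally loose (they accept "db_password = ..." as well).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{4,})['\"]"),
    "api_key_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret[_-]?key|auth[_-]?token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

# Values that appear in templates and docs; skipping them cuts false positives.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>", "your_api_key"}


def shannon_entropy(s):
    """Bits per character. Random tokens score around 4 or more, English words below 3."""
    if not s:
        return 0.0
    length = len(s)
    return -sum((s.count(c) / length) * math.log2(s.count(c) / length) for c in set(s))


def mask(value):
    """Keep enough to locate the finding without re-leaking the secret in a report."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text, source="<input>", min_key_entropy=3.0):
    """Return one finding per matching line: source, line number, kind, masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if value.lower() in PLACEHOLDERS:
                continue
            # API keys and tokens are random; a low-entropy value is almost always a stand-in
            if kind == "api_key_assignment" and shannon_entropy(value) < min_key_entropy:
                continue
            findings.append({"source": source, "line": lineno, "kind": kind, "value": mask(value)})
            break   # one finding per line is enough for triage
    return findings


# Constructed sample, not a real file; every value is made up.
SAMPLE_CONFIG = """\
# app settings (constructed sample)
db_host = "db.internal.example"
db_password = "S3cr3t!Pass"
api_key = "ak_live_9f8e7d6c5b4a3f2e1d0c"
backup_api_key = "aaaaaaaaaaaa"
aws_key = AKIAEXAMPLEKEY000001
password = "changeme"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CONFIG, source="settings.py"):
        print(finding)
```

The entropy filter is deliberately not applied to passwords: people choose low-entropy passwords, so a real hardcoded one would be skipped, whereas issued API keys and tokens are random by construction.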
Data breaches occur when hackers steal large amounts of personal data, including usernames and passwords, which they can later exploit in account takeover attacks. For example, a hacker might use stolen credentials from a breached website to access accounts on other platforms where users have reused the same password.
Even though individuals are at risk of facing an ATO attack, hackers mostly target businesses and organizations.
A successful account takeover attack can cripple a business by impacting its financial stability, operational continuity, and reputation. Once attackers gain access to business accounts, they can view and steal sensitive company data, deploy malware, and even blackmail or coerce the business for ransom. Attackers may deploy ransomware, locking access to critical company data or systems until the company makes the payment.
Sophisticated attackers can also initiate fraudulent transactions, withdraw funds, or trigger unauthorized financial activities using compromised bank, investment, or vendor management accounts. Even worse, they can move laterally through the corporate network, escalating privileges to exploit high-value accounts, such as those of VIPs like the CFO. These accounts often contain highly sensitive information, making them prime targets for blackmail or additional exploitation.
An ATO attack typically leads to severe operational disruptions, financial losses, and regulatory penalties due to the failure to protect customer data. The reputational damage is significant, and the risk of follow-on attacks further compounds the initial damage.
Real-life examples of account takeovers demonstrate just how damaging these attacks can be, especially when targeting high-profile organizations. In 2023, two of Las Vegas’s biggest hotel-casinos, MGM Resorts and Caesars Entertainment, were hit by sophisticated corporate account takeovers.
MGM Resorts suffered huge system outages, with hotel guest check-in disabled and gamblers facing error messages on slot machines. Apparently, hackers found an employee’s information on LinkedIn and impersonated them in a call to MGM’s Okta IT help desk, which freely handed them the credentials.
Vox reported that a group called Scattered Spider was responsible, which it said used ransomware made by ALPHV, or BlackCat, a ransomware-as-a-service operation. This hacker group is known to be especially good at “vishing” (voice phishing), or gaining access to systems through a convincing phone call. MGM expected this attack to cost up to $100 million.
Caesars Entertainment experienced a similar social engineering attack, also on an outsourced IT support vendor. The resulting data breach caused many of its loyalty program members’ Social Security numbers and driver’s license numbers to be stolen, along with other personal data. Caesars reportedly paid roughly $15m of the $30m ransom.
Certain red flags can indicate a potential account takeover. Even if they point to something else, they still serve as a warning to prioritize your cybersecurity immediately.
Yet probably the best way to detect an account takeover attack before it wreaks financial and reputational havoc on your business is to use an account takeover prevention solution, such as NordStellar. Platforms like NordStellar automatically cross-reference credentials found on the deep and dark web with your employee, customer, and partner accounts. This gives your security teams visibility into how threat actors work and what they do with compromised data. With actionable insights into what is happening to your company’s data, you can take targeted measures to safeguard your accounts before it’s too late.
The quicker your reaction to an ATO attack, the better your chances at minimizing the damage. Once you determine your business was attacked, try to contain the breach as soon as possible. Immediately suspend or lock any affected accounts to prevent further unauthorized access. Then, change passwords, revoke active sessions or tokens, and isolate compromised systems from the network to contain the spread.
Next, assess the scope of the attack by investigating how the attacker gained access, identifying compromised data, reviewing activity logs, and identifying other potentially compromised accounts. Once you’ve done that, notify IT and security teams to begin immediate remediation. You should also inform affected users or customers about the situation and necessary steps they should take.
Then, double down on account security. Enforce password resets for affected users, ensure new passwords are strong, implement MFA, and revoke any compromised access tokens or API keys. It’s also advisable to update security software and continue monitoring systems for signs of additional suspicious activity.
Once you’ve contained the breach, conduct a detailed analysis to understand the attack, its extent, and how to prevent future breaches. Use these insights to update security policies and train employees to recognize and respond to future security threats. To contribute to the fight against cyberattacks, report the incident to relevant authorities and consult legal counsel to understand your obligations or potential liabilities.
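The response steps above (lock affected accounts, revoke sessions and tokens, force resets, then widen the scope to other accounts the attacker may have touched) are easiest to get right when they run in a fixed order from a script rather than from memory under pressure. The Python below is an added example, not code from the article or from NordStellar; the account, session and API token stores are hypothetical in-memory stand-ins for the identity provider, session store and API gateway a real environment exposes through their own APIs, and the seeded state is constructed. It scopes first (other accounts with live sessions from the same source addresses as the confirmed victims, collected before those sessions are destroyed), then contains each account in order and keeps an audit trail for the post-incident analysis.

```python
from datetime import datetime, timezone

# Hypothetical in-memory stores standing in for the identity provider, the
# session store and the API gateway; in production each step is an API call.
ACCOUNTS = {}    # user -> {"locked": bool, "must_reset": bool}
SESSIONS = {}    # session id -> {"user": ..., "ip": ...}
API_TOKENS = {}  # token id -> {"user": ..., "revoked": bool}
AUDIT = []       # ordered record of every containment action, for the review afterwards


def seed_constructed_state():
    """Constructed state: alice is the confirmed victim; bob has a session from the
    same source address as one of alice's sessions; carol is untouched."""
    ACCOUNTS.clear(); SESSIONS.clear(); API_TOKENS.clear(); AUDIT.clear()
    for user in ("alice", "bob", "carol"):
        ACCOUNTS[user] = {"locked": False, "must_reset": False}
    SESSIONS.update({
        "s1": {"user": "alice", "ip": "203.0.113.7"},
        "s2": {"user": "alice", "ip": "198.51.100.4"},
        "s3": {"user": "bob", "ip": "203.0.113.7"},
        "s4": {"user": "carol", "ip": "192.0.2.10"},
    })
    API_TOKENS.update({
        "t1": {"user": "alice", "revoked": False},
        "t2": {"user": "carol", "revoked": False},
    })


def _log(action, user, detail=""):
    AUDIT.append({"at": datetime.now(timezone.utc).isoformat(),
                  "action": action, "user": user, "detail": detail})


def find_related_accounts(confirmed):
    """Scope step: other accounts with live sessions from the same source addresses
    as the confirmed victims. Run this BEFORE revoking sessions or the evidence is gone."""
    attacker_ips = {s["ip"] for s in SESSIONS.values() if s["user"] in confirmed}
    return sorted({s["user"] for s in SESSIONS.values()
                   if s["ip"] in attacker_ips and s["user"] not in confirmed})


def contain_account(user):
    """Containment in a fixed order: lock first so nothing new gets in, then
    revoke what is already in, then make the legitimate owner re-credential."""
    ACCOUNTS[user]["locked"] = True
    _log("lock_account", user)
    doomed = [sid for sid, s in SESSIONS.items() if s["user"] == user]
    for sid in doomed:
        del SESSIONS[sid]
    _log("revoke_sessions", user, f"{len(doomed)} session(s)")
    revoked = 0
    for token in API_TOKENS.values():
        if token["user"] == user and not token["revoked"]:
            token["revoked"] = True
            revoked += 1
    _log("revoke_api_tokens", user, f"{revoked} token(s)")
    ACCOUNTS[user]["must_reset"] = True
    _log("force_password_reset", user)
    return {"user": user, "sessions_revoked": len(doomed), "tokens_revoked": revoked}


def respond(confirmed):
    """Scope, then contain the confirmed accounts and the related ones.
    Related accounts are treated as compromised until the review clears them."""
    suspects = find_related_accounts(confirmed)
    contained = [contain_account(u) for u in list(confirmed) + suspects if u in ACCOUNTS]
    return {"suspects": suspects, "contained": contained}


if __name__ == "__main__":
    seed_constructed_state()
    print(respond(["alice"]))
    for entry in AUDIT:
        print(entry)
```

Locking before revoking matters: if sessions are revoked while the attacker can still log in with the stolen password, they simply create a new session, and the revocation buys nothing.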
ATO attacks are clever and unpredictable, but you have multiple security tools at your disposal to help you prevent them. So consider implementing the following security measures to better protect your business:
While security solutions aren’t foolproof, and the human factor always plays a role, implementing these measures takes your company’s cybersecurity to the next level, making it nearly impossible for cybercriminals to carry out successful ATO attacks.
Avoid financial losses and protect your business's reputation — contact the NordStellar team. We'll help you identify compromised accounts across the deep and dark web so you can secure them before it's too late.