Account takeover attacks are a rising threat that both individuals and companies must be prepared to manage.
Earlier this year, Reddit was the victim of an account takeover that began with a spear-phishing message. The threat actor sent a tailored, highly convincing message to a targeted employee. She clicked a link that led to a website cloning the company's intranet gateway and entered her credentials there.
Once the attacker had her credentials, they took over her account and spent a few hours inside the network. They accessed internal documents, dashboards, and code.
Business Account Takeover
While account takeover has always been a risk for businesses in the digital era, the pandemic and work-from-home phenomenon have changed the attack surface. Isolated employees are more susceptible to phishing attacks. And infiltrations may be harder to detect when teams are siloed. It’s also harder to ensure that employees are educated on ways to mitigate risk, detect attempted incursions, and report suspicious behaviors.
Useful protections for a business include rate-limiting and blocking suspicious source IP addresses, mandating password manager usage throughout the organization so that every account gets a unique password, and adding CAPTCHA or similar bot challenges to login pages to slow automated brute-force and credential-stuffing attempts. Note that none of these controls stops a targeted phishing attack against a single employee, which is how the Reddit incident started.
In the Reddit breach, the attacker's cloned gateway was built to capture second-factor tokens along with passwords, so multifactor authentication based on one-time codes did not stop the login. MFA is still strongly advisable, but don't assume it blocks every incursion. Only phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the credential to the legitimate site's origin, defeat a cloned login page outright.
Luckily, Reddit had one of the most important protections in place, and it’s the one thing that minimized the threat. The victimized employee had been trained to identify and report suspected threats. While she didn’t realize what was happening early enough to completely block the attacker, she soon became suspicious and reached out to IT. Reddit promptly revoked all access to the user’s accounts. And, to date, they have not been able to find evidence that the attacker gained access to user data or production systems.
Personal Account Takeover
A 2021 study by Security.org found that nearly one-quarter of U.S. households had fallen victim to an account takeover attack. More than half of the victims used the same password as the compromised account on multiple accounts. The most common accounts compromised were on social media platforms. The second most common were financial accounts.
Personal account compromise is often perpetrated with credentials bought on the Dark Web. If you use the same password on multiple accounts, one leaked password unlocks several of your accounts, which is exactly what the access brokers who sell that data count on.
Attackers who don't purchase credentials may use brute force attacks, guessing many passwords against one account, or credential stuffing attacks, replaying leaked username and password pairs across many accounts until one works. They may also use social engineering tricks to break into accounts or gather credentials through spoofed websites.
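The two automated attacks above leave different fingerprints in an authentication log, and that difference is what the IP blocking and bot-challenge controls described in the business section key on. Brute force piles failures onto one account and trips per-account lockout; credential stuffing tries each leaked pair once, so every account sees only a single failure and only the source IP ties the attempts together. The following Python is an added example, not code from the original post: the log format, thresholds and sample log lines are constructed for it.

```python
"""Spot brute-force and credential-stuffing patterns in an authentication log.

Added example, not code from the original post. The log-line format, the
thresholds and the sample log are all constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<iso-timestamp> ip=<src> user=<name> result=ok|fail".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample. 203.0.113.7 hammers one account and finally gets in
# (brute force); 198.51.100.9 tries a different leaked username/password pair
# on every attempt and lands one (credential stuffing); 192.0.2.5 is a real
# user who mistyped a password once.
SAMPLE_LOG = """\
2024-03-01T10:00:01 ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:02 ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:03 ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:04 ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:05 ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:06 ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:07 ip=203.0.113.7 user=alice result=ok
2024-03-01T10:01:00 ip=198.51.100.9 user=bob result=fail
2024-03-01T10:01:01 ip=198.51.100.9 user=carol result=fail
2024-03-01T10:01:02 ip=198.51.100.9 user=dave result=fail
2024-03-01T10:01:03 ip=198.51.100.9 user=erin result=fail
2024-03-01T10:01:04 ip=198.51.100.9 user=frank result=fail
2024-03-01T10:01:05 ip=198.51.100.9 user=grace result=fail
2024-03-01T10:01:06 ip=198.51.100.9 user=ivan result=ok
2024-03-01T10:02:00 ip=192.0.2.5 user=judy result=fail
2024-03-01T10:02:10 ip=192.0.2.5 user=judy result=ok
"""


def parse_log(text):
    """Turn log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def classify_sources(events, window_s=300, fail_threshold=5, stuffing_ratio=0.8):
    """Return {ip: finding} for sources with >= fail_threshold failures inside
    any window_s-second sliding window.

    brute_force: the failures concentrate on a few usernames.
    credential_stuffing: almost every failure names a different username, i.e.
    each leaked pair is tried once, so no single account ever trips a lockout.
    'compromised' lists accounts that logged in successfully from a flagged
    source inside the same window; that is the account-takeover signal.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds window_s.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            fails = [e for e in window if e["result"] == "fail"]
            if len(fails) < fail_threshold:
                continue
            distinct_users = {e["user"] for e in fails}
            kind = ("credential_stuffing"
                    if len(distinct_users) / len(fails) >= stuffing_ratio
                    else "brute_force")
            f = findings.setdefault(ip, {"kind": kind, "failures": 0, "compromised": set()})
            f["kind"] = kind
            f["failures"] = max(f["failures"], len(fails))
            f["compromised"] |= {e["user"] for e in window if e["result"] == "ok"}

    for f in findings.values():
        f["compromised"] = sorted(f["compromised"])
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

Running it flags 203.0.113.7 as brute force and 198.51.100.9 as credential stuffing, each with the account that was actually taken over, while the real user who fumbled one password is left alone. The point worth keeping is that a per-account lockout policy would have seen nothing unusual in the stuffing case; the detection has to be keyed on the source.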
Once an account is compromised, the attacker will typically change the password, locking out the rightful owner. Then they are free to gather the personal information they desire, spend your Southwest points on airline tickets, transfer money from your bank accounts, or make purchases under your Amazon profile.
The average value of financial losses from account takeover of bank accounts is nearly $12,000.
The best protection against personal account takeover is using a different password for every account you access online. The best way to achieve this daunting task is through the use of a password manager.
The next best tactic is remaining aware and alert every time you are online. Don’t trust emailed offers that seem too good (or bad) to be true. Don’t click on links from people you don’t know. And if you get an alert from a business or financial institution you do use, go directly to their site to log in and check on the situation (don’t click on the emailed link).
Takeover via IoT
As organizations do a better job of securing remote desktops, VPNs, and other IT credentials, analysts predict that the Internet of Things (IoT) will grow as an initial access point for account takeover attacks. By some estimates more than one-quarter of the devices in a typical organization are IoT devices, and many of them are vulnerable to attack because of the way they are designed and manufactured.
IoT devices are difficult for security teams to manage. They were typically not designed with security in mind, so patch management is complicated. IoT devices are also usually run with their default configuration. A network printer such as an HP LaserJet Enterprise, for example, ships with a default administrator password and keeps accepting it for remote management until someone changes it.
Mitigating the risks of IoT devices requires a proactive approach. IT departments should have a process in place for changing the default configurations on new IoT devices and for applying patches on a regular schedule. Organizations should monitor for new devices on their networks; continuously monitor network traffic; and practice appropriate network segmentation.
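Two of the steps above, spotting new devices on the network and checking that devices sit on the segment assigned to them, can be automated from data most networks already have: the DHCP lease table and an asset inventory. The following Python is an added example, not code from the original post or from any vendor. The dnsmasq lease-file format it parses is real; the lease data, inventory, segment plan, default-hostname patterns and vendor table are constructed for the example.

```python
"""Audit DHCP leases against an asset inventory to catch unmanaged devices,
devices sitting on the wrong network segment, and devices still carrying a
factory hostname (a hint that nobody changed the default configuration).

Added example, not code from the original post. The dnsmasq-style lease
format is real, but the lease data, inventory, segment plan, hostname
patterns and vendor table below are constructed for this example."""
import ipaddress
import re

# dnsmasq.leases line: "<expiry-epoch> <mac> <ip> <hostname> <client-id>"
LEASE_RE = re.compile(
    r"^(?P<expiry>\d+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<ip>\S+) (?P<host>\S+) (?P<cid>\S+)$"
)

# Tiny OUI prefix -> vendor table; in practice load the IEEE OUI registry.
OUI_VENDORS = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "3c:d9:2b": "Hewlett Packard",
    "00:50:56": "VMware",
}

# Hostname patterns that suggest a device was never configured after unboxing
# (assumed patterns chosen for this example).
DEFAULT_HOSTNAME_RES = [
    re.compile(r"^raspberrypi$", re.IGNORECASE),
    re.compile(r"^NPI[0-9A-F]{6}$"),
]

# Segmentation plan: IoT gear belongs on its own network, not with workstations.
SEGMENTS = {
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "iot": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed inventory: mac -> name and the segment the device should use.
INVENTORY = {
    "3c:d9:2b:aa:bb:cc": {"name": "lobby-printer", "segment": "iot"},
    "3c:d9:2b:dd:ee:ff": {"name": "printer-3f", "segment": "iot"},
    "00:50:56:01:02:03": {"name": "build-agent-7", "segment": "corp"},
}

# Constructed lease file: an unknown Raspberry Pi on the corporate network, a
# printer still using its factory hostname, a known server, and a printer that
# has wandered onto the corporate segment.
SAMPLE_LEASES = """\
1709290000 b8:27:eb:12:34:56 10.10.5.23 raspberrypi 01:b8:27:eb:12:34:56
1709290100 3c:d9:2b:aa:bb:cc 10.20.1.40 NPI1A2B3C *
1709290200 00:50:56:01:02:03 10.10.0.15 build-agent-7 01:00:50:56:01:02:03
1709290300 3c:d9:2b:dd:ee:ff 10.10.7.9 printer-3f 01:3c:d9:2b:dd:ee:ff
"""


def segment_of(ip):
    """Name of the segment an address falls in, or 'unassigned'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unassigned"


def vendor_of(mac):
    """Best-effort vendor from the first three octets of the MAC."""
    return OUI_VENDORS.get(mac[:8].lower(), "unknown")


def parse_leases(text):
    """Parse lease lines into dicts, ignoring anything that does not match."""
    return [m.groupdict() for m in (LEASE_RE.match(l) for l in text.splitlines()) if m]


def audit_leases(text, inventory):
    """Return a list of findings: unknown-device, wrong-segment, default-hostname."""
    findings = []
    for lease in parse_leases(text):
        mac, ip, host = lease["mac"], lease["ip"], lease["host"]
        seg = segment_of(ip)
        entry = inventory.get(mac)
        if entry is None:
            findings.append({"kind": "unknown-device", "mac": mac, "ip": ip,
                             "segment": seg, "vendor": vendor_of(mac)})
        elif seg != entry["segment"]:
            findings.append({"kind": "wrong-segment", "mac": mac, "ip": ip,
                             "segment": seg, "expected": entry["segment"],
                             "name": entry["name"]})
        if any(p.match(host) for p in DEFAULT_HOSTNAME_RES):
            findings.append({"kind": "default-hostname", "mac": mac, "ip": ip,
                             "host": host, "vendor": vendor_of(mac)})
    return findings


if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LEASES, INVENTORY):
        print(finding)
```

Run on a schedule against the real lease file (or a switch's MAC table), this produces the "new device" alert the paragraph calls for, and the default-hostname check is a cheap proxy for "nobody ever ran the setup step that changes the factory credentials". The wrong-segment finding is the one that matters most for account takeover: an IoT device reachable from the workstation network is an IoT device that can be used as a pivot toward credentials.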
Conclusion
The Reddit breach and its not-too-terrible conclusion are proof that human awareness must work in concert with technology to contain cyberattacks. Multi-factor authentication alone will not guard your perimeter. It must be paired with good device management, continuous network monitoring, and ongoing awareness training so that users recognize and report suspicious activity quickly.
If you need help protecting your organization from account takeover attacks, call 615-622-4591 or email info@asylas.com. Or complete our contact form.