What is Account Takeover Fraud (ATO)?
Account takeover (ATO), also called account takeover fraud or account compromise, is a cyber-criminal gaining control of a legitimate account. It typically happens when a threat actor obtains the account holder's login credentials, or an already-authenticated session, and uses them as if they were the owner. Account takeover is damaging to any organization because an attacker operating a legitimate account can act covertly, borrows the account's credibility, and inherits whatever authority the account holder has.

How does account takeover happen?
There are many ways an attacker can compromise an account. Most of the time the attacker gains access by obtaining the account's credentials, whether by tricking the user into handing them over, by guessing them, or by stealing them.
Phishing
Phishing is sending fraudulent messages, while posing as a legitimate sender, to convince people to reveal sensitive information such as passwords, social security numbers and bank account details. For account takeover, the usual form is a link to a fake login page that captures the credentials the user types in.
Spear phishing
Spear phishing is phishing that targets a specific individual or organization rather than a broad audience. The attacker usually researches the target so the message looks credible, contextualizing it with relevant names, projects or relationships. These attacks usually arrive as email; the term specifically describes a targeted, socially engineered phishing attempt.
CEO fraud
CEO fraud is a form of impersonation in which a threat actor researches an organization's CEO and then, posing as the CEO (for example from a spoofed or look-alike email address), contacts other employees, typically in the finance department, with an urgent request to transfer money. These attacks are focused specifically on financial gain.
Whaling
Whaling is a heavily targeted phishing attack in which an attacker attempts to phish a high-ranking official, often a chief executive. These social engineering attacks contain information highly personalized to the intended target, to get them to click a link that downloads malware, transfer funds to the attacker, or share details that can facilitate further attacks. A successful whaling attack can be devastating, causing data loss, financial loss, and reputational damage.
Email spam
Email spam is unwanted or unsolicited email arriving in a user's inbox, usually sent to a large number of recipients, either automatically by a botnet or by human senders. Its relevance to account takeover is as the delivery channel for phishing and malware at scale.
Malware
Malware is malicious software designed by a cyber-criminal to infiltrate a device and disrupt the system or steal information. There are many types of malware, each with its own method of infection, but in most cases the cyber-criminal wants information that can be monetized, through ransom or identity theft. For account takeover specifically, infostealer malware that harvests saved browser passwords and session cookies is a direct route to compromise, since a stolen session cookie bypasses both the password and MFA.
Business email compromise (BEC)
BEC is a type of email attack in which a threat actor tries to trick someone into sending money or valuable information by impersonating a trusted or high-ranking individual within the business. When BEC is paired with account takeover, the attacker's goal is to compromise a real account so they can continue the fraud from legitimate account credentials, whose messages pass every sender check.
Brute force attack
Brute force is a type of attack that tries to guess the correct login information for an account. Automated tooling works through many candidate passwords until the correct one is reached. It is effective against weak or simple passwords, and against services that do not limit login attempts.
How to prevent account takeover?
Account takeover is harmful to any organization. To reduce the risk, rate-limit login attempts (per account and per source address), alert users and administrators when account details such as the recovery email, phone number or MFA method change, and check passwords at set time and at login against a breached-credentials database. Beyond that, strengthen your password policy and deploy a security solution that gives complete visibility of your digital assets, including user accounts.
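Two of the controls just listed, rate limiting login attempts and checking passwords against a breached-credentials database, as an added example in Python. This is illustrative code written for this page, not Darktrace's product or any real lookup service's API. The breach set is a constructed handful of SHA-1 hashes standing in for a real corpus, the k-anonymity range lookup (only the first five hex characters of the hash leave the client) is simulated locally, and the limiter counts failed attempts per account and per source IP in a sliding window so that both brute force and credential stuffing trip a limit.

```python
import hashlib
import time
from collections import defaultdict, deque

# Constructed stand-in for a breached-credential database: SHA-1 digests (upper-case hex)
# of a handful of known-bad passwords. A real service holds hundreds of millions of these.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2023!")
}


def range_lookup(prefix: str) -> set:
    """Simulated k-anonymity range query: return the suffixes of every breached hash
    that starts with the five-character `prefix`. Only the prefix leaves the client,
    so the lookup service never learns which password was checked."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """True if `password` appears in the breach set. The suffix match happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def check_password_policy(password: str) -> list:
    """Set-time check: reject choices a length rule or the breach corpus would catch."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if is_breached(password):
        problems.append("appears in a breach corpus")
    return problems


class LoginRateLimiter:
    """Sliding-window limit on failed logins, keyed on the account and on the source IP.

    The account key throttles brute force against one user; the source key throttles
    credential stuffing, where one IP tries a few guesses against many accounts and so
    never trips a per-account limit. Only failures are counted, so a legitimate user is
    slowed down only while someone is actively failing against their account or from
    their address.
    """

    def __init__(self, max_per_account=5, max_per_ip=20, window_s=300, clock=time.monotonic):
        self.max_per_account = max_per_account
        self.max_per_ip = max_per_ip
        self.window_s = window_s
        self.clock = clock  # injectable so the behaviour can be tested without sleeping
        self._account_fails = defaultdict(deque)
        self._ip_fails = defaultdict(deque)

    def _prune(self, q, now):
        while q and now - q[0] > self.window_s:
            q.popleft()

    def allow(self, account: str, ip: str) -> bool:
        """Should this attempt be processed at all? Call before checking the password."""
        now = self.clock()
        qa, qi = self._account_fails[account], self._ip_fails[ip]
        self._prune(qa, now)
        self._prune(qi, now)
        return len(qa) < self.max_per_account and len(qi) < self.max_per_ip

    def record_failure(self, account: str, ip: str) -> None:
        """Call after a wrong password; both windows advance so either limit can trip."""
        now = self.clock()
        self._account_fails[account].append(now)
        self._ip_fails[ip].append(now)
```

The per-IP limit is deliberately looser than the per-account one: a shared office NAT produces legitimate failures from many users behind one address, so the source limit is there to catch an address cycling through dozens of accounts, not to lock out a building.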
Monitor account activity
Security teams should monitor all active accounts for unusual or suspicious behavior: a login from a strange location, unusual purchases or transactions, or a change in communication patterns. For example, if someone who does not usually talk to the finance department suddenly and frequently requests credit card information, that is suspicious.
Two factor authentication
Two-factor (or multi-factor) authentication requires the user to prove their identity with a second factor of a different kind from the password, such as a one-time code or push approval on their phone, or a hardware security key. For example, a user logging in on a desktop must also approve the login from their mobile phone, so a stolen password alone is not enough to sign in. Code-based and push-based factors can still be phished or relayed in real time, so phishing-resistant factors such as FIDO2/WebAuthn security keys are preferred for high-value accounts.
Strong passwords
Long, unique passwords stop nearly all brute-force guessing and should be a given for account security. They do nothing against phishing, or against credential stuffing of a password reused from another site, so uniqueness per service matters as much as length; a password manager is the practical way to achieve both.
Advanced security solutions
Advanced security solutions like Darktrace provide organizations with automated detection and response security systems that can detect and alert the security team to any account activity that deviates from a particular user’s normal behavior and isolate any accounts indicative of compromise, neutralizing evolving threats before they spread.

Examples of Account Takeover (ATO)
Threat actors targeted a company's SaaS environment in an attempted account takeover. Using the compromised account, the attacker requested a password reset on the employee's Dropbox account and then deleted the corresponding password reset email.
Darktrace's anomaly detection, which learns the company's own patterns of activity, flagged this as abnormal behavior in the SaaS environment. Once the suspicious SaaS login was identified, Darktrace neutralized the attack before it escalated.
Read the full blog here: Get The Drop On Phishing Attacks Abusing Dropbox
What are the challenges in preventing account takeover?
Account takeover or compromise commonly starts with an email. Using social engineering, threat actors get past traditional email security systems and into an employee's inbox. A highly targeted attack mimics the employee's normal communication patterns to build trust between the employee and the cyber-criminal, then tricks the employee into divulging account credentials.
Organizations find it difficult to identify compromised accounts because the attacker is using legitimate credentials, so nothing in the login itself fails. Without detection that compares each account's activity against that user's normal behavior, security teams struggle to account for all the activity across their networks and to spot the deviation.
Once the attacker has taken over the account, they can then continue to operate maliciously, but now with legitimate credentials. While some will opt to ask for money right away, others will plan a larger, wide-spread attack that can cause even more damage to the organization.
Incident response for account takeover
How should organizations respond to a confirmed account takeover?
Suspend the account: Suspending or isolating the account stops further damage and prevents unauthorized access to sensitive information while the investigation runs.
Change the password and revoke sessions: Resetting the password removes access gained through a stolen or guessed password, whether it came from phishing, credential stuffing or brute force, but only if every existing session, refresh token, app password and OAuth grant is revoked at the same time; a password change alone leaves an already-authenticated attacker logged in. Also review and remove any MFA devices, recovery contacts, mailbox forwarding rules or delegations the attacker added, since these survive a reset. If the account was reached by exploiting a vulnerability rather than through the credential, the underlying issue must be fixed as well, or the attacker simply comes back.
Notify affected parties: Provide guidance and support for anyone affected by the account takeover, including advice on how to protect their sensitive information and what messages from the account to distrust.
Account takeover solutions
Advanced security solutions like Darktrace provide organizations with automated detection and response security systems that can autonomously identify and stop potential threats. In instances of account takeover, Darktrace can isolate any suspicious accounts neutralizing evolving threats before they spread.
Darktrace uses a Self-Learning AI model to understand each business from the inside out, so that when activity deviates from that organization's 'normal' the AI can identify the behavior and alert the security team.
AI can also use real-time data to identify and respond to threats quickly, minimizing the potential damage and saving time for security teams. Darktrace analyzes account activity across the entire digital estate, leveraging data from device and cloud activity to understand every user.
Email is a heavily targeted attack vector facing a multitude of threats. Darktrace's email security can defend against:
- Account takeover
- Phishing
- Spear phishing
- Supply chain/vendor email compromise
- Data loss
- CEO fraud
- Invoice fraud
- Social engineering
- Extortion
- Ransomware/Malware
- Impersonation & Spoofing
How can security teams detect ATO attacks?
Account Takeover (ATO) attacks are a growing threat to organizations as attackers leverage stolen credentials to gain unauthorized access to systems and data. Detecting these attacks requires a combination of advanced monitoring, context-aware security measures, and the right tools to address the evolving nature of these threats. Here's how security teams can detect ATO attacks and prevent them from causing harm:
1. Monitor authentication patterns
ATO attacks often begin with a login that uses stolen credentials and is valid in every respect except who is behind it. By continuously monitoring login behavior for anomalies, such as a source IP, network or country the user has never signed in from, logins at abnormal times, a burst of failed attempts followed by a success, or two logins from different countries closer together than travel allows, security teams can spot ATO early. Identity security solutions can track these patterns across cloud environments and on-premises systems and raise real-time alerts for suspicious activity.
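The login anomalies described here, and the account-activity monitoring described under "Monitor account activity" above, as an added example in Python. It is written for this page and is not Darktrace's detection logic; the log format, the sample events and the thresholds (three failures in ten minutes, one hour for impossible travel, more than two hours from any usual login hour) are constructed assumptions. The detector builds a per-user baseline of IPs, countries and login hours from successful logins before a cutoff, then scores later successful logins against it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed authentication events (not real logs). Everything before CUTOFF is alice's
# established history; everything after it is what the detector scores.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z user=alice ip=198.51.100.7 cc=GB result=ok
2024-03-01T17:45:03Z user=alice ip=198.51.100.7 cc=GB result=ok
2024-03-02T08:58:40Z user=alice ip=198.51.100.7 cc=GB result=ok
2024-03-03T10:12:27Z user=alice ip=198.51.100.12 cc=GB result=ok
2024-03-04T02:13:45Z user=alice ip=203.0.113.9 cc=RO result=fail
2024-03-04T02:13:52Z user=alice ip=203.0.113.9 cc=RO result=fail
2024-03-04T02:14:01Z user=alice ip=203.0.113.9 cc=RO result=fail
2024-03-04T02:14:09Z user=alice ip=203.0.113.9 cc=RO result=fail
2024-03-04T02:14:20Z user=alice ip=203.0.113.9 cc=RO result=ok
2024-03-04T02:40:00Z user=alice ip=198.51.100.7 cc=GB result=ok
"""
CUTOFF = datetime(2024, 3, 4, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) cc=(\S+) result=(ok|fail)$")


def parse(log: str) -> list:
    """Parse the assumed log format into dicts, skipping lines that do not match."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m.group(2), "ip": m.group(3),
                       "cc": m.group(4), "ok": m.group(5) == "ok"})
    return sorted(events, key=lambda e: e["ts"])


def build_baselines(events: list, cutoff: datetime) -> dict:
    """Per-user profile from successful logins before `cutoff`: known IPs, countries, hours."""
    base = defaultdict(lambda: {"ips": set(), "ccs": set(), "hours": set()})
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            b = base[e["user"]]
            b["ips"].add(e["ip"]); b["ccs"].add(e["cc"]); b["hours"].add(e["ts"].hour)
    return base


def hour_distance(hour: int, known_hours: set) -> int:
    """Circular distance (wrapping at midnight) to the nearest hour the user has logged in at."""
    return min(min(abs(hour - h), 24 - abs(hour - h)) for h in known_hours)


def detect(events: list, cutoff: datetime, fail_threshold: int = 3,
           fail_window: timedelta = timedelta(minutes=10),
           travel_window: timedelta = timedelta(hours=1)) -> list:
    base = build_baselines(events, cutoff)
    recent_fails = defaultdict(list)  # user -> failure timestamps not yet followed by a success
    last_ok = {}                      # user -> (timestamp, country) of the last successful login
    alerts = []
    for e in events:
        u = e["user"]
        if not e["ok"]:
            recent_fails[u].append(e["ts"])
            continue
        fails = [t for t in recent_fails.pop(u, []) if e["ts"] - t <= fail_window]
        prev = last_ok.get(u)
        last_ok[u] = (e["ts"], e["cc"])
        if e["ts"] < cutoff:
            continue  # history only seeds the baseline
        reasons = []
        b = base[u]
        if b["ccs"]:  # only compare against a baseline if the user has one
            if e["cc"] not in b["ccs"]:
                reasons.append(f"new country {e['cc']}")
            elif e["ip"] not in b["ips"]:
                reasons.append(f"new ip {e['ip']}")
            if hour_distance(e["ts"].hour, b["hours"]) > 2:
                reasons.append(f"unusual hour {e['ts'].hour:02d}")
        if len(fails) >= fail_threshold:
            reasons.append(f"{len(fails)} failures then success")
        if prev and prev[1] != e["cc"] and e["ts"] - prev[0] <= travel_window:
            reasons.append(f"impossible travel {prev[1]}->{e['cc']}")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": u, "ip": e["ip"], "reasons": reasons})
    return alerts


def run_sample() -> list:
    return detect(parse(SAMPLE_LOG), CUTOFF)


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"], a["user"], a["ip"], "; ".join(a["reasons"]))
```

Note that the attacker's success at 02:14:20 trips three signals at once, while the legitimate 02:40 login from the user's usual IP is flagged only because it follows the attacker's Romanian login too closely; that second alert is the one that tells the analyst the earlier login, not this one, is the compromise.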
2. Leverage Multi-Factor Authentication (MFA)
MFA is fundamental in preventing unauthorized access, but it does not detect ATO and it can be bypassed: attackers use MFA-fatigue push spam, social engineering of the help desk to re-enroll a device, or real-time phishing proxies that relay the one-time code and capture the resulting session cookie. Security teams must therefore add layers such as continuous user monitoring and behavioral analysis to spot abnormal actions within an already-authenticated session.
3. Utilize Cloud Access Security Brokers (CASBs)
CASBs help monitor user access to cloud services and enforce security policies. Although they are valuable for ensuring compliance, they also offer critical visibility into cloud-based ATO attempts. By integrating CASBs with other security solutions, security teams can gain a more holistic view of user activity, identifying threats that span multiple applications and cloud environments.
4. Analyze user behavior
Identity security solutions that offer user behavior analytics can identify unusual patterns of activity, such as access to sensitive data or resources outside of typical user behavior. These tools analyze the context around each login attempt and flag any deviations from normal usage, helping security teams detect ATO attacks that bypass traditional security measures like MFA.
5. Deploy advanced endpoint protection
Sophisticated ATO attacks may involve lateral movement across networks once an attacker has gained access to an account. Endpoint protection tools, combined with network monitoring and intrusion detection systems, can help detect malicious activities that occur after authentication, such as data exfiltration or system manipulation.
6. Integrate identity security solutions
One of the biggest challenges security teams face in detecting ATO attacks is the fragmentation of identity security solutions. Many organizations use Single Sign-On (SSO) or Active Directory (AD) management tools, which are limited in their ability to detect threats across hybrid and multi-cloud environments. By integrating IAM solutions with a broader suite of security technologies, teams can bridge the gaps and gain comprehensive visibility to identify and prevent ATO attacks.
Detecting ATO attacks requires a layered, multi-faceted approach that integrates advanced technologies, behavioral monitoring, and continuous oversight. While traditional security measures, such as MFA, can help prevent unauthorized access, organizations must also address blind spots and integrate tools that provide visibility into post-authentication activity and across all layers of their infrastructure. With a comprehensive approach, security teams can more effectively detect and respond to ATO attacks before they cause significant harm.
What is the typical method of account takeover?
Account Takeover (ATO) attacks typically follow a multi-step process where attackers gain unauthorized access to a user’s account, often with the goal of stealing sensitive information, committing fraud, or leveraging the account for further attacks. The most common methods of account takeover include:
1. Credential stuffing
Attackers use stolen usernames and passwords, often acquired from previous data breaches, to gain access to multiple accounts. Given that many people reuse passwords across different sites, attackers automate this process, attempting to breach several accounts in quick succession. If users have weak or reused passwords, this method can be highly effective.
2. Phishing
Phishing is one of the most common techniques used to obtain a victim's login credentials. In this attack, an attacker impersonates a trusted entity (such as a bank, email service, or social media platform) and tricks the victim into revealing their username and password through fake login pages or fraudulent emails. Phishing may also be combined with social engineering tactics to persuade users to click on malicious links or open attachments.
3. Brute force attacks
In a brute force attack, attackers try candidate passwords against an account until one works, from dictionary and pattern-based wordlists up to exhaustive search of short keyspaces. The method is slow but effective against weak or simple passwords, and automated tools make it practical against services that allow unlimited attempts.
4. Social engineering
Attackers may use social engineering tactics to manipulate individuals into revealing confidential information, such as account credentials or security answers. This could involve impersonating a trusted colleague or using psychological manipulation to exploit a victim's trust.
5. Exploiting weak or stolen credentials
Attackers may exploit weak passwords (e.g., common phrases, predictable patterns) or credentials obtained through previous breaches; this is the underlying supply for both credential stuffing and brute force above. Once they gain access, they may move laterally within the victim's account or network to escalate privileges and cause further damage.
6. Man-in-the-middle attacks
In some cases, attackers intercept communications between a user and a service to capture login credentials or session tokens. This can occur on insecure networks (e.g., public Wi-Fi) where TLS is absent or downgraded, or through adversary-in-the-middle phishing proxies that sit in front of the real login page and capture the session cookie after the user completes MFA.
The typical method of account takeover involves gaining unauthorized access to a victim's account through a combination of stolen or weak credentials, phishing, social engineering, or exploiting vulnerabilities in security protocols. Preventing ATO requires a multi-layered approach, including strong password policies, multi-factor authentication, and continuous monitoring for suspicious behavior.
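Credential stuffing (item 1) and brute force (item 3) leave different fingerprints in failed-login data, and the right response differs: a brute-forced account needs step-up authentication or throttling, while a stuffing source needs to be blocked and every account it reached needs a reset because those credentials came from a breach and may be valid. The following is an added example written for this page, not Darktrace's code. It classifies each source address from a constructed set of failed-login records; the thresholds are assumptions to tune per environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def constructed_failed_logins() -> list:
    """Constructed sample of failed-login records (timestamp, source_ip, username).
    Not real log data; shaped to contain one brute-force and one stuffing pattern."""
    t0 = datetime(2024, 3, 4, 2, 0, tzinfo=timezone.utc)
    recs = []
    # Brute force: one source hammers a single account, 40 attempts in four minutes.
    recs += [(t0 + timedelta(seconds=6 * i), "203.0.113.5", "bob") for i in range(40)]
    # Credential stuffing: one source tries 30 different accounts, one or two guesses each.
    targets = [f"user{i:02d}" for i in range(30)]
    recs += [(t0 + timedelta(seconds=3 * i), "198.51.100.77", targets[i % 30]) for i in range(45)]
    # Benign noise: a legitimate user mistypes their password twice.
    recs += [(t0 + timedelta(minutes=1), "192.0.2.10", "alice"),
             (t0 + timedelta(minutes=1, seconds=20), "192.0.2.10", "alice")]
    return sorted(recs)


def classify_sources(records: list, min_attempts: int = 10,
                     stuffing_ratio: float = 0.5, focus_ratio: float = 0.8) -> dict:
    """Label each source IP by the shape of its failures.

    Stuffing spreads a few attempts over many distinct accounts (high distinct/attempts),
    brute force concentrates many attempts on one account (one user dominates).
    Sources below `min_attempts` are left unlabelled to avoid flagging ordinary typos.
    """
    per_ip = defaultdict(Counter)
    for _ts, ip, user in records:
        per_ip[ip][user] += 1
    result = {}
    for ip, users in per_ip.items():
        attempts = sum(users.values())
        distinct = len(users)
        if attempts < min_attempts:
            label = "below_threshold"
        elif distinct / attempts >= stuffing_ratio:
            label = "credential_stuffing"
        elif users.most_common(1)[0][1] / attempts >= focus_ratio:
            label = "brute_force"
        else:
            label = "mixed"
        result[ip] = {"label": label, "attempts": attempts,
                      "distinct_users": distinct, "targets": sorted(users)}
    return result


def recommended_actions(classification: dict) -> dict:
    """Map each pattern to the defender's response. Brute force: challenge or throttle the
    targeted account rather than lock it outright, since a hard lockout lets the attacker
    deny service to the victim. Stuffing: block or challenge the source and queue password
    resets for every account it reached."""
    actions = {}
    for ip, info in classification.items():
        if info["label"] == "brute_force":
            actions[ip] = ("step_up_auth_for_accounts", info["targets"])
        elif info["label"] == "credential_stuffing":
            actions[ip] = ("block_source_and_reset_targets", info["targets"])
    return actions


if __name__ == "__main__":
    classes = classify_sources(constructed_failed_logins())
    for ip, info in classes.items():
        print(ip, info["label"], info["attempts"], "attempts,", info["distinct_users"], "accounts")
    print(recommended_actions(classes))
```

Real stuffing campaigns rotate through proxy pools, so in practice the grouping key is often a user-agent or TLS fingerprint rather than a single IP; the ratio logic is the same.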
What are the consequences of account takeover?
Account takeover (ATO) attacks can result in significant damage, including:
- Financial Losses: Attackers may make unauthorized transactions, leading to direct financial loss for both individuals and businesses.
- Data Breaches: Sensitive data, like personal information or financial details, can be exposed, leading to identity theft or its sale on the dark web.
- Reputational Damage: Organizations may lose customer trust, leading to a decline in business and damaged credibility.
- Regulatory Penalties: Non-compliance with data protection laws due to a breach can result in fines and legal consequences.
- Operational Disruption: Attackers may disrupt services, leading to downtime and productivity loss.
- Increased Vulnerabilities: ATOs can provide attackers access to other accounts or systems, leading to further attacks.