What is Account Takeover?

What is account takeover fraud?

Account takeover, account takeover fraud, or account compromise refers to a cyber-criminal gaining control of a legitimate account. This typically happens when a threat actor obtains an individual’s login credentials. Account takeover can be detrimental to business operations at any organization: with a legitimate account, attackers can operate covertly and carry a stamp of credibility, and even authority, depending on whose account is compromised.


How does account takeover happen?

There are many ways an attacker can compromise an account. Most of the time the attacker gains access to an account by soliciting or forcefully obtaining account information.

Phishing: Sending fraudulent emails, while posing as a legitimate sender, to convince people to reveal sensitive information such as passwords, social security numbers, bank account information, and more.

Spear phishing: A type of phishing attack that targets a specific individual or organization rather than a broad audience. The attacker usually conducts a significant amount of research on the target so that the message can be contextualized with relevant information and appear more credible. These attacks usually come in the form of email messages; the term more specifically describes a socially engineered phishing attempt that is targeted.

CEO fraud: A form of impersonation in which a threat actor researches a CEO at an organization and then contacts other employees, such as the finance department, posing as the CEO with falsified credentials, often urgently requesting a transfer of money. These attacks are specifically focused on financial gain.

Whaling: A heavily targeted cyber-attack in which the attacker impersonates a high-ranking official. While whaling and CEO fraud have strong similarities and are often used interchangeably, whaling is typically used to gain access to networks and information by impersonating high-ranking members of an organization so that other employees hand over information.

Email spam: Email spam includes unwanted or unsolicited emails that arrive in a user’s inbox. Usually, email spam is sent to a large number of recipients. Spam can be sent automatically by a botnet or by human senders.

Malware: Malicious software designed by a cyber-criminal to infiltrate a device and disrupt a system or steal information. There are many types of malware, and each involves a different method of exploitation. In most cases, however, the cyber-criminal wants access to information that can harm the user and benefit the attacker financially, whether through a ransom or identity theft.

Business email compromise (BEC): An email attack in which a threat actor tries to trick someone into sending money or valuable information by impersonating a trusted or high-ranking individual within the business. Here the goal is to compromise an account so that the attacker can continue to conduct malicious activity using legitimate account credentials.

Brute force attack: An attack that attempts to guess the correct login information for an account. Automated software tries many combinations until the correct one is reached. This is effective against weak or simple passwords.

How can organizations identify and protect against account takeover?

Monitor account activity: Security teams can monitor all active accounts for unusual or suspicious behavior: an unfamiliar login location, unusual purchases or transactions, or a change in communication patterns. For example, if someone who does not usually talk to the finance department is now frequently requesting credit card information, this can be treated as suspicious.
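The monitoring described above, and the password-guessing pattern from the brute force section, can be expressed as simple rules over an activity log. The following is an added example, not code from the original page or from Darktrace: the event schema, the rule names and the thresholds are assumptions chosen for illustration, and the events are constructed. Each user's baseline (countries seen in past successful logins, recipients they have mailed before) is learned from the log itself, so the rules fire on deviation from that user's own history rather than on a fixed blocklist.

```python
"""Account-takeover indicator rules over constructed activity events.

Added example, not code from the original page or from Darktrace. The event
schema, rule names and thresholds below are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunable thresholds (assumed values).
FAIL_THRESHOLD = 10                      # failed logins within FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=5)
NEW_RECIPIENT_COUNT = 3                  # mails to a just-discovered recipient
RECIPIENT_WINDOW = timedelta(minutes=10)

# Constructed sample events (ISO-8601 UTC timestamps, one dict per event).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T08:02:00", "user": "alice", "type": "login", "ok": True, "country": "GB"},
    {"ts": "2024-03-04T08:05:00", "user": "alice", "type": "email", "to": "bob"},
    {"ts": "2024-03-05T08:10:00", "user": "alice", "type": "login", "ok": True, "country": "GB"},
    {"ts": "2024-03-05T08:12:00", "user": "alice", "type": "email", "to": "bob"},
    {"ts": "2024-03-06T08:01:00", "user": "alice", "type": "login", "ok": True, "country": "GB"},
    # Login from a country never seen for alice, then repeated mail to finance,
    # a recipient she has never contacted before.
    {"ts": "2024-03-07T03:40:00", "user": "alice", "type": "login", "ok": True, "country": "NG"},
    {"ts": "2024-03-07T03:41:00", "user": "alice", "type": "email", "to": "finance"},
    {"ts": "2024-03-07T03:42:00", "user": "alice", "type": "email", "to": "finance"},
    {"ts": "2024-03-07T03:43:00", "user": "alice", "type": "email", "to": "finance"},
] + [
    # Twelve failed logins against carol within one minute, then a success.
    {"ts": f"2024-03-07T04:00:{s:02d}", "user": "carol", "type": "login", "ok": False, "country": "US"}
    for s in range(0, 60, 5)
] + [
    {"ts": "2024-03-07T04:01:05", "user": "carol", "type": "login", "ok": True, "country": "US"},
]


def detect(events):
    """Return (rule, user, ts) alerts, learning each user's baseline as it goes."""
    known_countries = defaultdict(set)   # user -> countries of past successful logins
    first_contact = {}                   # (user, recipient) -> ts of first email
    recent_mail = defaultdict(deque)     # (user, recipient) -> recent email timestamps
    failures = defaultdict(deque)        # user -> recent failed-login timestamps
    alerts = []

    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]

        if e["type"] == "login":
            fails = failures[user]
            while fails and ts - fails[0] > FAIL_WINDOW:   # drop stale failures
                fails.popleft()
            if e["ok"]:
                # Rule 1: successful login from a country outside the learned baseline.
                if known_countries[user] and e["country"] not in known_countries[user]:
                    alerts.append(("new_login_country", user, e["ts"]))
                known_countries[user].add(e["country"])
                # Rule 3b: success immediately after a guessing burst is the worst case.
                if len(fails) >= FAIL_THRESHOLD:
                    alerts.append(("brute_force_success", user, e["ts"]))
                fails.clear()
            else:
                fails.append(ts)
                # Rule 3a: fire once, at the moment the burst crosses the threshold.
                if len(fails) == FAIL_THRESHOLD:
                    alerts.append(("brute_force_attempt", user, e["ts"]))

        elif e["type"] == "email":
            key = (user, e["to"])
            first_contact.setdefault(key, ts)
            recent = recent_mail[key]
            recent.append(ts)
            while ts - recent[0] > RECIPIENT_WINDOW:       # keep only the window
                recent.popleft()
            # Rule 2: a burst of mail to someone this user only just started contacting.
            is_new_recipient = ts - first_contact[key] <= RECIPIENT_WINDOW
            if is_new_recipient and len(recent) == NEW_RECIPIENT_COUNT:
                alerts.append(("new_recipient_burst", user, e["ts"]))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

On the constructed log this yields four alerts: alice's login from a new country and her burst of mail to finance, then the guessing burst against carol and the success that follows it. Bob never triggers rule 2 because alice's first contact with him predates the window, which is the point of learning a baseline rather than flagging every recipient.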

Two-factor authentication: The user must verify a login using more than one device. For example, a user logging in on a desktop must confirm the attempt on their mobile phone. This reduces the chance that an account compromise succeeds with access to just one device.

Strong passwords: Strong passwords will stop most brute force attempts to compromise accounts and should be a given in account security.

Advanced security solutions: Advanced security solutions like Darktrace provide organizations with automated detection and response security systems that can detect and alert the security team to any account activity that deviates from a particular user’s normal behavior and isolate any accounts indicative of compromise, neutralizing evolving threats before they spread.


What challenges do organizations face in detecting and preventing account takeover?

It is common for account takeover/compromise to start with an email. Using social engineering tactics, threat actors can bypass traditional email security systems and land in an employee’s inbox. A highly targeted attack can identify common communication patterns and build trust between the employee and the cyber-criminal, tricking the employee into divulging sensitive account information.

Organizations will find it difficult to identify compromised accounts because the attacker is using legitimate credentials. Without advanced detection systems in place, security teams will have a tough time accounting for all the activity across their networks and determining whether this behavior deviates from the end user's normal activity.

Once the attacker has taken over the account, they can continue to operate maliciously, but now with legitimate credentials. While some will ask for money right away, others will plan a larger, widespread attack that can cause even more damage to the organization.

What should organizations do if they suspect an account takeover has occurred?

If an organization suspects that an account has been taken over or compromised by a cyber-criminal, the organization should:

Suspend the account: Suspending or isolating the account will stop any further damage and prevent any unauthorized access to sensitive information.

Change the password: Changing the password will cut off the attacker’s access to the account only if they gained access by guessing the correct password, for example with a brute force attempt. If they gained access by other means, such as exploiting a vulnerability, this might not be a sufficient mitigation on its own.

Notify affected parties: Provide guidance and support for any parties that might be affected by the account takeover. This can include guidance on how to protect their sensitive information.
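The caveat in the password step is easiest to see in code. What follows is an added example, not code from the original page or from Darktrace: a small in-memory account store whose class name, method names and PBKDF2 parameters are assumptions chosen for illustration (a real identity provider exposes equivalents of each operation). It walks through the response steps above and shows that rotating the password alone leaves an intruder's already-issued session and API key working, which is why suspension and revocation of existing access are listed as separate steps.

```python
"""In-memory model of account-takeover containment: suspend, rotate, revoke.

Added example, not code from the original page or from Darktrace. The
AccountStore class, its method names and the PBKDF2 parameters are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountStore:
    def __init__(self):
        self.accounts = {}   # user -> {salt, digest, suspended, sessions, api_keys}

    def create(self, user, password):
        salt, digest = hash_password(password)
        self.accounts[user] = {"salt": salt, "digest": digest, "suspended": False,
                               "sessions": set(), "api_keys": set()}

    def login(self, user, password):
        """Verify the password and issue a session token, or return None."""
        acct = self.accounts.get(user)
        if acct is None or acct["suspended"]:
            return None
        _, digest = hash_password(password, acct["salt"])
        if not hmac.compare_digest(digest, acct["digest"]):   # constant-time compare
            return None
        token = secrets.token_urlsafe(32)
        acct["sessions"].add(token)
        return token

    def issue_api_key(self, user):
        """Long-lived credential whose validity does not depend on the password."""
        key = secrets.token_urlsafe(32)
        self.accounts[user]["api_keys"].add(key)
        return key

    def authorize(self, user, token):
        """True if token is a live session or API key of a non-suspended account."""
        acct = self.accounts.get(user)
        if acct is None or acct["suspended"]:
            return False
        return token in acct["sessions"] or token in acct["api_keys"]

    # Containment steps, in the order the page lists them.
    def suspend(self, user):
        """Step 1: block every use of the account, including already-issued tokens."""
        self.accounts[user]["suspended"] = True

    def rotate_password(self, user, new_password):
        """Step 2: replace the credential the attacker may have guessed or phished."""
        acct = self.accounts[user]
        acct["salt"], acct["digest"] = hash_password(new_password)

    def revoke_all_access(self, user):
        """Kill sessions and API keys, which a password change alone leaves intact."""
        acct = self.accounts[user]
        acct["sessions"].clear()
        acct["api_keys"].clear()

    def reinstate(self, user):
        """Lift the suspension once the account has been cleaned up."""
        self.accounts[user]["suspended"] = False


def containment_walkthrough():
    """Return which containment steps actually cut off an intruder's access."""
    store = AccountStore()
    store.create("alice", "Winter2024!")                 # constructed weak password
    stolen_session = store.login("alice", "Winter2024!")  # intruder logs in with the guessed password
    stolen_key = store.issue_api_key("alice")             # and mints a key for persistence

    results = {}
    new_password = secrets.token_urlsafe(24)
    store.rotate_password("alice", new_password)
    results["session_after_rotate"] = store.authorize("alice", stolen_session)
    results["key_after_rotate"] = store.authorize("alice", stolen_key)
    results["old_password_after_rotate"] = store.login("alice", "Winter2024!") is not None

    store.revoke_all_access("alice")
    results["session_after_revoke"] = store.authorize("alice", stolen_session)
    results["key_after_revoke"] = store.authorize("alice", stolen_key)

    store.suspend("alice")
    results["login_while_suspended"] = store.login("alice", new_password) is not None
    store.reinstate("alice")
    results["login_after_reinstate"] = store.login("alice", new_password) is not None
    return results


if __name__ == "__main__":
    for step, outcome in containment_walkthrough().items():
        print(f"{step}: {outcome}")
```

Run as a script, the walkthrough prints that the stolen session and key are still accepted after the password rotation, are rejected only after explicit revocation, and that suspension blocks even the correct new password until the account is reinstated.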

Account takeover solutions

Advanced security solutions like Darktrace provide organizations with automated detection and response security systems that can autonomously identify and stop potential threats. In instances of account takeover, Darktrace can isolate any suspicious accounts neutralizing evolving threats before they spread.

Darktrace uses a Self-Learning AI model to understand each bespoke business from the inside out. That way, when activity within the business deviates from ‘normal’, the AI can identify this behavior and alert the security team.

AI can also use real-time data to identify and respond to threats quickly, minimizing the potential damage and saving time for security teams. Darktrace analyzes account activity across the entire digital estate, leveraging data from device and cloud activity to understand every user.

The email landscape is a heavily targeted attack vector facing a multitude of threats. Darktrace’s email security can defend against:

  • Account takeover
  • Phishing
  • Spear phishing
  • Supply chain/vendor email compromise
  • Data loss
  • CEO fraud
  • Invoice fraud
  • Social engineering
  • Extortion
  • Ransomware/Malware
  • Impersonation & Spoofing
