In January 2022, the BlackCat ransomware group launched an attack on the German gas network Marquard & Bahls via the takeover of its Microsoft Exchange systems. By exploiting the third-party provider, the cybercriminals gained access to Marquard & Bahls business secrets and intellectual property, as well as potential customer data. Account takeover fraud is one of the biggest threats to organizations, and it’s difficult to fully protect against. In this piece, you’ll learn how to detect and prevent an attack, as well as how to block the financial effects of account takeover with Trustpair’s platform. Request a demo to learn more!
What is account takeover?
Account takeover (ATO) happens when cybercriminals gain access to a person’s account credentials. Typically, these credentials are obtained through a social engineering attack like phishing, through a data breach, or through a direct compromise like a malware attack. The victim might not know that their data has been made available to criminals and therefore doesn’t change their password to protect their accounts.
Once obtained, these credentials are typically sold on the black market. The buyer can use them to impersonate the victim online, take over their business accounts and defraud companies. They might even change the passwords to lock out the original owner.
In some cases, the fraudster will deploy bots to try these login details across as many websites as they can, from social media to e-commerce sites, finance accounts and more. In other cases, the information is sold already tied to particular accounts.
What is its impact on business?
Account takeover typically affects the customer, but businesses also stand to lose when their own accounts are accessed by bad actors.
Malware or ransomware
Malware and ransomware attacks can arise as a result of account takeover. In a real-life case seen at Perception Point, the email account of a known business associate was commandeered by fraudsters. The cybercriminals chose business email compromise to scam a partner:
Hi [name],
Here is the form you asked for: [malware link].
Thanks,
[account holder name]
By using a Google Form link to disguise the malware, they’ll likely overcome any suspicions of the recipient. Moreover, since the original account holder is a trusted business partner, there is really no reason to question the interaction.
If the recipient clicks on the link, they’ll instantly download malware onto their computer, or worse, onto the entire network. This could enable the perpetrators to lock you out of the system and demand a ransom payment in exchange for unlocking everything. Or, it could grant them access to snoop around, view and steal your data, and even send themselves payments from your company accounts.
Lateral attacks
Lateral attacks are secondary attacks on departments, systems and employees other than the primary target. Sometimes attackers will choose to take their chances, and other times, this secondary target was the plan all along.
For example, EA Games became the ultimate victim of an attack in 2021, but they weren’t the first target. Instead, the hackers bought stolen cookies (the small data files that contain website and user info) for a range of other websites.
From there, the perpetrators launched a lateral attack by using social engineering techniques on a member of EA Games’ IT staff. This strategy aimed to convince the IT team to manually approve access when multi-factor authentication failed. It meant the attackers got access to a Slack account, where they were able to view the source code for games like FIFA and Battlefield.
Financial loss
When cybercriminals gain access to important accounts, they can make purchases, take out loans, and even transfer funds to themselves. Once a customer realizes, they’ll rely on the institution to refund the money.
From a business perspective, it’s not really fair, but in most cases, businesses choose to reimburse customers to avoid the reputational fallout that could follow. It’s typically impossible for these institutions to recover the funds from fraudsters themselves, leading to significant financial losses.
OCBC, a bank in Singapore, had to compensate more than 470 customers after a relentless phishing campaign in 2021. Fraudsters targeted the bank’s customers over the holiday period, and were able to take over their accounts and send payments to “mule” bank accounts.
The bank said that as soon as one mule account was discovered and taken down, another would pop up in its place. The campaign caused the bank to pay out more than $8.5 million in goodwill payments to the customers who lost money.
What are the main methods for account takeover?
While account takeover is the ultimate destination, there are many different ways that attackers attempt to reach it, including:
- Data breaches
- Brute force attacks
- Phishing
Data breaches
Data breaches are often the fault of an internal employee or system rather than the result of a targeted attack by fraudsters. They’re an opportunistic route to account takeover: fraudsters typically learn that a breach has happened, and then launch their attack.
An unnamed Human Resources platform suffered a data breach in 2024, resulting in password changes, payroll fraud and full-blown identity theft. It happened because an employee decided to take a shortcut, downloading a pirated copy of paid software to save money.
Unknown to the employee, this software was laced with information-stealing malware. Once it was on the victim’s computer, it could easily capture account credentials by recording keystrokes. The stolen information was then sold on the dark web to the highest bidder.
The data breach eventually resulted in cloned accounts, further social engineering attacks and password changes, locking real employees out of their accounts. In the end, the human resources platform faced legal repercussions, because it was linked to a bank that could cause wider financial instability.
Brute force attacks
Brute force attacks are more deliberate, because they use bots to target specific accounts. Here, attackers use automated programs to try enormous numbers of credential combinations. Because of the extensive resources needed to perform these types of account takeover attacks, the targets are typically high-value accounts.
LinkedIn suffered a brute-force attack in 2012, when attackers leveraged its weak cryptographic controls. Approximately 6.5 million account passwords were leaked, and the accounts taken over, as a result of this type of automated guessing campaign.
Phishing
Phishing (or spear phishing if it’s highly targeted) is a different method of account hijacking derived from social engineering and manipulation. The attackers convince the victim to willingly give their account credentials, usually by pretending to be someone else.
See examples of spear phishing in this article!
Because of this methodology, victims typically realize they’ve been conned, so the attackers only have a small window of opportunity to take over the account.
Sony fell victim to a spear phishing scam in 2014, when cyber attackers sent deceptive emails to a portion of employees. Once those employees handed over their login and password credentials, the group leaked five movies to the internet, and threatened the company over the release of a new movie based around North Korea.
How to detect account takeover?
Detecting account takeover is difficult, especially if the fraudsters have bypassed multi-factor authentication. Oftentimes, companies aren’t monitoring the actions of their employees, so they wouldn’t be able to flag suspicious behavior.
Unusual account activity
Account activity monitoring uses automated tools to track and measure user behavior.
For example, Trustpair’s vendor data management tool verifies that new bank account details are legitimate when third-party vendors change their details. The monitoring tool checks against global databases in real time, and blocks outgoing transactions to suspicious accounts.
Other information to track and monitor includes:
- Unfamiliar device logins: does the user typically log in from their phone, and is suddenly using a laptop?
- Unusual location: does the user reside in the USA, but is logging in from Spain?
- Password reset requests: has the user requested a high number of password resets in a short space of time?
By tracking these factors, you’ll establish a ‘normal’ for each user’s behavior. Then, when behavior deviates from it, you’re more likely to detect account takeovers and prevent the consequences before the fraudsters are successful.
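As an added example (not part of the original article or Trustpair’s product), the following script learns a per-user baseline of devices and countries from a first week of login events, then flags later events that show the three signals listed above: an unfamiliar device, an unusual location, or a burst of password resets. The event records, user name, device identifiers and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RESET_WINDOW = timedelta(hours=1)   # window for counting password resets (assumed value)
RESET_THRESHOLD = 3                 # resets within the window that count as a burst

def ev(ts, kind, device, country, user="alice"):
    return {"user": user, "ts": ts, "type": kind, "device": device, "country": country}

# Constructed sample events: normal logins from a US phone, then resets and a login from a new laptop in Spain.
EVENTS = [
    ev("2024-03-01T09:00:00", "login", "iphone-12", "US"),
    ev("2024-03-10T03:12:00", "password_reset", "win-laptop-77", "ES"),
    ev("2024-03-10T03:15:00", "password_reset", "win-laptop-77", "ES"),
    ev("2024-03-10T03:20:00", "password_reset", "win-laptop-77", "ES"),
    ev("2024-03-10T03:22:00", "login", "win-laptop-77", "ES"),
]

def build_baseline(events):
    """Per-user 'normal': the devices and countries seen in earlier successful logins."""
    baseline = defaultdict(lambda: {"devices": set(), "countries": set()})
    for e in events:
        if e["type"] == "login":
            baseline[e["user"]]["devices"].add(e["device"])
            baseline[e["user"]]["countries"].add(e["country"])
    return baseline

def detect(events, baseline_days=7):
    """Learn baselines from the first baseline_days of events; return (ts, user, signals) for later deviations."""
    events = sorted(events, key=lambda e: e["ts"])
    cutoff = datetime.fromisoformat(events[0]["ts"]) + timedelta(days=baseline_days)
    baseline = build_baseline([e for e in events if datetime.fromisoformat(e["ts"]) < cutoff])
    resets = defaultdict(list)  # user -> timestamps of recent password resets
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if ts < cutoff:
            continue
        signals = []
        if e["device"] not in baseline[e["user"]]["devices"]:
            signals.append("unfamiliar_device")
        if e["country"] not in baseline[e["user"]]["countries"]:
            signals.append("unusual_location")
        if e["type"] == "password_reset":
            resets[e["user"]] = [t for t in resets[e["user"]] if ts - t <= RESET_WINDOW] + [ts]
            if len(resets[e["user"]]) >= RESET_THRESHOLD:
                signals.append("reset_burst")
        if signals:
            alerts.append((e["ts"], e["user"], signals))
    return alerts
```

Running `detect(EVENTS)` flags all four events after the baseline week, with the third password reset also carrying the reset-burst signal; a later login from the known phone in the US produces no alert.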
Multi-factor authentication
If you notice some unusual account activity, it’s worth testing the user to fully verify their identity as a form of due diligence. Multi-factor authentication, or two-factor authentication (2FA), relies on validating at least two of the following three factors:
- Knowledge: passwords or passcodes
- Inherence: face ID or fingerprint
- Possession: code sent to phone or email verification link
When users can’t pass 2FA, your business should raise red flags. Watch out for manual attempts to bypass this measure, such as emails to your IT, HR and customer service departments, as these could be signs of social engineering.
Multi-factor authentication is mandated by certain regulations, like PSD2 for financial institutions. But even if it’s not enforced in your industry, it is best practice and can help detect and prevent fraudulent activity like phishing, smishing (SMS phishing) or vishing (voice phishing).
How to prevent account takeover from happening?
Account takeover protection and prevention is not a one-size-fits-all approach, especially as fraudsters iterate their strategies with new techniques and technologies. Here are some suggestions:
Strong password policies
Strong password policies make it harder for brute force attacks to succeed. They ensure that users don’t:
- choose passwords that they’ve used before
- use standard words or phrases
- only use letters (requiring numbers and symbols too)
Strong password policies are not just written rules. Companies can use tools that force customers and employees to abandon “guessable” passwords. Most of the time, account holders will use a tool that generates a random password on their behalf, which is then saved in an online vault.
It helps to protect against account takeover since the users don’t even know their passwords themselves!
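As an added example (not code from the original article or from Trustpair), here is one way to enforce the three rules above in an application: a policy object that keeps a salted PBKDF2 history per user so reuse can be detected without storing plaintext, rejects passwords built on common words, and refuses letters-only passwords that lack a digit and a symbol. The word list, minimum length, history size and user name are constructed assumptions.

```python
import hashlib
import os
import re

COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}  # constructed stand-in for a breached-password list
MIN_LENGTH = 12
HISTORY_SIZE = 5        # how many previous passwords are remembered per user
PBKDF2_ROUNDS = 200_000

def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 digest, so the history never stores passwords in clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class PasswordPolicy:
    def __init__(self):
        self.history = {}  # user -> list of (salt, digest), newest last

    def _reused(self, user, candidate):
        """True if the candidate matches any remembered password for this user."""
        return any(hash_password(candidate, salt)[1] == digest
                   for salt, digest in self.history.get(user, []))

    def check(self, user, candidate):
        """Return the list of policy violations; an empty list means the password is acceptable."""
        problems = []
        if len(candidate) < MIN_LENGTH:
            problems.append("too_short")
        if any(word in candidate.lower() for word in COMMON_WORDS):
            problems.append("common_word")
        if re.fullmatch(r"[A-Za-z]+", candidate):
            problems.append("letters_only")
        elif not (re.search(r"\d", candidate) and re.search(r"[^A-Za-z0-9]", candidate)):
            problems.append("missing_digit_or_symbol")
        if self._reused(user, candidate):
            problems.append("previously_used")
        return problems

    def set_password(self, user, candidate):
        """Apply the policy; on success record the new password in the user's history."""
        problems = self.check(user, candidate)
        if problems:
            return problems
        hist = self.history.setdefault(user, [])
        hist.append(hash_password(candidate))
        del hist[:-HISTORY_SIZE]  # keep only the most recent HISTORY_SIZE entries
        return []
```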
Upgraded anti-spam measures
One example of an anti-spam measure is an upgraded email filtering service. This checks the domain name and the sender’s history of ‘junk’ labeling, and verifies the contents of an email to make sure there are no malware links.
A DMARC checker is another useful tool: an automated program that controls the delivery of emails, identifying threats like spoofing.
By upgrading anti-spam measures, you’re not relying on the manual identification of account takeover by employees or customers, who may miss the signs. Instead, you’re automating the prevention of account takeover fraud by employing tools that work round the clock to protect the accounts.
Employee training against social manipulation
Employee training sessions are a useful way of educating your staff about the risks, signs and consequences of account takeover. With regular training, colleagues will find it easier to become suspicious when things aren’t normal, and know their next steps.
Trustpair’s recent research into the fraud trends of 2024 highlighted that 94% of companies were targeted more than once by cyber fraudsters. So you can bet that at least one of your employees is likely to come up against the threat; and the more training, the better.
Payment fraud prevention software
If all else fails and fraudsters are able to access and take over accounts, you can still protect your finances. Platforms like Trustpair will automatically block outgoing transactions to suspicious accounts where the data given to you by third parties doesn’t match global records.
Our fraud prevention software provides real-time validation to eliminate manual errors and ensure you get alerted to anomalies as soon as they occur. This way, even if cybercriminals get into the accounts, your funds are protected.
Get your hands on a Trustpair demo here to learn more.
To conclude: Reviewing account takeover best practices
Account takeover fraud happens when criminals get into a person’s account, typically through data breaches, brute force attacks and social manipulation. Detect account takeover through monitoring account activity and using 2FA. Prevent account takeover through upgraded anti-spam, employee training, and Trustpair’s payment protection platform.