Account Takeover

What is Account Takeover?

An account takeover is a type of cyberattack where attackers attempt to gain unauthorized access to a legitimate email, social, business software, app, or financial account owned by a target individual or organization. Account takeover attacks can have a variety of goals, including:

  • Stealing financial resources
  • Stealing personally identifying information for use in identity theft and other crimes
  • Stealing access credentials for other applications, networks and systems
  • Embarrassing the target individual or organization with inappropriate usage of the stolen account
  • Stealing sensitive data and using it to blackmail or demand ransom from the account owner

After gaining access to an account, attackers may attempt to lock out the rightful owners by quickly changing the password and authentication settings. Next, the attackers may attempt to authorize fraudulent transactions, steal sensitive information, or target the individual’s contacts and social network with phishing messages and other scams.
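The lock-out behaviour described above (a successful login followed within minutes by changes to the password, recovery address and authentication settings) is a pattern a defender can watch for. The following is an added illustration, not code from ZeroFOX or from this page; the event format, field names, window and threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): one dict per authentication/security event.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "alice", "type": "login", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:02:10", "user": "alice", "type": "password_change", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:03:30", "user": "alice", "type": "recovery_email_change", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:04:00", "user": "alice", "type": "mfa_device_removed", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T12:00:00", "user": "bob", "type": "login", "ip": "198.51.100.4"},
    {"ts": "2024-03-02T12:00:00", "user": "bob", "type": "password_change", "ip": "198.51.100.4"},
]

# Settings an attacker changes to lock the rightful owner out (assumed event type names).
LOCKOUT_ACTIONS = {"password_change", "recovery_email_change", "mfa_device_removed"}


def find_lockout_patterns(events, window_minutes=15, min_actions=2):
    """Return {user: sorted lockout actions} for every user who, within
    `window_minutes` of a login, changed at least `min_actions` distinct
    credential or recovery settings. Thresholds are illustrative."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        for i, e in enumerate(evs):
            if e["type"] != "login":
                continue
            t0 = datetime.fromisoformat(e["ts"])
            actions = set()
            for follow in evs[i + 1:]:
                if datetime.fromisoformat(follow["ts"]) - t0 > window:
                    break  # past the correlation window for this login
                if follow["type"] in LOCKOUT_ACTIONS:
                    actions.add(follow["type"])
            if len(actions) >= min_actions:
                alerts[user] = sorted(actions)
    return alerts


if __name__ == "__main__":
    for user, actions in find_lockout_patterns(EVENTS).items():
        print(f"possible account takeover: {user} changed {', '.join(actions)} shortly after login")
```

Bob's password change a day after login falls outside the window and is not flagged, which is the legitimate "change password occasionally" case a rule like this has to tolerate.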

How Does Account Takeover Happen?

The average person manages 5.3 financial accounts, 1.8 email accounts, multiple social accounts, and tens or even hundreds of other accounts for accessing various applications and services. Large organizations can easily find themselves managing millions of accounts, along with the access credentials for business applications, email, social media, and banking.

Together, all of these accounts create a sizable attack surface that can be targeted by cybercriminals in an account takeover attack.

In order to gain access to an account, attackers need to discover the login credentials (username, password, PIN, token, etc.). Here’s how this usually happens:

Step One: Target and Research

The account takeover attack starts with cybercriminals choosing an individual or organization to target. Attackers will choose a target with high-value assets or information, then attempt to identify vulnerable email accounts, social profiles, online banking accounts, and other accounts that belong to the target. Once a suitable attack vector has been chosen, it’s time to implement the attack.

Step Two: Implementing the Attack

Cybercriminals can attempt to steal account credentials in several different ways.

In some cases, attackers have tricked the unsuspecting target into clicking on a link or opening an email attachment that installs a malicious script on the target’s computer. This malicious script logs every keystroke made on the target’s machine and sends this information to the attacker, enabling them to easily steal login credentials for applications, online banking, and other systems. 

In other cases, attackers have succeeded by sending a spoofed email with a fake message that creates a false pretext for the target to share their access credentials.

Threat actors use several different kinds of cyberattacks to obtain login credentials for a targeted account, including malware and ransomware attacks, phishing and spear phishing, impersonation, and social engineering attacks. Account credentials can even be compromised by a disgruntled employee or an employee who is being threatened or blackmailed by an external threat actor.

Where are Account Takeover Attacks Targeted?

When it comes to executing an account takeover attack, cybercriminals target accounts that will help them gain access to valuable financial and informational resources. These include things like:

  • Financial Accounts – Banking and investment accounts are the ultimate prize for cybercriminals who implement account takeover attacks. Taking over one of these accounts gives the attacker direct access to the target’s financial resources.
  • Email Accounts – Email account takeovers can be just as damaging as financial account takeovers in some cases. Taking over an email account may allow an attacker to gain access to other accounts held by the victim by abusing the password recovery feature. Attackers can also search the victim’s inbox for sensitive data to steal, or target their contact list with impersonation attacks and other scams.
  • Social Media Accounts – Social account takeovers by cybercriminals can be very damaging to an organization’s brand value. After taking over a social media account page, attackers may attempt to scam the target’s followers or post inappropriate content to hurt the brand’s reputation.
  • Internal Collaboration Software Accounts – Cybercriminals can steal access credentials for business collaboration tools like Slack or Asana, enabling them to access private conversations, proprietary business assets and data, and other confidential information about the organization and its activities, employees, and customers.
  • Other Accounts – More than 25% of respondents in a recent survey admitted to using the same password across multiple online logins. Therefore, an attacker who gains access to any of the target’s accounts may well have gained access to all of them.

How Does ZeroFOX Protect Against Account Takeover Attacks?

To protect against account takeover attacks, organizations need cybersecurity awareness, a strong password hygiene policy, and the right software, tools, and technologies to repel attacks.

ZeroFOX safeguards corporate and executive social media accounts against takeover attacks and hijacking by monitoring for early indicators of account takeover, automatically deleting malicious content posted to social followers, and freezing compromised accounts to prevent further damage to the target’s reputation.

Check out our white paper on Hacking a Corporate Social Media Page to learn more about the growing threat from account takeover attacks and how ZeroFOX can help.
