
What to Do After an Account Takeover

Published 02/05/2024


Originally published by Abnormal Security.

Written by Emily Burns.

Account takeovers are shockingly common and consistently damaging attacks that occur when a malicious actor gains access to an organization’s sensitive data through a compromised account. These attacks are often financially devastating. In fact, IBM reports that the average breach caused by stolen credentials costs organizations upwards of $4.62M.

Here, we'll explore why account takeovers work, provide an example of a real-world attack, and discuss how to detect and remediate account takeovers. With this knowledge, businesses and individuals can better protect themselves from the devastating effects of account takeovers.


Why Account Takeovers Work

Account takeovers can occur in a variety of ways, whether that be through session hijacking due to authentication token theft or forgery, traditional phishing, social engineering, credential stuffing, or even SMS or voice phishing (smishing and vishing, respectively). At their core, however, account takeovers are often enabled by a combination of advanced attack methods and weak security measures.

Once attackers have compromised a user’s email credentials, they can use the account to send malicious messages, steal confidential data, or gain access to other accounts linked to the victim’s credentials through SSO. This means that an attacker can cause significant damage in a short period of time if the right security measures aren’t in place. By understanding why account takeovers work and taking steps to prevent them, businesses and individuals alike can better protect themselves from fraudsters who try to exploit weak security systems for their own gain.


Example of an Account Takeover

Account takeovers can affect even the most secure organizations, often due to the simplest misconfiguration or oversight.

Take Tesla, for example: researchers discovered a vulnerability in one of Tesla’s internal applications. The Tesla Retail Tool (TRT) stores sensitive financial and administrative data, and once an employee leaves Tesla, it is assumed that they can no longer access the account because that user’s email is deactivated.

However, researchers found that the deactivated emails of past employees still existed in Tesla’s network. Further, they discovered that a user can use a corporate Tesla email to externally register for access to the TRT, meaning that these non-employee researchers—with nothing more than the dormant email address of a past employee—could register as a TRT user, access the application, and effectively take control of that account.

While the Tesla attack is not entirely centered on email, the moral is that even the most benign bit of data (in this case a corporate email address without a password) can be used to execute an account takeover. And often, the root cause is a lack of security visibility into the behaviors that indicate an account takeover has, in fact, occurred.


An Effective Account Takeover Response

Let’s consider a hypothetical: you’ve discovered a compromised account. You don’t know how long it’s been compromised. You don’t know what that user has accessed. You need to investigate. What do you do?

An effective account takeover response is essential for businesses and individuals to protect themselves from further damage—and assess any damage that has already been incurred. There are several steps that can be taken to ensure an effective response:

  • Notify affected users: When a breach has occurred, it’s essential to notify affected users of the attack immediately and provide instructions on how to take action. It’s important to keep these notifications secure and provide clear instructions on what steps they should take next.
  • Reset passwords: If any passwords have been compromised, reset them immediately. This will help contain the breach and protect other accounts associated with your user base.
  • Monitor accounts: Monitor your user accounts for suspicious activity and be sure to report any unusual behavior immediately. This could include login attempts from unknown locations or large amounts of money being transferred out of accounts without authorization.
  • Educate users: Educate all users on best practices for creating secure passwords and protecting personal information, such as not using the same password across multiple sites or writing down passwords in plain sight.
  • Monitor network traffic: Finally, monitor your network for any malicious traffic connected with the attack, such as phishing campaigns or malware downloads that could cause further damage if left unchecked.

By following these tactics, businesses can help protect themselves from further damage caused by account takeovers while also ensuring their customer data remains safe from unauthorized access.
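The "monitor accounts" and "reset passwords" steps above, turned into code. This is an added example written for this article, not code from Abnormal Security or any product: it scans a few constructed authentication log lines for two of the indicators the article names (a login from a location that implies impossible travel since the previous login, and a burst of failed logins followed by a success from the same IP, the shape credential stuffing leaves behind) and then lists the affected accounts with the first two response steps. The log format, thresholds, usernames, IP addresses and coordinates are all made up for the example.

```python
"""Flag account-takeover indicators in login logs and build a response list.

Added example for this article; not Abnormal Security's code. The log format,
thresholds and the sample log lines below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Thresholds are constructed for this example; tune them to your environment.
MAX_TRAVEL_SPEED_KMH = 900.0   # faster than this between two logins = impossible travel
FAILURE_BURST = 3              # this many failures ...
FAILURE_WINDOW_SECONDS = 300   # ... within this window, then a success from the same IP
EARTH_RADIUS_KM = 6371.0

# Constructed sample log: "timestamp user result source_ip lat,lon"
SAMPLE_LOG = """\
2024-02-05T08:00:00Z alice success 203.0.113.10 40.71,-74.01
2024-02-05T08:05:00Z alice success 203.0.113.10 40.71,-74.01
2024-02-05T08:30:00Z alice success 198.51.100.7 55.75,37.62
2024-02-05T09:00:00Z bob failure 192.0.2.50 51.51,-0.13
2024-02-05T09:00:10Z bob failure 192.0.2.50 51.51,-0.13
2024-02-05T09:00:20Z bob failure 192.0.2.50 51.51,-0.13
2024-02-05T09:02:00Z bob success 192.0.2.50 51.51,-0.13
2024-02-05T09:10:00Z carol success 203.0.113.22 37.77,-122.42
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    success: bool
    ip: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Finding:
    user: str
    indicator: str
    detail: str


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed log format into events sorted oldest-first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, latlon = line.split()
        lat, lon = (float(x) for x in latlon.split(","))
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(when, user, result == "success", ip, lat, lon))
    return sorted(events, key=lambda e: e.ts)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_takeover_indicators(events: list[LoginEvent]) -> list[Finding]:
    """Return one Finding per indicator hit; an account may be hit more than once."""
    findings: list[Finding] = []
    by_user: dict[str, list[LoginEvent]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    for user, evs in by_user.items():
        # Indicator 1: impossible travel between consecutive successful logins.
        successes = [e for e in evs if e.success]
        for prev, cur in zip(successes, successes[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Two logins at the same instant from different places count as infinite speed.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > MAX_TRAVEL_SPEED_KMH:
                findings.append(Finding(user, "impossible_travel",
                    f"{km:.0f} km in {hours * 60:.0f} min ({prev.ip} -> {cur.ip})"))

        # Indicator 2: a burst of failures, then a success from the same IP.
        for i, e in enumerate(evs):
            if not e.success:
                continue
            recent_failures = [f for f in evs[:i] if not f.success and f.ip == e.ip
                               and (e.ts - f.ts).total_seconds() <= FAILURE_WINDOW_SECONDS]
            if len(recent_failures) >= FAILURE_BURST:
                findings.append(Finding(user, "failures_then_success",
                    f"{len(recent_failures)} failures from {e.ip} within "
                    f"{FAILURE_WINDOW_SECONDS}s before success at {e.ts:%H:%M:%S}"))
    return findings


def build_response_plan(findings: list[Finding]) -> dict[str, dict]:
    """Map each flagged account to the article's first response steps plus the evidence."""
    plan: dict[str, dict] = {}
    for f in findings:
        entry = plan.setdefault(f.user, {"actions": ["notify_user", "reset_password"], "evidence": []})
        entry["evidence"].append(f"{f.indicator}: {f.detail}")
    return plan


if __name__ == "__main__":
    for user, entry in build_response_plan(detect_takeover_indicators(parse_log(SAMPLE_LOG))).items():
        print(user, entry["actions"])
        for line in entry["evidence"]:
            print("   ", line)
```

On the constructed log, alice is flagged for impossible travel (roughly 7,500 km in 25 minutes) and bob for three failures followed by a success from the same IP, while carol's single ordinary login produces nothing. Real deployments would replace the inline sample with the identity provider's sign-in log and the plan output with tickets or an automated reset, but the two checks are the ones worth running first because they need no signature of the attacker, only the user's own history.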


Detecting and Blocking Account Takeovers

Ideally, though, in this era of AI-based security—and in the face of a cybersecurity skills gap that limits the time and resources security teams can spare for manual investigation and remediation—the most effective way to combat account takeover via the outlined steps is with a security solution that automates detection and remediation and provides contextual insights to aid investigation.