Stopping Account Takeover Attacks

How to stop account takeover attacks before they start

Use comprehensive detection and alerting to stop the bad guys before they use your organization’s credentials against you. It’s probably not hyperbole to say that on the day after the lock was invented, someone figured out how to pick it. And so it goes to this day. The only difference is many of today’s locks are digital—taking the form of application sign-in pages. And the digital keys to unlocking them are usernames and passwords, a.k.a., credentials. According to the Verizon 2020 Data Breach Investigations Report, 80% of all successful hacks today rely on either stolen or lost credentials or using brute force methods, such as credential stuffing or credential cracking, to gain access to someone’s accounts. Why? Because these methods work.  “Criminals are clearly in love with credentials, and why not since they make their jobs much easier?,” the report said. ” …it is apparent that use of credentials has been on a meteoric rise.” Credential stuffing is where a hacker inserts (usually using bots) known usernames and passwords into the login page of a targeted application, service, platform, or web service until they get a hit. This usually isn’t too hard since the most common password today is still 123456. (In case you were wondering, the second is “qwerty” and third is, yep, you guessed it, “password”.) Credential cracking is when hackers utilize high-power processors (often in the form of gaming graphics cards), algorithms, and bots to guess someone’s username and password. Usernames are easy to guess, especially on corporate accounts since it’s often the person’s name and the company’s domain name. As you’ve seen, passwords are sometimes not much harder. In addition to credential cracking, many hackers employ social engineering schemes to obtain passwords and speed time to access the account. 

Dollars and cents

The impact of account takeover (ATO) attacks is immense. Lost revenues worldwide are in the billions, while negative impact on reputation and trust can be just as damaging to the bottom line.  While much of the focus is on the dangers ATOs pose to individuals in the form of identity theft and emptied bank accounts, how hackers link personal credentials to business accounts is often missed. The link often begins benignly enough when employees use their corporate email to register for third-party websites—not in defiance of corporate policy, but for convenience. If that third-party provider, be it a storage provider or trade publication, is breached, the hacker now has the employee’s professional email and, potentially, a corporate password.  Reusing corporate passwords for personal and work-related purposes along with poor password hygiene (e.g., 123456) are particularly dangerous because the reuse makes the hackers’ job much easier. Why use expensive, technically challenging, and time-consuming approaches like brute force, when it’s much easier to steal (or buy) a poorly protected email subscriber list and then escalate attacks (usually via phishing emails) from there? Because of the threat ATOs represent, organizations are working harder than ever to stop these attacks. The first step most organizations have already taken is demanding stronger passwords. The next is setting policies prohibiting the use of corporate passwords for personal accounts and requiring mandatory password changes every 90 days.

Falling short

While these security measures work well, they only go so far. Ideally, organizations should embrace measures to ensure user credentials never become compromised in the first place. And the best way to do this is to continuously scan for database leaks across your organization, your extended network of suppliers and service providers, the Internet, and the Dark Web.  Why? Because you can’t stop what you can’t see. Unprotected databases and documents can be anywhere. That’s why smart security organizations have embraced CybelAngel’s Digital Risk Protection Platform. CybelAngel continuously looks for and scans exposed databases and alerts your security teams with contextualized leak reports if problem credentials or documents are detected. If credentials are stolen, or otherwise exposed and put up for sale on the Dark Web, you need to know that, too. By detecting these exposed credentials, organizations can act before they fall into the wrong hands.

How credential hunting works

When a popular gaming application database was left open for anyone with a web browser (and no hacking skills) to access, millions of plain-text email addresses and passwords were exposed in the open along with 1.25 million credit and debit cards. Unfortunately, for a global bank, dozens of its employees signed up for a gaming service using their corporate email addresses and passwords. This exposed data made the bank a prime target for an ATO attack. Within hours CybelAngel’s Digital Risk Protection Platform had detected the exposed employee email addresses and passwords.  CybelAngel achieves similar results for hundreds of organizations around the world by sifting through billions of email addresses and assessing thousands of new databases, servers, and files to find exposed critical data before your organization’s leadership learns about the problem in the headlines.   To learn more about CybelAngel’s Account Takeover Solution and Credentials Watchlist, CLICK HERE. We are standing by to talk to you.