How to Mitigate Security Breaches Due to Account Takeover

Written by Chip Bell on March 19, 2021

Share This Article

Account takeover (ATO) attacks might not be in the headlines every day, but they’re certainly on the rise in enterprise environments. Account takeover attacks result in billions of dollars in losses each year due to brand damage, lost resources, and fraud. A 2017 survey showed the annual total loss for account takeover attacks to be $5.1 billion USD. But before we can understand how to prevent it, we need to take a step back and understand what an account takeover attack actually is.

What is an Account Takeover Attack?

An account takeover attack is a form of identity theft and fraud typically associated with accessing enterprise IT networks and resources. In these situations, a malicious third-party hacker gains access to a user’s account credentials through various means, including the use of compromised passwords lists and direct phishing attacks (often called spear phishing). Once the attacker has unfettered access to the account, they can change account information, send out phishing emails to access other accounts to gain potentially more access, steal financial data, or even obtain sensitive company data. 

With organizations experiencing a digital transformation like never before, it’s no surprise that ATO attacks are seeing a dramatic increase. Employees were already growing more comfortable logging into their software, websites, and corporate intranets via web portals, SSO prompts, and more, but now that employees are all working remotely, this particular trend has accelerated greatly and thus the chances for ATO attacks succeeding are even higher. All it takes is an employee clicking on a single phishing email, unintentionally sharing their credentials or allowing malware to install which could record them later, and the attacker is in the system.

In a recent report by UC Berkeley, examined 159 compromised accounts that spanned 111 organizations. In the report, they found that in 98% of compromised email accounts, hackers accessed at least one email-related Office 365 app, such as Outlook as to give a swift method for an attacker to gain access to contact lists and learn about any confidential information tied to the employee.

Who is Most at Risk for an ATO Attack?

The departments most at risk for an account takeover attack tend to be information technology, human resources, and senior leadership across the organization, since these groups have more access to sensitive data, financial information, and security infrastructure.

  • A NuData Security report said in the latter half of 2019, sophisticated attacks grew 430%. A sophisticated attack attempts to emulate a user’s behavior, increasing its likelihood of succeeding. It displays the expected browser or application behavior and runs scripts in the environment to create a human-like appearance.
  • February 2020 saw the most attacks for retail, digital goods, and travel; September 2020 was the most popular month for financial institutions.
  • Manual attacks attempted by humans are growing significantly.

How Does an ATO Attack Succeed?

The number one reason an account takeover attack happens is due to password reuse. When employees use the same password across all of their corporate and personal accounts, the chances of ATO attacks go up significantly. When a service is compromised, those credentials generally end up on leaked password lists which are sold through black markets around the world, from which hackers can see what other services they can log into using that information. 

A 2020 survey by InfoSecurity Magazine showed that: 

  • 45% did not consider password reuse to be serious
  • 52% share their streaming site passwords
  • 31% use the same password for streaming sites as they do for other ‘more sensitive’ accounts, such as online banking
  • 21% don’t know whether those with who they share their passwords also share with other people

According to a survey conducted by Google in 2019, the most staggering statistic is that 65% of people reuse the same password for multiple or all accounts.

In 20% of all ATO cases, compromised passwords were listed in at least one previous password breach, suggesting that attackers exploit credential reuse to hijack accounts, either through credential stuffing or similar automated techniques. However, phishing is still a popular way to obtain login information and access. Social engineering is still used, and it’s not nearly as hard as you’d think.

What’s at Risk with ATO Attacks?

The list of at-risk items with respect to a successful ATO attack on an enterprise user is quite long. Anything the employee has stored in their email, corporate document solution, or applications behind SSO are all at risk with a successful attack. Once an employee is breached, their information will likely be used to phish other employees for further access. 

In truth, the only assets safe from an ATO attack are those not accessible by the targeted employee, which means it’s just a matter of time before the attacker has access to the right set of accounts. So instead of asking what’s at risk with ATO, it’s better to simply realize the answer is everything, and assume you must have a strategy in place to identify, mitigate or outright prevent them properly.

How to Prevent Account Takeover Attacks

User Education and Training

User education is one of the most important ways to prevent ATO attacks. By educating employees about password reuse and staying safe online, many attacks will be thwarted from the get go, and opportunistic attackers will move on. 

However, employee education isn’t the only way to prevent problems with ATO, and shouldn’t be your only course of action. On the technical side, an IT department can deploy conditional access policies to create an environment that becomes more secure over time.

Password Reset Policies

It can be challenging to implement, either due to insufficient tools or backlash from the employee base, but password reset policies can go a long way to keep ATO attacks at bay. 

If your critical systems or single sign-on platform forces users to change their passwords regularly, then a potentially breached credential of an employee that had been reused to access a corporate application or device will have a defined shelf life. Every organization will have to strike a balance between the frequency and parameters of change versus the willingness and potential IT ticket increase from the workforce when implementing this policy; however, even a fairly generous policy will (over time) minimize the effectiveness of these attacks.

Verification through Multi-factor Authentication

Verifying a user’s identity is a critical step to preventing ATO. It’s not enough just to use a strong password, though. By implementing a multi-factor authentication system, you’ll have a potent weapon against an ATO attack even if credentials are compromised. 

Without access to the physical device, fob, or biometric indicator that contains the second factor, remote attackers will have no recourse to access the accounts they need to deepen their foothold. It is also recommended to reduce or eliminate the use of email-based verification, especially for critical systems and applications, as attackers can bypass this mitigation strategy completely if they are able to phish or social engineer their way into an email account directly. 

Effective Monitoring of Devices and Networks

By implementing a combination of device management and location (IP) monitoring, IT departments can identify malicious behavior as it happens, like alerting for unusual login patterns. If you know an employee resides in New York but is suddenly attempting to login from Seattle, you’ll immediately know there is an ATO attempt in progress. IT must know which devices are in use and where they are located to spot irregular patterns better.

Evaluate JumpCloud Free Today

If you’re new to JumpCloud and interested in learning more about the platform and how to achieve stronger security practices – including preventing Account Takeover Attacks, evaluate JumpCloud today! JumpCloud Free grants admins 10 devices and 10 users free to help evaluate or use the entirety of the product. Once you’ve created your JumpCloud account, you’re also given 10 days of Premium 24×7 in-app chat support to help you with any questions or issues if they arise.

Chip Bell

Chip is a Senior Product Marketing Manager at JumpCloud with a Bachelors in Environmental Geoscience from Boston College and a Masters in Education from The George Washington University. Chip loves to cook, hike, and NBA podcasts.

Continue Learning with our Newsletter