
Don’t be Overtaken by Account Takeovers

With numerous instances of account takeovers impacting companies like Groupon, TeamViewer and Camelot, the company that operates the U.K.’s National Lottery, as well as the recent breach of the Anti Public tool that’s used for verifying the legitimacy of hacked credentials, it’s time to take a closer look at these attacks and how to mitigate risk.

Account takeover occurs when a malicious actor gains access to a user’s account by stealing their username/email and password, often through password dumps, phishing or malware. Verizon’s 2017 Data Breach Investigations Report (DBIR) points to billions of credentials leaked online and up for grabs by cybercriminals. Chances are that some of these credentials may come from your organization, not to mention third parties with whom you do business, or other services your employees or customers use. I’ve written before about the dangers of mixing business with pleasure and reusing corporate credentials for personal use. The DBIR echoes this, pointing out that, “even though components of authentication weren’t compromised from you, it doesn’t mean they were not compromised…if you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned.”

So what can you do to mitigate risk? To better understand those steps, let’s take a closer look at what these attacks entail.

The barrier to entry for account takeovers is quite low. They begin with stolen credentials and there’s a wide range of vendors providing various packages priced anywhere from a few dollars to a few thousand depending on the quantity, source and age of the exposed credentials.

With credentials in hand, attackers often turn to automation since time is of the essence as the value of credentials drops every day. Instead of manually entering username and password pairs into target sites, free software is available to help adversaries automatically inject compromised credentials into login portals. This technique, known as credential stuffing, is a type of brute force attack whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found.

Additional credential-stuffing software – available for a nominal fee on forums, marketplaces and social media – helps adversaries to maximize the success of the attack. For example, a configuration file maps out the specific aspects of a target site so the software knows where to attempt logins. Proxies are also available to make it more difficult for the target to recognize an IP address and blacklist it. With access to the account secured, even novice attackers can be well on their way to a quick profit – hijacking it for a variety of purposes, including financial fraud, phishing and spam.
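The two patterns just described, one source replaying a credential list against many different accounts, and a proxy pool spreading attempts across many addresses so that no single IP stands out, are what a defender can look for in login logs. The following Python script is an added example, not code from the article: it runs a sliding-window check over constructed login events, flags source IPs that fail against many distinct usernames, flags accounts that receive failures from many distinct sources, and lists successful logins from flagged sources as likely takeovers. The log format, addresses, usernames and thresholds are all assumptions made for the illustration.

```python
"""Credential-stuffing detection over login events (added example).

Signals:
  * one source IP failing logins against many distinct usernames inside the
    window (a credential list replayed from a single machine);
  * one account receiving failures from many distinct IPs inside the window
    (the proxy-rotated variant, where attempts are spread across addresses).
Successful logins from a flagged IP are reported as likely takeovers.
Thresholds and log format are illustrative assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int        # unix seconds
    src_ip: str
    username: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    # Constructed log format: "<unix_ts> <src_ip> <username> <OK|FAIL>"
    ts, ip, user, result = line.split()
    return LoginEvent(int(ts), ip, user, result == "OK")


def detect_stuffing(events, window=300, ip_user_threshold=5, user_ip_threshold=3):
    """Return (suspect_ips, targeted_accounts, likely_compromised).

    A sliding window over timestamp-ordered events; only failures feed the
    counters, since stuffing produces mostly failures with occasional hits.
    """
    events = sorted(events, key=lambda e: e.ts)
    suspect_ips, targeted_accounts = set(), set()
    pair_count = Counter()           # (ip, user) -> failures still in window
    ip_users = defaultdict(set)      # ip -> distinct usernames failed
    user_ips = defaultdict(set)      # username -> distinct IPs failed
    start = 0
    for ev in events:
        # Evict failures that fell out of the window behind this event.
        while events[start].ts < ev.ts - window:
            old = events[start]
            start += 1
            if old.success:
                continue
            key = (old.src_ip, old.username)
            pair_count[key] -= 1
            if pair_count[key] == 0:
                del pair_count[key]
                ip_users[old.src_ip].discard(old.username)
                user_ips[old.username].discard(old.src_ip)
        if ev.success:
            continue
        pair_count[(ev.src_ip, ev.username)] += 1
        ip_users[ev.src_ip].add(ev.username)
        user_ips[ev.username].add(ev.src_ip)
        if len(ip_users[ev.src_ip]) >= ip_user_threshold:
            suspect_ips.add(ev.src_ip)
        if len(user_ips[ev.username]) >= user_ip_threshold:
            targeted_accounts.add(ev.username)
    # Any success from a flagged source is a candidate for forced reset.
    likely_compromised = [e.username for e in events
                          if e.success and e.src_ip in suspect_ips]
    return suspect_ips, targeted_accounts, likely_compromised


def analyze_log(text: str):
    return detect_stuffing(parse_line(l) for l in text.splitlines() if l.strip())


# Constructed sample: one IP sprays five accounts then hits a sixth, while
# "alice" is hammered from several addresses; 192.0.2.10 is a legitimate user.
SAMPLE_LOG = """\
1000 203.0.113.5 alice FAIL
1001 203.0.113.5 bob FAIL
1002 203.0.113.5 carol FAIL
1003 203.0.113.5 dave FAIL
1004 203.0.113.5 erin FAIL
1005 203.0.113.5 frank OK
1100 198.51.100.1 alice FAIL
1101 198.51.100.2 alice FAIL
1102 198.51.100.3 alice FAIL
1200 192.0.2.10 alice FAIL
1201 192.0.2.10 alice OK
"""

if __name__ == "__main__":
    ips, accounts, hits = analyze_log(SAMPLE_LOG)
    print("suspect IPs:", ips)
    print("targeted accounts:", accounts)
    print("successful logins from suspect IPs:", hits)
```

The per-account signal is the one that survives proxy rotation: each address may only fail once, but the account still accumulates failures from many sources. In a real deployment the thresholds would be tuned against normal traffic, and a hit from a suspect source would trigger a session revocation and password reset rather than just a report.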

So how can you mitigate risk? To protect your organization against account takeovers, here are seven steps you can take:

1. Monitor for leaked credentials of your employees. Troy Hunt’s Have I Been Pwned is a great resource for this, alerting you to breaches that include your organization’s email domain.

2. Monitor for mentions of your company and brand names across cracking forums. This can help to inform the security solutions you invest in. Google Alerts can be used for this; Johnny Long offers some great tips for doing so, and the results give a good picture of the specific risks to your business.

3. Monitor for leaked credentials of your customers, allowing you to take a more proactive response.

4. Deploy an inline Web Application Firewall. Commercial and open source web application firewalls, like ModSecurity, can be used to identify and block credential stuffing attacks.

5. Increase user awareness. Educate your staff and consumers about the dangers of using corporate email addresses for personal accounts, as well as reusing passwords.

6. Gain an awareness of credential stuffing tools. Keep an eye on the development of credential stuffing tools, and monitor how your security solutions can protect against evolving capabilities.

7. Implement multi-factor authentication (MFA) that doesn’t leverage SMS text messaging. There are several instances of threat actors bypassing mechanisms that rely on SMS messages to deliver temporary tokens. In August 2016, the National Institute of Standards and Technology called for the end of using SMS as part of MFA. While MFA can help to reduce account takeovers, make sure this is balanced against the friction it can cause for enterprise users and customers.

Attackers will continue to evolve their methods for account takeovers as their targets get wise to their ways. However, by using best practices to protect credentials, while at the same time monitoring for leaked credentials and changes in the tools attackers use, you can mitigate the risk of account takeovers to your organization.
