With numerous instances of account takeovers impacting companies like Groupon, TeamViewer and Camelot, the company that operates the U.K.’s National Lottery, as well as the recent breach of the Anti Public tool that’s used for verifying the legitimacy of hacked credentials, it’s time to take a closer look at these attacks and how to mitigate risk.
Account takeover occurs when a malicious actor gains access to a user’s account by stealing their username/email and password, often through password dumps, phishing or malware. Verizon’s 2017 Data Breach Investigations Report (DBIR) points to billions of credentials leaked online and up for grabs by cybercriminals. Chances are that some of these credentials may come from your organization, not to mention third parties with whom you do business, or other services your employees or customers use. I’ve written before about the dangers of mixing business with pleasure and reusing corporate credentials for personal use. The DBIR echoes this, pointing out that, “even though components of authentication weren’t compromised from you, it doesn’t mean they were not compromised…if you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned.”
So what can you do to mitigate risk? To better understand those steps, let’s take a closer look at what these attacks entail.
The barrier to entry for account takeovers is quite low. They begin with stolen credentials and there’s a wide range of vendors providing various packages priced anywhere from a few dollars to a few thousand depending on the quantity, source and age of the exposed credentials.
With credentials in hand, attackers often turn to automation since time is of the essence as the value of credentials drops every day. Instead of manually entering username and password pairs into target sites, free software is available to help adversaries automatically inject compromised credentials into login portals. This technique, known as credential stuffing, is a type of brute force attack whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found.
Additional credential-stuffing software – available for a nominal fee on forums, marketplaces and social media – helps adversaries to maximize the success of the attack. For example, a configuration file maps out the specific aspects of a target site so the software knows where to attempt logins. Proxies are also available to make it more difficult for the target to recognize an IP address and blacklist it. With access to the account secured, even novice attackers can be well on their way to a quick profit – hijacking it for a variety of purposes, including financial fraud, phishing and spam.
So how can you mitigate risk? To protect your organization against account takeovers, here are seven steps you can take:
1. Monitor for leaked credentials of your employees. Troy Hunt’s https://www.haveibeenpwned.com is a great resource for this, alerting you to instances of breaches including your organization’s email domain.
2. Monitor for mentions of your company and brand names across cracking forums. This can help to inform the security solutions you invest in. Use Google Alerts for this; Johnny Long offers some great tips for doing so, and it can help you identify the specific risks to your business.
3. Monitor for leaked credentials of your customers, allowing you to take a more proactive response.
4. Deploy an inline Web Application Firewall. Commercial and open source web application firewalls, like ModSecurity, can be used to identify and block credential stuffing attacks.
5. Increase user awareness. Educate your staff and consumers about the dangers of using corporate email addresses for personal accounts, as well as reusing passwords.
6. Gain an awareness of credential stuffing tools. Keep an eye on the development of credential stuffing tools, and monitor how your security solutions can protect against evolving capabilities.
7. Implement multi-factor authentication (MFA) that doesn’t leverage SMS text messaging. There are several instances of threat actors bypassing mechanisms that rely on SMS messages to deliver temporary tokens. In August 2016, the National Institute of Standards and Technology called for the end of using SMS as part of MFA. While MFA can help to reduce account takeovers, make sure this is balanced against the friction it can cause for enterprise users and customers.
Attackers will continue to evolve their methods for account takeovers as their targets get wise to their ways. However, by using best practices to protect credentials, while at the same time monitoring for leaked credentials and changes in the tools attackers use, you can mitigate the risk of account takeovers to your organization.