Account Takeovers (ATOs): Why They Happen, What Organizations are Doing to Prevent Them, And Why it's Not Enough

September 10, 2020

Account Takeovers (ATOs) are a major threat to organizations around the world. This common form of attack occurs when a cyber criminal uses legitimate credentials to gain unauthorized access to user accounts. Once inside, the attacker may steal data  (PII or sensitive corporate data), steal money, and perform fraud campaigns. Each year, organizations lose millions of dollars in account takeover attacks.

But to start, let’s understand how attackers get their hands on legitimate credentials; Though there are many ways attackers can acquire credentials, there are a few main methods used:

  • Attackers may harvest credentials using credential-phishing campaigns or by buying them on the Dark Web, sold in third-party data leaks.
  • Credentials can be harvested via devices infected with keylogging malware which sends the recorded data back to the attacker. The attacker then uses the stolen credentials to gain additional access or escalate privileges.
  • Brute force attacks, in which attackers attempt to guess passwords by systematically inputting entire dictionaries and lists of common passwords, are another way to get a hold of legitimate credentials.
  • Credential stuffing, wherein attackers use bots to stuff known usernames and passwords into logins to attempt to gain access, is another common method used.

Once the attacker has the credentials and makes their way inside, takeovers can go unnoticed for a great deal of time--and sometimes, they are never even discovered. This malicious actor on the inside can put your data and reputation in danger and can leave your organization in violation of regulations such as CCPA and GDPR.  

Just how Prevalent are ATOs in Organizations?
  • According to credit rating giant Experian (no stranger to damaging fraud attacks, mind you), 57% of organizations say they have fallen victim to ATOs over the course of 2020.
  • Javelin Strategy and Research in 2019 found that “Account takeover accounted for $4 billion in losses last year, which was slightly down from the year prior ($5.1 billion), but was up significantly when compared to data in recent years.”
  • In 2019, the FBI called Business Email Compromise (BEC) Account Takeovers the $26 billion scam and noted that “Between May 2018 and July 2019, there was a 100 percent increase in identified global exposed losses”.
Why are Account Takeovers so Common?

There are many reasons that account takeover attacks are a popular attack method. But a main driver currently is the prevalence of SaaS applications used across organizations today. These platforms hold a wealth of critical corporate data, which has made them a favorite target for attackers looking to launch account takeovers. Office 365, for example, with its 180 million users and easy access to communication channels and stored data, has become a preferred attack vector. In fact, according to Microsoft’s own stats, Office 365 experiences more than 300 million fake sign-in attempts--per day. Attackers use the stolen credentials to gain access and launch attacks from inside the application.

But it's not just MS’s productivity platform that is targeted--In 2019, the ever-popular Slack was found to be harboring a security flaw that allowed attackers to initiate automated account takeovers. And not only are they easy to execute, they turn a great profit; with as little as $100, the attacker can acquire the stolen credentials and brute force or credential stuffing tools needed to pull off massively damaging attacks.

How do Organizations Try to Prevent Them

Organizations and the SaaS platforms themselves invest a huge amount of money and resources into trying to prevent account takeover attacks. But the very same elements that make SaaS applications so useful for organizations--access to vast amounts of storage and simplified communication and collaboration--continue to make them appealing targets for account takeovers.

There are some defenses organizations use to try prevent these attacks:

Fortified Password Hygiene -  Using stronger, better passwords seems like a decent place to start when thinking about how to fortify account security. But here’s the thing about passwords; We all know that for a password to be secure it must be a long, random, and difficult-to-guess string of letters or words. People just aren't wired for randomness and what we think is hard to guess is often a piece of cake for an attacker. And according to Google, nearly 66% of people reuse passwords from account to account and there’s a very high likelihood that other accounts belonging to the same user will be accessible with the same passwords. Moreover, with the right tools, as mentioned above, even the most random and unique passwords can, in time, be cracked.

Multi-factor Authentication (MFA) and Single Sign On (SSO) - These two preventive measures are tightly coupled and both play an important role in preventing account takeover attacks since they provide extra layers of security to the main login method i.e., the web interface. But there are many legacy authentication protocols that don't support MFA and almost all SaaS platforms have ways to bypass SSO governance for the purpose of resiliency, making these methods less than 100% effective.

Continuous Monitoring of Accounts - A common approach to prevent account takeovers is constant monitoring for potential signs of a breach, such as suspicious logins from new browsers, devices, and locations; multiple password reset attempts in close succession; the implementation of new and questionable mailbox settings and configurations; the turning off of MFA, etc. But by nature, these attacks look like normal user behavior and thus, these behaviors may fly under the radar of continuous monitoring solutions.

The Automatic Answer to Preventing Account Takeovers

To prevent account takeovers, you need to get full and automated control over your SaaS applications. With SaaS security posture management, you can detect weaknesses in real time and address them before attackers have the opportunity to make use of them by:

  • Identifying the users and platforms that can bypass SSO (for example, by design, super admins in certain SaaS platforms authenticate directly against the platform to ensure connectivity when in an IdP outage situation). For those, deploy app-specific MFA and ensure that you’ve configured password policies for these users;
  • Identifying legacy authentication protocols that don’t support MFA and that are in use in your company, such as IMAP and POP3 for email clients. You can first reduce the number of users using these protocols and then create a second factor, such as a specific set of devices that can use for such legacy protocols;
  • Ensuring that your platform’s built-in auditing is fully functional. (In some SaaS platforms, not all audit settings are turned on by default.);
  • Periodically reviewing all sign-in audit logs;
  • Reviewing unique indicators of compromise, such as forwarding rules that are configured in email applications, bulk actions, etc. Such indicators may be different between SaaS platforms and therefore require intimate knowledge of each platform.

With Adaptive Shield, you can fine tune your SaaS native security controls to understand the full picture and see all the gaps and loopholes that exist to prevent account takeovers across all your applications. By extending visibility across your entire stack, you can fix issues immediately and keep your organization from experiencing the damaging impact of ATOs. To learn more about extending automatic control across your SaaS applications, get in touch with us today.

About the writer

Maor Bin
CEO & Co-Founder
Account Takeovers (ATOs): Why They Happen, What Organizations are Doing to Prevent Them, And Why it's Not Enough
A former cybersecurity intelligence officer in the IDF, Maor has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his BSc in Computer Science and is CEO and co-founder of Adaptive Shield. Oh and he is a globally-ranked chess player.
GDPR Compliant
ISO 27001 Compliant
ISO 27001 Certified
ISO 27701 Certified
SOC 2 Compliant
Cyber GRX