Account takeover attacks are growing bigger and bolder every year. Many businesses unwittingly amplify the effects of each attack, adding fuel to a fire that rips through their cloud environments and decimates customer confidence and revenue. Keeping a tight grip on identity and access management (IAM) and account takeover prevention lets you stop fraudsters from impersonating your employees.
Two-Step Identity Theft
Central to any account takeover attack is the account itself. High-access accounts are a goldmine to cybercriminals, since each one takes them a step closer to exploiting the IAM.
A business’ IAM (Identity and Access Management) is a complex system that boils down to allowing the right individuals the right level of access at the right time. Nabbing a decently high-access account can lead an impersonator straight to critical piles of data, so keeping malicious actors locked out is of vital importance.
It’s important to keep in mind that account takeover attacks span an entire life cycle, starting with stolen credentials, moving on to account validation, and then fuelling further attacks: all of which contribute to a cycle of malicious activity. As one attack sets off a chain reaction, let’s start with the first two steps of an account takeover attack.
The first step of an account takeover – assuming an employer doesn’t hand over login details for $200,000, as seen in the LAPSUS$ attacks – can usually be found in a recent data breach. Millions of data breaches occur per day, as criminals rip emails and login info from ecommerce companies, social media platforms and even government sites. Facebook became infamous for this between 2016 and 2021, as criminals gained access to user information through leaky APIs. This culminated in 2021 with the breach of 533 million user accounts, as emails and phone numbers were stealthily scraped and stored for future malicious use. This is far from the largest data breach of all time, mind you – that award goes to Yahoo, for its massive breach of every single user account it had – all 3 billion email addresses.
So, you’ve got a list of email addresses. To turn these into usable attack vectors, an attacker will need to validate these credentials. Bots become incredibly useful in this process, as attackers can chop and change login information, seeing which are correct and which can be discarded. This is a process called credential stuffing. Across millions of login attempts, spread through thousands of sites, the average success rate is less than 1%.
However, consider the massive quantity of Yahoo’s breached emails – 1% of 3 billion is still ten million successfully infiltrated accounts. This percentage rises if attackers use a curated list of credentials from a recent data breach, too.
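The credential-stuffing pattern described above is what a defender can look for in authentication logs: one source trying many distinct usernames in a short window with a very low success rate, which looks nothing like one person mistyping their own password. The following is an added example, not code from the original article; the log format, IP addresses and usernames are constructed sample data, and the thresholds are assumptions to tune per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "timestamp source_ip username outcome" (not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin@example.com SUCCESS
2024-05-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2024-05-01T10:00:05Z 203.0.113.7 grace@example.com FAIL
2024-05-01T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2024-05-01T10:00:06Z 203.0.113.7 ivan@example.com FAIL
2024-05-01T10:00:07Z 203.0.113.7 judy@example.com FAIL
2024-05-01T10:01:00Z 198.51.100.9 alice@example.com FAIL
2024-05-01T10:01:20Z 198.51.100.9 alice@example.com FAIL
2024-05-01T10:01:45Z 198.51.100.9 alice@example.com SUCCESS
"""

def parse_log(text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "SUCCESS"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=8, max_rate=0.2):
    """Flag source IPs that try many distinct usernames within one window at a
    low success rate: a replayed breach list, not one person mistyping a password.
    A single user retrying their own account (few distinct names) is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (t0, _, _) in enumerate(attempts):
            span = [a for a in attempts[i:] if a[0] - t0 <= window]
            users = {u for _, u, _ in span}
            hits = sorted(u for _, u, ok in span if ok)
            if len(users) >= min_users and len(hits) / len(span) <= max_rate:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(span),
                               "success_rate": round(len(hits) / len(span), 3),
                               "compromised_accounts": hits}
                break  # one alert per IP; the hit list tells responders which accounts to reset
    return flagged
```

The alert carries the accounts that did succeed, which is the list that needs a forced password reset and session revocation, because those are the validated credential pairs the attacker now holds.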
Now that a malicious actor is in control of an account, with a validated credential pair, they have a few options in front of them: they can sell that account to other cybercriminals, garnering impressive payouts. There are multiple markets on the dark web offering validated accounts for different prices, ranging from a few dollars to several tens of dollars per validated account if it’s on a coveted website.
Regardless of whose hands these validated accounts end up in, the next step is to make use of them. Accessing the data stored within that account can lead to further account compromise – for example, it can lead an attacker to backup emails, phone numbers, and banking information. Should an employee’s account become compromised, it can be a short and slippery slope to an attacker gaining access to a company’s database.
Growth of Cloud Usage
Cloud storage has totally revolutionized business infrastructure. Instead of relying on physical hardware, whirring and heating up one corner of an office, a business’ systems can remain as flexible and scalable as the company demands.
2020 saw even more dramatic increases in end-user spending on cloud platforms. Public cloud services grew from $270 billion in 2020 to $332 billion in 2021; already a lifesaver for many companies, the events of 2020 and the global pandemic pushed even more businesses toward non-physical data storage.
One of the cloud’s incredible benefits is its accessibility. As established throughout the pandemic and beyond, cloud infrastructure allows a company to become global in scope, sharing data across countries and continents.
However, as more and more businesses take advantage of the cloud’s capabilities, there is significant risk that this accessibility becomes dangerous.
The Danger of Excessive Permissions
Once an attacker has gained control of an account, they can essentially infiltrate a company’s cloud. Acting under the guise of an employee, they can snoop on anything the user typically could.
Under normal, legitimate use, an employee would only bother accessing the data they need on a day-to-day basis, whether that’s patent-protected blueprints, the company’s legal documents, or in-development software. Unfortunately, some businesses take this assumption and build their security architecture around it.
This means that a software dev may have access to legal documents – sure, they won’t use it, but there’s no guarantee that they’re the ones behind the screen.
99% of cloud accounts are given more permissions than they need. Unit 42 researchers looked at more than 18,000 cloud accounts at over 200 different companies – almost all of them were a ticking access time bomb.
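The gap between what an account is granted and what its owner actually uses is exactly what a takeover exploits, and it can be measured. The following is an added example, not code from the original article or from the Unit 42 research it cites: it takes a constructed inventory of granted permissions and a constructed 90-day usage log (account and permission names are hypothetical, not any real cloud provider’s IAM schema) and reports the unused permissions per account, the share of over-permissioned accounts, and a proposed least-privilege grant.

```python
from collections import defaultdict

# Constructed inventory of permissions each account currently holds.
# Account and permission names are hypothetical, not a real cloud provider's IAM schema.
GRANTED = {
    "dev-alice": {"repo:read", "repo:write", "ci:run", "legal:read", "hr:read"},
    "legal-bob": {"legal:read", "legal:write", "repo:read"},
    "svc-backup": {"storage:read", "storage:write", "storage:delete", "kms:decrypt"},
}

# Constructed 90-day access log: (account, permission actually exercised).
USAGE_LOG = [
    ("dev-alice", "repo:read"), ("dev-alice", "repo:write"), ("dev-alice", "ci:run"),
    ("legal-bob", "legal:read"), ("legal-bob", "legal:write"),
    ("svc-backup", "storage:read"), ("svc-backup", "storage:write"),
]

def used_permissions(log):
    """Collect the set of permissions each account actually exercised."""
    used = defaultdict(set)
    for account, perm in log:
        used[account].add(perm)
    return used

def audit_excess(granted, log):
    """Per account, the permissions granted but never exercised in the log window.
    These are what an attacker holding the account could use and the real user never does."""
    used = used_permissions(log)
    return {acct: sorted(perms - used.get(acct, set())) for acct, perms in granted.items()}

def over_permissioned_share(granted, log):
    """Fraction of accounts carrying at least one unused permission."""
    return sum(1 for v in audit_excess(granted, log).values() if v) / len(granted)

def minimal_policy(granted, log, keep=()):
    """Proposed least-privilege grant: only exercised permissions, plus any in `keep`
    that must survive the cut (e.g. a break-glass permission that is rarely used by design)."""
    used = used_permissions(log)
    return {acct: sorted((used.get(acct, set()) | set(keep)) & perms)
            for acct, perms in granted.items()}
```

The `keep` list is the practical caveat: a usage window only proves what was used, not what is needed, so rarely exercised but essential permissions (recovery, key rotation) should be reviewed by hand rather than cut automatically.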
How to Prevent Account Takeover Attacks
Managing cloud account takeover risk is part of good cybersecurity practice overall. Firstly, address the risk in the accounts you rely on. Enforce regular password change policies – and encourage the use of password managers for any employees struggling with this.
Alongside regular password changes, setting up two-factor authentication (2FA) adds another layer of defense against credential stuffing. If setting up 2FA for every single account isn’t feasible, then prioritize 2FA for high-access accounts and establish a CAPTCHA on your site to foil bot login attempts.
From here, you already stand a lower chance of becoming the victim of an account takeover attack. However, there are further steps you can still take. Third-party security providers offer multi-layered, intent-based detection methods that identify and block malicious logins.