With the rapid adoption of cloud services like Microsoft’s Office 365, and the distributed workforce, the risk of account takeover (ATO) fraud is increasing at alarming rates. According to a recent Sift index, “ATO fraud attacks have especially spiked by almost 282% from the second quarter of 2019 until the second quarter of 2020”. We anticipate these numbers will continue to climb as more businesses move operations to the cloud.
Account takeover is a form of identity theft and fraud in which a malicious third party gains access to a user’s account credentials. Once initial access is gained, the damage chain can magnify quickly, with the threat actor using the compromised account to send messages to other employees inside the organization (or beyond) to inflict further damage. In fact, most ATO cases have seen lateral movement across the network and supply chain almost immediately.
How do Account Takeovers occur?
- Phishing Scams: Phishing attempts often appear as a pop-up or an email indicating that account credentials are ‘suspended’ or need to be ‘verified’ or ‘reset’. Unsuspecting users follow the prompts and end on a well-crafted landing page where they are asked to enter their credentials. The attacker then holds the login credentials and has access to the account, and will typically set up forwarding rules on it right away to learn the user’s communication patterns (both inside and outside the organization). This knowledge can be used as leverage for future attacks such as ransomware or other advanced threats.
- Password-based Attacks:
• Credential Stuffing: One of the simplest forms of attack is to take common passwords and credentials exposed in public breaches and try them in bulk against an organization’s accounts, hoping for a hit. Considering that as many as “65% of people reuse the same password for multiple or all accounts”, according to a 2019 security survey conducted by Google, attackers have been fairly successful.
• Password Brute Forcing: Attackers may also try to gain access to accounts by brute forcing their way in, submitting many passwords or passphrases on the off chance that one is correct. These attacks generally have a low yield, but because they require little password ‘intelligence’, they are a quick go-to for attackers.
• Password Spraying: Attackers may also try password spraying, which uses a relatively small number of passwords, one at a time, across all known accounts in sequence. The advantage of password spraying is that it can avoid account lockout.
- OAuth Consent Phishing: Sometimes known as ‘App Attacks’, OAuth attacks occur when threat actors leverage an Office 365 app created using information stolen from a legitimate organization. The attacker sends an email, text or other communication purporting to be from Microsoft, asking users to complete an action.
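As an added illustration (not from the original article or any vendor tooling), the following Python sketch tells the password-spray pattern described above (a few attempts each against many accounts, which sidesteps lockout) apart from plain brute force (many attempts against one account) in failed sign-ins, and lists accounts whose sign-in later succeeded from the same source. The log format, thresholds and sample lines are assumptions, not an Office 365 export format.

```python
# Added example (not from the original article): flag password spraying
# versus brute force in failed sign-ins, grouped by source IP.
# Log format, thresholds and sample data below are assumptions.
from collections import defaultdict

# Constructed sample lines: "timestamp user source_ip result"
SIGNIN_LOG = """\
2020-07-01T08:00:01 alice@example.com 203.0.113.10 Failure
2020-07-01T08:00:02 bob@example.com 203.0.113.10 Failure
2020-07-01T08:00:03 carol@example.com 203.0.113.10 Failure
2020-07-01T08:00:04 dave@example.com 203.0.113.10 Failure
2020-07-01T08:00:05 dave@example.com 203.0.113.10 Success
2020-07-01T08:01:00 alice@example.com 198.51.100.7 Failure
2020-07-01T08:01:01 alice@example.com 198.51.100.7 Failure
2020-07-01T08:01:02 alice@example.com 198.51.100.7 Failure
2020-07-01T08:01:03 alice@example.com 198.51.100.7 Failure
2020-07-01T08:02:00 bob@example.com 192.0.2.55 Failure
2020-07-01T08:02:30 bob@example.com 192.0.2.55 Success
"""

def parse(log_text):
    """Split each non-empty line into (timestamp, user, ip, result)."""
    return [tuple(l.split()) for l in log_text.splitlines() if l.strip()]

def classify(events, spray_min_users=4, brute_min_attempts=4):
    """Per source IP: pattern, distinct users, failures, users that then signed in."""
    failures = defaultdict(list)      # ip -> users that failed, in order
    compromised = defaultdict(list)   # ip -> users that succeeded after failing
    for _ts, user, ip, result in events:   # assumes chronological order
        if result == "Failure":
            failures[ip].append(user)
        elif user in failures.get(ip, ()) and user not in compromised[ip]:
            compromised[ip].append(user)
    report = {}
    for ip, users in failures.items():
        distinct = len(set(users))
        if distinct >= spray_min_users:       # many accounts, few tries each
            pattern = "password_spray"
        elif len(users) >= brute_min_attempts:  # one account, many tries
            pattern = "brute_force"
        else:
            pattern = "none"   # e.g. a typo followed by a genuine login
        report[ip] = {"pattern": pattern, "users": distinct,
                      "failures": len(users), "compromised": compromised[ip]}
    return report

if __name__ == "__main__":
    for ip, info in classify(parse(SIGNIN_LOG)).items():
        print(ip, info)
```

Real tenants need the thresholds tuned to normal failure rates, and the same grouping can be done per user-agent or per ASN rather than per IP when the spray is spread across many sources.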
All of the above could lead to big disruptions to both the user and the business. So what can be done to prevent it, or at least mitigate the potential damage?
Download our Threat Insight report for more information.