
Cross-Platform Account Takeover: 4 Real-World Scenarios

Cross-platform account takeover is an attack where one compromised account is used to access other accounts. Learn about four real-world examples: compromised email passwords, hijacked GitHub accounts, stolen AWS credentials, and leaked Slack logins.
July 22, 2024

Account takeover (ATO) is a well-known attack method that has been documented for years. A less common variant occurs when ATO is used as the initial attack vector to gain access to another account; this is known as cross-platform ATO. In this article, we’ll showcase four scenarios where cross-platform ATOs can occur, taken from discussions on cybercrime forums and networks.

1. Compromised Email Credentials

Email accounts often contain (or can provide) a trove of sensitive information, such as password reset links, two-factor authentication codes, and financial records. If an attacker gains access to your email, they can impersonate you, reset passwords on your other online accounts, and intercept security notifications—enabling them to compromise nearly any other account you own.

On a cybercrime forum, a user demonstrated how they gained access to an email account through a business email compromise (BEC) attack, which typically involves social engineering tactics like phishing or spear-phishing. They later discovered that the account was connected to a bank that had received over $61 million to date. This is a prime example of cross-platform ATO.

Cross Platform ATO 1

By compromising the email account, they were able to access the connected bank account. We can assume that anyone buying this access would then use it to infiltrate the bank and steal the money—likely using the email account to reset the password and/or as a way to intercept MFA codes. Implementing stronger security measures that can immediately detect compromised email accounts, in addition to using hardware security keys and time-based one-time passwords, can significantly reduce cross-platform ATOs that originate from email.

2. Hijacked GitHub Accounts

GitHub is an increasingly attractive target for attackers because it often contains business-sensitive information, like private corporate repositories, API keys, and insights into your overall technology stack.

If you take a look below, you will see that an attacker offered to sell access to GitHub accounts and their associated API keys, claiming that cloud infrastructure was within their reach. If a user purchases access to a GitHub account, there is indeed a high likelihood that the repositories could contain secrets, API keys, or even SSH keys that could be used to compromise infrastructure used by the organization.

Cross Platform ATO 2

From GitHub, the attacker can pivot in several ways to perform a cross-platform ATO. They can access private code repositories to exfiltrate intellectual property and sensitive data, which may include credentials for other accounts or services. Alternatively, they could launch further attacks by modifying source code, potentially affecting downstream applications or services that rely on the compromised GitHub repository.

3. Compromised AWS Credentials

Cloud infrastructure like Amazon Web Services (AWS) has become an important component of business operations, making cloud credentials a prime target for attackers looking to gain access into an organization. With AWS access, an attacker can spin up new resources, access sensitive data stored in S3 buckets or RDS databases, and even pivot to other connected services.

Looking at the screenshot below, a user offered corporate AWS access, with some accounts spending as much as $50,000 per month on infrastructure and operations. They stated that it's possible to ransom a company if the customer possesses the knowledge to navigate AWS; unfortunately, this is completely accurate.

Cross Platform ATO 3

It’s also important to note that users frequently share information on how to escalate privileges from compromised AWS accounts, going from simple AWS compromise to EC2 server access, S3 bucket access, and more.

Cross Platform ATO 4

If you take a look above, you will find an example of text on a cybercrime forum where a rather detailed process is shared that explains how to go from basic AWS access to complete infrastructure takeover.

4. Stolen Slack Credentials

Slack has become a ubiquitous communication and collaboration tool for many organizations, and attackers recognize the value of compromising Slack accounts, as they can provide a gateway to sensitive corporate data and connections to other systems. In fact, this is exactly how EA Sports was compromised a few years ago—ultimately resulting in key sections of FIFA 2021 being released to the public.

Cross Platform ATO 5

In a thread on a cybercrime forum, one user claimed to have compromised a Slack account, compiled contact information for HR and finance teams, and received access to all company documents.

Although they were seeking assistance in monetizing this access, the reality is that they could easily use that insider knowledge to conduct cross-platform account takeover to another valuable application. They could social engineer a victim on Slack using techniques like pretexting or baiting or use insider knowledge obtained from chat logs and documents to create highly targeted phishing emails to other employees and gain access to their accounts.

Additionally, if the compromised account had Slack app integrations with appropriate permissions, the attacker could potentially gain access to other connected services, such as GitHub repositories, Jira tickets, or Google Drive documents.

Cross-Platform Account Takeover Protection

Don't let a single compromised account be the gateway to a devastating breach. Take action now to protect your organization from cross-platform ATO attacks.

Abnormal's Cloud Account Takeover solution is your first line of defense against these threats. Our advanced AI-native platform seamlessly integrates with the cloud and SaaS applications your organization uses daily, offering centralized visibility and control over user activities, roles, and permissions. By building a behavioral baseline for each user, Abnormal's AI continuously monitors authentication events and notable activities, detecting anomalies that indicate potential account takeovers.

When suspicious activities are detected, Abnormal quickly secures compromised accounts by blocking access, resetting passwords, and logging out active sessions. This rapid response significantly reduces remediation time and transforms the way security teams protect cloud identities.
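As an added illustration of the detection idea described above (constructed example code, not Abnormal's product or its internals), the following Python builds a per-user sign-in baseline and flags the cross-platform pattern this article is about: an anomalous sign-in to one platform followed shortly by sign-ins to other platforms from the same never-before-seen context. The event fields, the user, and all values are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events for illustration only (not real telemetry).
# Each record: user, platform, ts (ISO 8601, UTC), country, ua (client family).
BASELINE_EVENTS = [
    {"user": "alice", "platform": "email", "ts": "2024-07-01T09:02:00", "country": "US", "ua": "Chrome/macOS"},
    {"user": "alice", "platform": "github", "ts": "2024-07-01T09:10:00", "country": "US", "ua": "Chrome/macOS"},
]
NEW_EVENTS = [
    {"user": "alice", "platform": "email", "ts": "2024-07-20T03:12:00", "country": "NG", "ua": "Firefox/Windows"},
    {"user": "alice", "platform": "aws", "ts": "2024-07-20T03:40:00", "country": "NG", "ua": "Firefox/Windows"},
    {"user": "alice", "platform": "github", "ts": "2024-07-20T04:05:00", "country": "NG", "ua": "Firefox/Windows"},
    {"user": "alice", "platform": "email", "ts": "2024-07-22T09:01:00", "country": "US", "ua": "Chrome/macOS"},
]

def build_baseline(events):
    """Per user: the (country, client) pairs and the platforms seen during normal activity."""
    base = defaultdict(lambda: {"ctx": set(), "platforms": set()})
    for e in events:
        base[e["user"]]["ctx"].add((e["country"], e["ua"]))
        base[e["user"]]["platforms"].add(e["platform"])
    return base

def is_anomalous(event, baseline):
    """A sign-in is anomalous when its (country, client) pair was never seen for this user."""
    b = baseline.get(event["user"])
    return b is None or (event["country"], event["ua"]) not in b["ctx"]

def detect_pivots(events, baseline, window=timedelta(hours=2)):
    """Cross-platform ATO pattern: anomalous sign-in, then other platforms from the same unseen context."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts, consumed = [], set()
    for i, first in enumerate(events):
        if i in consumed or not is_anomalous(first, baseline):
            continue
        t0, ctx = datetime.fromisoformat(first["ts"]), (first["country"], first["ua"])
        followed = {}  # platform -> index of the follow-on sign-in
        for j, later in enumerate(events[i + 1:], start=i + 1):
            if later["user"] != first["user"]: continue
            if datetime.fromisoformat(later["ts"]) - t0 > window: break  # sorted, so stop here
            if later["platform"] != first["platform"] and (later["country"], later["ua"]) == ctx:
                followed[later["platform"]] = j
        if followed:
            consumed.update(followed.values())  # do not re-report the chain from its later links
            known = baseline[first["user"]]["platforms"] if first["user"] in baseline else set()
            alerts.append({"user": first["user"], "entry": first["platform"], "ts": first["ts"],
                           "pivoted_to": sorted(followed), "never_seen_before": sorted(set(followed) - known)})
    return alerts
```

In practice the baseline would be built from weeks of identity-provider and SaaS audit logs, and the `never_seen_before` field is the signal that a compromised account is being used to reach platforms the user has not touched before.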

Interested in learning more about how Abnormal protects your organization from cross-platform account takeovers? Schedule a demo today!
