5 Unique Ways Hackers Compromise Accounts That Aren’t Phishing

Every single day, multiple cyberattacks and data breaches occur, each using a variety of different methods. You might read an article about cybercriminals gaining access to a bank through a phishing email or exploiting a web application vulnerability listed in the OWASP Top 10.

On cybercrime forums and networks, cybercriminals often discuss techniques that aren't as straightforward as these common methods—and thus, may not be as easy to prevent. Here, we'll look at five of the most commonly discussed account takeover strategies threat actors are exploring today and how you can ensure your organization is protected.

Cybercrime forums and networks have entire sections dedicated to initial access brokers (IABs) or access brokers. These individuals offer entry points into a variety of different enterprises and organizations, from small to medium-sized businesses to national infrastructures. IABs typically gain access through a variety of methods, including brute-forcing common protocols like RDP or SSH for weak account credentials, spear phishing, and credential stuffing.

IABs simplify the account takeover process, allowing even less sophisticated cybercriminals to carry out attacks by providing ready-made access—without the need to compromise accounts themselves. Preventing IABs from obtaining this initial access could disrupt the market for compromised accounts, making it much more challenging for attackers to further infiltrate organizations using the information they received from them.

Applications communicate with each other through application programming interfaces, commonly known as APIs. To access private resources, an API key may be issued. However, these API keys are frequently stored in plaintext format within codebases and can be leaked through exposed repositories.

Attackers then use these stolen API keys to access or steal whatever resources the account has access to and execute account takeovers. API keys can be accidentally exposed through:

• Exposed GitHub repositories
• Exposed S3 buckets
• Exposure through source code

There is even a public website where people can explore exposed buckets and repositories. With the correct search query, anyone can find hundreds of different API keys that have been leaked on the internet.

But of course, this isn't just limited to API keys; in reality, you can find almost anything. API keys are just one of the most popular assets that people search for because a hit usually provides some form of account access.

Once exposed, these API keys are often sold on cybercrime forums.

In the example above, you will notice a number of threads where users are buying or selling API keys. The account takeover risk for enterprises here is high, primarily because enterprises rely heavily on various APIs for their operations—making them more vulnerable to the misuse of these keys.

Cybercriminals will also initiate account takeovers through the use of look-up services. These tools provide access to expansive databases of specific private user information—typically for personal information like social security numbers, credit card information, or even passwords to accounts. These platforms exist for email addresses, cryptocurrency exchanges, and some people even sell access to international and national policing system lookups.

Until recently, one of the most common look-up services was a platform called ssndob.cc, which was eventually shut down; however, replacement services have recently surfaced.

The image above shows one of the look-up services that has replaced SSNDOB.cc. Users will enter any of the victim's details they already have, and if their SSN exists in the database, it will be provided.

SSNDOB.cc gained notoriety because it was incredibly accurate most of the time and could produce impressive results—the replacement service above has not been tested.

It’s important to note that many of these services are scams and don't actually work, but speaking from experience, there are a lot of legitimate look-up services like this which do in fact return valid hits.

In terms of enterprise and business risk, the victims here are typically high net-worth individuals, employees, or business owners. If someone is performing this type of lookup against you, generally speaking, you're being targeted on an individual basis, whereas more widespread attacks like phishing can be sent to thousands of people at a time, making them far less targeted.

One-time password (OTP) panels are also frequently advertised on cybercrime forums. Generally speaking, cybercriminals will provide a target phone number and name. Then the service initiates an automated call, alerting the target about unauthorized activity on their account and prompting them to enter an OTP token generated by their phone's application. The code is then relayed back to the cybercriminal's panel.

In the example above, you will see a feature list for a prominent OTP panel. This specific panel focuses mostly on voice calls. Users can sign up, specify a phishing template, and then have an automated machine call the number that they have entered to capture the OTP.

Some OTP panels are more sophisticated than others, offering a wider range of features designed to trick victims into revealing their passwords. While these methods typically target consumers, they can also be used for business applications—prompting employees to provide access to everything from email accounts to HR platforms.

Relatedly, SIM swapping is another account takeover strategy that's highly targeted and usually targets high net-worth individuals, employees, or business owners. In a SIM swap, attackers transfer the victim's phone number to a new SIM card under their control.

Cybercriminals collaborate to carry out SIM swaps, as indicated by threads on cybercrime forums where users offer or seek SIM swap services for various carriers like AT&T, T-Mobile, and Verizon. These discussions indicate that SIM swapping remains a significant threat.

Sometimes, the collaboration involves corrupt insiders at telecom companies who facilitate the swap, allowing attackers to intercept SMS-based OTPs and take over accounts. Once the swap is complete, the attacker's phone receives all calls and text messages intended for the victim, including one-time passwords for account access.

After a successful SIM swap, the attacker can:

1. Receive and use SMS-based two-factor authentication codes.
2. Reset passwords for various accounts linked to the phone number.
3. Impersonate the victim in communications.
4. Utilize the accounts to steal money, send additional attacks, or move into connected applications.

While the threat of account takeover attacks has always been significant, recent technological advancements have made it easier for cybercriminals to deceive end users into surrendering their credentials. When attackers use these methods (or see success in any other way), the impact can be both widespread and immediately devastating.

Unfortunately, traditional tools that security teams depend on to detect and thwart these attacks are no longer sufficient. The lack of cross-platform visibility and limited control over the full range of enterprise applications highlight the urgent need for a new approach to account takeover detection and remediation.

No matter how cybercriminals get into the account, Abnormal takes a proactive approach to account takeover protection, leveraging advanced machine learning and behavioral analytics to detect unauthorized access to user accounts and automatically remediate them. By continuously monitoring login attempts, user behavior, and email activity, the Abnormal solution can identify anomalies indicative of account compromise, ensuring that compromised accounts are swiftly detected and secured and minimizing the risk of data breaches or other unauthorized activities.

To learn more about how modern security leaders are tackling the challenge of account takeover, download the 2024 State of Cloud Account Takeover Attacks below.