What to Do After an Account Takeover
Account takeover (ATO) is a common and consistently damaging attack in which a malicious actor gains control of a legitimate user's account and uses it to reach the organization's sensitive data. These attacks are often financially devastating: IBM reports that the average breach caused by stolen credentials costs organizations upwards of $4.62M.
Here, we'll explore why account takeovers work, walk through a real-world example, discuss how to detect and remediate account takeovers, and explain how Abnormal approaches the issue. With this knowledge, businesses and individuals can better protect themselves from the devastating effects of account takeovers.
Why Account Takeovers Work
Account takeovers happen in a variety of ways: session hijacking through theft or forgery of authentication tokens or cookies, traditional phishing, social engineering, credential stuffing with passwords leaked from other breaches, and SMS or voice phishing (smishing and vishing, respectively). At their core, however, account takeovers are usually enabled by a combination of attacker technique and weak controls on the defender's side, such as password reuse, missing or phishable multi-factor authentication, and long-lived sessions that survive a password change.
Once attackers control a user's email account, they can use it to send malicious messages (internal phishing and business email compromise from a trusted sender), exfiltrate confidential data, or pivot to other applications that trust the account through SSO or that send password resets to that mailbox. This means an attacker can cause significant damage in a short period of time if the right security measures aren't in place. By understanding why account takeovers work and taking steps to prevent them, businesses and individuals alike can better protect themselves from fraudsters who exploit weak security systems for their own gain.
Example of an Account Takeover
Account takeovers can affect even the most secure organizations, often due to the simplest misconfiguration or oversight.
Take Tesla, for example: researchers discovered a vulnerability in one of Tesla's internal applications. The Tesla Retail Tool (TRT) stores sensitive financial and administrative data, and once an employee leaves Tesla, that user's email is deactivated, so it is assumed they can no longer access the account.
However, the researchers found that the deactivated addresses of past employees still existed in Tesla's network. Further, they discovered that anyone could use a corporate Tesla email address to externally register for access to the TRT, meaning that these non-employee researchers, with nothing more than the dormant address of a past employee, could register as a TRT user, access the application, and effectively take control of that account.
While the Tesla case is not entirely centered on email, the moral is that even the most benign bit of data (in this case a corporate email address without a password) can be used to execute an account takeover. The underlying gap is often a lack of security visibility into the behaviors that indicate an account takeover has, in fact, occurred: here, a deactivated address being re-registered and then used.
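The flaw described above is a self-registration flow that trusts the e-mail domain alone. The following is an added illustration, not Tesla's code or the TRT's: it places that domain-only check beside a hardened version that also requires the account to be enabled in the identity directory and requires proof of control of the mailbox. The domain, the directory contents and the two users are hypothetical, and the directory is a constructed in-memory dictionary standing in for a real identity provider lookup.

```python
"""Self-registration gated on e-mail domain alone, beside the same flow gated on
directory status plus a one-time token that only a live mailbox can receive.
Added example code; CORP_DOMAIN, DIRECTORY and the user names are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

CORP_DOMAIN = "example.com"  # hypothetical corporate domain


@dataclass
class DirectoryUser:
    enabled: bool  # offboarding disables the account, but the address may still resolve


# Constructed identity directory: one active employee and one offboarded employee
# whose address still exists (the situation the researchers found).
DIRECTORY: Dict[str, DirectoryUser] = {
    "dana@example.com": DirectoryUser(enabled=True),
    "former@example.com": DirectoryUser(enabled=False),
}


def register_by_domain(email: str) -> bool:
    """Vulnerable: any address in the corporate domain is accepted, dormant ones included."""
    return email.lower().endswith("@" + CORP_DOMAIN)


_pending: Dict[str, str] = {}  # email -> outstanding one-time verification token


def start_registration(email: str) -> Optional[str]:
    """Hardened step 1: domain check, then directory lookup, then the account must be
    enabled. Only then is a token issued. Returns None when registration is refused."""
    email = email.lower()
    if not email.endswith("@" + CORP_DOMAIN):
        return None
    user = DIRECTORY.get(email)
    if user is None or not user.enabled:
        return None
    token = secrets.token_urlsafe(32)
    _pending[email] = token
    # In a real flow the token is e-mailed to `email` and never returned to the
    # registrant; it is returned here only so the example can be exercised offline.
    return token


def complete_registration(email: str, presented: str) -> bool:
    """Hardened step 2: the registrant must present the token that went to the mailbox.
    The token is single-use and compared in constant time."""
    expected = _pending.pop(email.lower(), None)
    return expected is not None and hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    print("domain-only accepts former employee:", register_by_domain("former@example.com"))
    print("hardened refuses former employee:", start_registration("former@example.com") is None)
```

The second check (an enabled directory account) closes the gap the page describes; the token step additionally defeats anyone who can guess a valid address but cannot read mail sent to it, which is the usual situation for a deactivated mailbox.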
An Effective Account Takeover Response
Let’s consider a hypothetical: you’ve discovered a compromised account. You don’t know how long it’s been compromised. You don’t know what that user has accessed. You need to investigate. What do you do?
An effective account takeover response is essential for businesses and individuals to protect themselves from further damage—and assess any damage that has already been incurred. There are several steps that can be taken to ensure an effective response:
Notify affected users: When a breach has occurred, notify affected users immediately and give them clear instructions on what to do next. Send those notifications over a channel the attacker does not control; a message to the compromised mailbox is read by the attacker first.
Reset passwords and revoke sessions: Reset any compromised passwords immediately. A password reset alone does not end a live session, so also revoke the user's active sessions and refresh tokens, and re-enroll multi-factor authentication, since an attacker who has registered their own MFA device or app password otherwise survives the reset. Check any other accounts that share the credential.
Monitor accounts: Monitor user accounts for suspicious activity and report unusual behavior immediately. This includes login attempts from unknown locations or devices, large unauthorized transfers out of accounts, and the changes an attacker makes to keep access, such as inbox rules that forward or delete mail, newly registered MFA devices, and OAuth application consents.
Educate users: Educate all users on best practices for creating secure passwords and protecting personal information, such as not reusing the same password across multiple sites, not writing passwords down in plain sight, and enrolling in MFA where it is offered.
Monitor network traffic: Finally, monitor your network for malicious traffic connected with the attack, such as phishing campaigns sent from the compromised account to other employees, or malware downloads delivered through it, either of which causes further damage if left unchecked.
By following these tactics, businesses can help protect themselves from further damage caused by account takeovers while also ensuring their customer data remains safe from unauthorized access.
Detecting and Blocking Account Takeovers
Ideally, though, in this era of AI-based security, and with a cybersecurity skills gap limiting the time and resources security teams can spare for manual investigation and remediation, the most effective way to carry out the steps above is with a security solution that automates detection and remediation and provides contextual insights to aid investigation.
Abnormal utilizes various AI models and methodologies when detecting account takeover attempts. Through the ingestion of thousands of behavioral signals, Abnormal determines a baseline of behavior for all employees in your organization—from typical devices and IP addresses to login locations, communication patterns, and whether a user has elevated account privileges or made changes to conditional access policies. Abnormal then builds a comprehensive behavioral case timeline and automatically remediates when an account takeover is positively detected.
Abnormal not only detects deviations from normal behavior but determines the severity of an account compromise, building a comprehensive Abnormal Case that can be used for further investigation.
“I really like the account compromise feature that auto-detects threats and locks users out of those mailboxes. That was the real cherry on top for me because it gives me peace of mind that not only is Abnormal blocking all the attacks, but also that if one actually succeeded, Abnormal auto-remediates that mailbox.” — Jim Robinson, CIO, SuperConcepts
Through this extensive detection and automated remediation, Abnormal can identify the initial signs of compromise, help determine when an attacker is attempting to establish persistence, and immediately block access to the compromised account.
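The behavioral baselining described in this section, and the "monitor accounts" step of the response list above, can be shown concretely on a handful of sign-in and mailbox audit events. The block below is an added example and is not Abnormal's code: it learns each user's known countries and devices from a clean period, flags later logins that come from a new country or device or that imply impossible travel, then flags persistence actions (inbox rules, MFA device registration, OAuth consents) that follow a suspect login, and assigns a per-user severity. The event schema, the 900 km/h travel threshold, the 24-hour persistence window, the users and the log itself are all constructed for the example; real sign-in logs carry more fields and the baseline would be a rolling window rather than a fixed cut-off.

```python
"""Behavioral sign-in baselining over constructed audit events.
Added example, not Abnormal's code; the schema, thresholds, users and log are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str        # "Login" or a post-login mailbox/identity action
    ip: str
    country: str
    lat: float
    lon: float
    device: str
    detail: str = ""


@dataclass
class Alert:
    user: str
    ts: datetime
    kind: str          # "anomalous_login" or "persistence"
    reasons: List[str]


# Actions an attacker typically takes to keep access after the first login.
PERSISTENCE_ACTIONS = {"CreateInboxRule", "AddForwardingAddress",
                       "RegisterMfaDevice", "GrantOAuthConsent"}
MAX_KMH = 900.0  # faster than this between two logins counts as impossible travel


def km_between(a: Event, b: Event) -> float:
    """Great-circle (haversine) distance between two events' geolocations, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def build_baselines(events, learn_until: datetime):
    """Known countries and devices per user, learned from logins before learn_until
    (assumed clean for the example)."""
    base = defaultdict(lambda: {"countries": set(), "devices": set()})
    for e in events:
        if e.action == "Login" and e.ts < learn_until:
            base[e.user]["countries"].add(e.country)
            base[e.user]["devices"].add(e.device)
    return base


def detect(events, learn_until: datetime,
           persistence_window: timedelta = timedelta(hours=24)) -> List[Alert]:
    base = build_baselines(events, learn_until)
    alerts: List[Alert] = []
    last_login: Dict[str, Event] = {}
    suspect_since: Dict[str, datetime] = {}  # user -> first anomalous login
    for e in sorted(events, key=lambda x: x.ts):
        if e.action == "Login":
            prev = last_login.get(e.user)
            last_login[e.user] = e
            if e.ts < learn_until:
                continue  # learning period: only feeds the baseline and travel check
            reasons = []
            if e.country not in base[e.user]["countries"]:
                reasons.append("new_country")
            if e.device not in base[e.user]["devices"]:
                reasons.append("new_device")
            if prev is not None and prev.country != e.country:
                hours = (e.ts - prev.ts).total_seconds() / 3600
                if hours > 0 and km_between(prev, e) / hours > MAX_KMH:
                    reasons.append("impossible_travel")
            if reasons:
                suspect_since.setdefault(e.user, e.ts)
                alerts.append(Alert(e.user, e.ts, "anomalous_login", reasons))
        elif e.action in PERSISTENCE_ACTIONS:
            since = suspect_since.get(e.user)
            if since is not None and e.ts - since <= persistence_window:
                alerts.append(Alert(e.user, e.ts, "persistence", [e.action, e.detail]))
    return alerts


def severity(alerts: List[Alert]) -> Dict[str, str]:
    """Per-user triage: persistence or impossible travel is high, other deviations medium."""
    out: Dict[str, str] = {}
    for a in alerts:
        high = a.kind == "persistence" or "impossible_travel" in a.reasons
        out[a.user] = "high" if high or out.get(a.user) == "high" else "medium"
    return out


# Constructed sample log (RFC 5737 documentation IPs). alice works from San Francisco;
# on 12 March a Lagos login arrives 90 minutes after hers, followed by mailbox changes.
T = datetime
SF, LAGOS, NYC = (37.77, -122.42), (6.52, 3.38), (40.71, -74.01)
EVENTS = [
    Event(T(2024, 3, 1, 9, 0), "alice", "Login", "203.0.113.10", "US", *SF, "alice-macbook"),
    Event(T(2024, 3, 2, 8, 30), "bob", "Login", "198.51.100.7", "US", *NYC, "bob-thinkpad"),
    Event(T(2024, 3, 5, 9, 5), "alice", "Login", "203.0.113.10", "US", *SF, "alice-macbook"),
    Event(T(2024, 3, 12, 8, 0), "alice", "Login", "203.0.113.10", "US", *SF, "alice-macbook"),
    Event(T(2024, 3, 12, 8, 45), "bob", "Login", "198.51.100.7", "US", *NYC, "bob-thinkpad"),
    Event(T(2024, 3, 12, 9, 30), "alice", "Login", "192.0.2.55", "NG", *LAGOS, "unknown-windows"),
    Event(T(2024, 3, 12, 9, 41), "alice", "CreateInboxRule", "192.0.2.55", "NG", *LAGOS,
          "unknown-windows", "forward all mail to external address"),
    Event(T(2024, 3, 12, 9, 50), "alice", "RegisterMfaDevice", "192.0.2.55", "NG", *LAGOS,
          "unknown-windows", "authenticator app added"),
]
LEARN_UNTIL = T(2024, 3, 10)

if __name__ == "__main__":
    found = detect(EVENTS, LEARN_UNTIL)
    for a in found:
        print(a.ts, a.user, a.kind, a.reasons)
    print(severity(found))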
Interested in learning more about how Abnormal protects you from account takeovers? Schedule a Demo today!