Mitigating the Growing Threat of Account Takeover Attacks in 2024
Account takeover (ATO) attacks have quickly risen to the top of the list of critical cyberthreats facing organisations today. Abnormal Security’s State of Cloud Account Takeover Attacks 2024 report reveals that over 60% of UK security leaders now rank ATOs among their top four concerns. This increased focus on account takeovers even surpasses the notorious threats of ransomware and spear phishing.
In an era where ATO attacks are becoming more sophisticated and frequent, it is imperative to understand the underlying factors driving this increase and what strategies organizations can employ to defend against them.
CISO of Abnormal Security.
What trends and developments have you observed in ATO attacks over the past year, particularly in terms of their frequency and impact on organizations?
Account takeover attacks are rapidly increasing in both frequency and severity. Attackers are increasingly focusing on account takeover attacks because gaining access to an account can immediately expose sensitive corporate or customer data, enable financial theft, and allow them to launch further attacks or move laterally within a network.
A study found that ATO attempts would increase by 427% in 2023 alone, highlighting their growing risk and potential to create significant financial losses for businesses. Given the destructive potential of ATOs, it’s no surprise that most security leaders rank these attacks among their top cyber threats.
These concerns are mostly based on experience – in fact, 75% of UK organisations we surveyed reported experiencing at least one ATO attack in the past year, with over a third experiencing more than five incidents. Some unlucky businesses were hit more than 10 times.
How have cybercriminals adapted their ATO attack tactics with the advent of new technologies like generative AI, and what are the implications for organizations?
Credential phishing is one of the leading culprits behind account takeovers, and the proliferation of generative AI tools over the past year has only exacerbated this problem, ultimately making ATO attacks much easier to execute. With the right prompts, generative AI can craft phishing emails that are nearly indistinguishable from authentic content. Tools like ChatGPT can create convincing and realistic phishing campaigns in seconds, increasing the effectiveness of social engineering tactics and increasing the likelihood that targets will give up their credentials.
Advanced threat actors have even gone so far as to create their own generative AI platforms, such as WormGPT and FraudGPT. Many are also finding ways to “jailbreak” ChatGPT, bypassing its protections against generating malicious content using carefully crafted prompts, known as “jailbreak prompts.”
The DAN (Do Anything Now) prompt and the Translator Bot prompt are notable examples. The DAN prompt manipulates ChatGPT to generate restricted content by roleplaying as an unrestricted AI. The Translator Bot prompt bypasses filters by framing inappropriate content as a translation task.
AI-generated phishing attacks are so dangerous because they are extremely difficult to detect. Normally, you would look for strange language, misspellings or grammatical errors, robotic tone, and other contextual indicators. With generative AI, however, attackers can create large amounts of convincing, human-like content.
As cybercriminals become increasingly successful with credential phishing attacks, this could lead to more instances of account takeover, underscoring the importance of comprehensive email security.
What are the top concerns of security leaders regarding account takeovers? Why are these attacks considered one of the biggest cybersecurity threats today?
The biggest concern about ATO attacks is their potential for extremely damaging consequences, including compromised customer privacy, compliance, data security, brand reputation, and operational integrity. It’s no surprise then that nearly all security stakeholders we surveyed agreed that preventing account compromise is a top priority.
ATO is particularly insidious because it places trusted contacts directly in the firing line. If cybercriminals can gain access to the account details of a trusted executive or supplier, this could not only expose sensitive information, but could also allow the attacker to make fraudulent financial transactions under the guise of their compromised victim. This means the scale of the damage is enormous.
These attacks are also alarming because they can occur via a variety of attack methods – not just email-based credential phishing, but also SMS and voice phishing, as well as more sophisticated tactics such as session hijacking via stolen or forged authentication tokens. The stealth nature of ATOs means they can go undetected for months, increasing their potential damage.
MFA is a widely used security measure, so why are some skeptical when it comes to ATO attacks?
Multi-factor authentication (MFA) has become a standard security enhancement and is recommended by government regulations such as NIST. While MFA can reduce the risk of account compromise, it is not bulletproof and is therefore subject to some skepticism. Our research found that only 37% of security leaders are confident in MFA’s ability to protect against ATOs.
One reason for this hesitation is the rise of MFA bypass tactics. Cybercriminal groups such as Robin Banks and EvilProxy are now offering MFA bypass kits for sale, which allow attackers to hijack active authentication sessions with stolen MFA tokens. This makes it easier for even less experienced hackers to bypass MFA protections. High-profile incidents such as the SolarWinds attack have demonstrated the vulnerabilities of MFA.
Research has shown a significant increase in MFA bypass attacks. A study by Kroll Advisory found that 90% of successful business email compromise attacks even occurred with MFA in place. These findings highlight that while MFA is a critical security measure, it does not provide complete protection against account takeover attacks on its own, requiring additional layers of security.
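The session-hijack mechanism behind the MFA bypass kits mentioned above, and one server-side check that catches the common form of it, as an added example (not Abnormal Security's code or any vendor's). The relay proxy forwards the victim's password and one-time code to the real site, so both factors pass; what the kit walks away with is the session cookie the site issues. The check below binds each cookie to the network and client that completed login and revokes it the moment it turns up anywhere else. The ASN labels, user names and User-Agent strings are constructed, and "ASN" stands in for whatever source-network attribute the application can actually see on each request.

```python
"""Detect replay of a session cookie captured by an attacker-in-the-middle (AiTM)
phishing relay. Added illustration; the scenario and all identifiers are constructed."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    asn: str          # source network the cookie was issued to
    ua_hash: str      # fingerprint of the User-Agent that completed login + MFA
    revoked: bool = False


def ua_fingerprint(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode()).hexdigest()[:16]


class SessionStore:
    """Binds each cookie to the context it was issued in and re-checks it per request."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.alerts: list[str] = []

    def login(self, user: str, password_ok: bool, otp_ok: bool,
              asn: str, user_agent: str) -> Optional[str]:
        # Both factors are exactly what the relay forwards, so they pass here.
        if not (password_ok and otp_ok):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user, asn, ua_fingerprint(user_agent))
        return cookie

    def authorize(self, cookie: str, asn: str, user_agent: str) -> bool:
        s = self.sessions.get(cookie)
        if s is None or s.revoked:
            return False
        if s.asn != asn or s.ua_hash != ua_fingerprint(user_agent):
            # A valid cookie arriving from a network or client other than the one it
            # was issued to is the signature of replay: revoke it so the real user has
            # to re-authenticate, and raise an alert for the SOC.
            s.revoked = True
            self.alerts.append(f"{s.user}: cookie issued to {s.asn} replayed from {asn}")
            return False
        return True


def simulate_aitm() -> dict:
    """Constructed scenario: victim logs in through the relay; attacker reuses the cookie."""
    store = SessionStore()
    victim_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"
    # 1. The kit relays the victim's password and OTP, so the real site issues a cookie.
    #    The site sees the relay's network and the User-Agent the relay forwarded.
    cookie = store.login("a.lee", True, True, "AS-RELAY-HOST", victim_ua)
    # 2. The operator imports the captured cookie into a browser on another host.
    from_attacker_box = store.authorize(
        cookie, "AS-ATTACKER-VPS", "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0")
    # 3. The cookie is now revoked, so even the original context is rejected.
    after_revocation = store.authorize(cookie, "AS-RELAY-HOST", victim_ua)
    # 4. Limitation: a kit that keeps using the cookie from the relay itself, with the
    #    forwarded User-Agent, matches the bound context and passes this check alone.
    cookie2 = store.login("a.lee", True, True, "AS-RELAY-HOST", victim_ua)
    from_relay = store.authorize(cookie2, "AS-RELAY-HOST", victim_ua)
    return {"from_attacker_box": from_attacker_box,
            "after_revocation": after_revocation,
            "from_relay_same_context": from_relay,
            "alerts": list(store.alerts)}


if __name__ == "__main__":
    for k, v in simulate_aitm().items():
        print(k, v)
```

Two practical caveats. Legitimate users roam between networks (a laptop moving from office Wi-Fi to a mobile hotspot changes its ASN), so most deployments respond to a mismatch with a step-up authentication challenge rather than a hard revocation, and they treat the check as one signal beside others, such as a login arriving from a hosting network the user has never used. And, as step 4 shows, context binding raises the cost of replay without removing it; only an authenticator that binds the credential to the site's origin, so that the relay's domain fails verification at login, stops the relay itself.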
What solutions can help defend against the increasing ATO attacks and in which areas should companies make improvements?
Organizations use a number of strategies to mitigate account compromises, including MFA and encouraging the use of strong passwords or implementing single sign-on (SSO).
While these are important layers of defense that can reduce the risk of account compromise, they cannot eliminate it entirely. Today’s sophisticated cybercriminals are smart enough to find ways to bypass these measures.
Security teams need to combine these controls with additional tools, including technologies that can create full visibility into the cloud ecosystem. Account takeover attacks often involve lateral movement between platforms, so teams need the ability to see, correlate, and analyze behavioral signals across these different applications and platforms. By analyzing these signals against baseline levels of user behavior to identify anomalies, organizations can improve their ability to detect potential account compromises quickly and with confidence.
Automated remediation is also critical, as it allows teams to quickly remove attackers from compromised accounts, such as logging out of all open sessions, blocking access, or resetting a password, before significant damage occurs.
This integrated approach, which provides complete visibility into the cloud application ecosystem and enables automatic remediation, is essential for improving ATO defenses.
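What "correlating behavioral signals across platforms against a per-user baseline, then remediating automatically" looks like in practice, as an added example that is not Abnormal Security's product logic. It assumes sign-in and activity events from the SSO provider, mail and file-storage platforms have already been normalized into one schema (user, platform, timestamp, country, ASN, device, action). The events, ASN labels, device ids and action names below are constructed; the remediation plan is emitted as a list of actions for an orchestration layer to execute, not executed here.

```python
"""Cross-platform behavioral baselining for account-takeover detection, plus an
automated remediation plan. Added illustration; all events and labels are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(user, platform, ts, country, asn, device, action):
    return {"user": user, "platform": platform, "ts": datetime.fromisoformat(ts),
            "country": country, "asn": asn, "device": device, "action": action}


# Two weeks of ordinary activity used to build the per-user baseline (constructed).
HISTORY = [
    ev("a.lee", "sso", "2024-04-22T08:50", "GB", "AS-HOME-ISP", "laptop-7f3a", "sso.login"),
    ev("a.lee", "mail", "2024-04-22T08:52", "GB", "AS-HOME-ISP", "laptop-7f3a", "mail.login"),
    ev("a.lee", "sso", "2024-04-29T09:02", "GB", "AS-CORP", "laptop-7f3a", "sso.login"),
    ev("a.lee", "files", "2024-04-29T14:10", "GB", "AS-CORP", "laptop-7f3a", "files.download"),
    ev("b.okoro", "sso", "2024-04-23T07:58", "ES", "AS-CORP", "laptop-11c2", "sso.login"),
    ev("b.okoro", "files", "2024-04-30T16:30", "ES", "AS-CORP", "laptop-11c2", "files.bulk_download"),
]

# Window under investigation: a.lee signs in normally, then 25 minutes later the same
# account is active from a hosting network on an unknown device and creates a mail
# forwarding rule. b.okoro repeats a bulk download from an entirely familiar context.
RECENT = [
    ev("a.lee", "sso", "2024-05-06T08:55", "GB", "AS-HOME-ISP", "laptop-7f3a", "sso.login"),
    ev("a.lee", "mail", "2024-05-06T09:20", "US", "AS-VPS-HOST", "unknown-ua-91", "mail.login"),
    ev("a.lee", "mail", "2024-05-06T09:24", "US", "AS-VPS-HOST", "unknown-ua-91", "mail.forwarding_rule.create"),
    ev("a.lee", "files", "2024-05-06T09:40", "US", "AS-VPS-HOST", "unknown-ua-91", "files.bulk_download"),
    ev("b.okoro", "sso", "2024-05-06T10:00", "ES", "AS-CORP", "laptop-11c2", "sso.login"),
    ev("b.okoro", "files", "2024-05-06T10:05", "ES", "AS-CORP", "laptop-11c2", "files.bulk_download"),
]

ATTRS = {"country": 2, "asn": 1, "device": 1}    # weight per never-before-seen value
SENSITIVE = {"mail.forwarding_rule.create", "files.bulk_download", "sso.mfa_method.add"}
TRAVEL_WINDOW = timedelta(hours=1)                # country change faster than this is flagged
ALERT_THRESHOLD = 6


def build_baseline(events):
    base = defaultdict(lambda: {a: set() for a in ATTRS})
    for e in events:
        for a in ATTRS:
            base[e["user"]][a].add(e[a])
    return base


def score_user(user, events, baseline):
    base = baseline.get(user) or {a: set() for a in ATTRS}
    seen = {a: set() for a in ATTRS}   # novel values already counted in this window
    score, reasons, sensitive, last = 0, [], [], None
    for e in sorted(events, key=lambda x: x["ts"]):
        for a, w in ATTRS.items():
            if e[a] not in base[a] and e[a] not in seen[a]:
                seen[a].add(e[a])
                score += w
                reasons.append(f"{e['platform']}: unseen {a} {e[a]}")
        if last and e["country"] != last["country"] and e["ts"] - last["ts"] < TRAVEL_WINDOW:
            score += 3
            minutes = (e["ts"] - last["ts"]).seconds // 60
            reasons.append(f"{last['country']}->{e['country']} in {minutes} min")
        # A sensitive action only aggravates when earlier signals already look anomalous;
        # this keeps b.okoro's routine bulk download from a known context at zero.
        if e["action"] in SENSITIVE and score > 0:
            score += 3
            sensitive.append(e["action"])
            reasons.append(f"{e['platform']}: {e['action']} after anomalous sign-in")
        last = e
    return {"score": score, "reasons": reasons, "sensitive": sensitive}


def remediation_plan(user, finding):
    if finding["score"] < ALERT_THRESHOLD:
        return []
    plan = [f"revoke_all_sessions {user}", f"block_sign_in {user}", f"reset_password {user}"]
    if "mail.forwarding_rule.create" in finding["sensitive"]:
        plan.append(f"delete_forwarding_rules {user}")   # undo the attacker's persistence
    return plan


def investigate(history=HISTORY, recent=RECENT):
    baseline = build_baseline(history)
    by_user = defaultdict(list)
    for e in recent:
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        f = score_user(user, evs, baseline)
        f["plan"] = remediation_plan(user, f)
        findings[user] = f
    return findings


if __name__ == "__main__":
    for user, f in investigate().items():
        print(user, f["score"], f["plan"])
        for r in f["reasons"]:
            print("  -", r)
```

The point of the cross-platform view is visible in the a.lee finding: the SSO login, the mail login, the forwarding rule and the bulk download each look unremarkable to the platform that recorded it, and only correlating them against the user's own history produces a score that justifies acting. Each new attribute value is counted once per window so that a long attacker session does not inflate the score through repetition, and the forwarding-rule cleanup is included because revoking sessions and resetting the password leaves that persistence mechanism in place.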
This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of TechRadarPro or Future plc.