Preventing ATO (Account Takeover) Attacks, Part 3: Defeating Phishing

  • Link11-Team
  • June 18, 2024


Account takeovers (ATOs) are a form of cyberattack where a hacker gains control of existing user accounts. Successful ATOs can result in a wide variety of catastrophic outcomes. When customer accounts are compromised, attackers can commit various forms of fraud, which on a large scale can cause reputational damage, merchant account problems, and compliance issues. When internal user accounts are hijacked, the potential consequences are even more destructive, including system breaches, data exfiltration, and ransomware installation.

In this series of articles, we’re discussing how to protect against account takeover attacks. Part 1 gave an overview of ATOs, including the types of attacks and the basics of ATO detection. In Part 2, we took an in-depth look at MFA (Multi-Factor Authentication), which secures accounts with extra protection such as one-time passcodes.

In this article, we continue our examination of ATO prevention by discussing countermeasures for one of the most important ATO vectors: phishing.

Protecting Your Organization from Phishing

Phishing is a form of social engineering that deceives users into performing harmful actions. The attacker’s goals can vary, including tricking users into revealing sensitive information or even installing malware. In this article, we’ll focus on campaigns that are designed to result in ATOs.

Phishing is one of the most common, and most dangerous, cyberthreats today. SlashNext’s 2022 State of Phishing report found that there were over 255 million attempted phishing attacks within a six-month period. Anyone can be affected; research from the UK’s Office for National Statistics shows that adults aged 25 to 44 years receive the most phishing messages, with those between 35 and 44 the most likely to click on them.

Phishing can take many different forms. Some campaigns are targeted at specific individuals, while others use a “wide net” approach and send malicious correspondence to as many users as possible. According to Verizon’s 2022 Data Breach Investigations Report, 96% of phishing attacks begin with an email, but other channels including phone, SMS, and lookalike website domains are also used.

These attacks can be highly sophisticated, and can sometimes fool users who believe they follow good security practices. Phishing has been responsible for some of the biggest known cyberattacks that have led to ATOs, including the 2014 breach of Sony Pictures. (The criminals sent phishing emails purporting to be from Apple to top Sony executives, directing them to a bogus login site that captured their credentials.)

Four Layers of Defense Against Phishing

Anti-phishing measures can be divided into four categories:

  • Filtering phishing messages so they do not reach their intended recipients
  • Educating users so that they are not deceived by the messages that evade filtering
  • Preventing users who were deceived from taking harmful actions
  • Mitigating damage when the above three steps fail

For securing internal user accounts, these are all important; for external customers, the third and fourth categories are the most relevant. A robust security posture will include measures in all four categories.

Filtering phishing messages

In the last few years, communication service providers have improved their abilities to suppress malicious messages. Much of this has been driven by consumer outcry; for example, in many countries, telecom companies block or flag large percentages of automated calls or bulk texting campaigns.

For organizations, as noted earlier, the largest problem is email. Here too the situation is improving. Many enterprise-grade email solutions, such as Gmail’s advanced automated scans, can identify suspicious content before it’s delivered to the user. The message can then be quarantined, moved to spam, or highlighted as untrustworthy in the user’s inbox.

If your organization is not currently taking advantage of these capabilities, it should be. Automated phishing detection and suppression is a low-risk and high-impact way to significantly improve your security posture.

Educating users about phishing

Automated filtering will block obvious phishing campaigns, but it will not always detect more sophisticated efforts. This is where user education is crucial.

Organizational employees, contractors, and other users should receive regular training on email hygiene, recognition of social engineering tactics, and related topics. Although some modern phishing attempts can be difficult to spot, there are usually some indicators that can reveal an email’s authenticity, or lack of it. Typos, vague instructions, and unrecognized “from” addresses are often signs that a message is not genuine.

As many executives can attest, developing an effective anti-phishing training program can be challenging, because people will respond differently, and will behave with varying levels of diligence. Organizations such as CISA (the U.S. Cybersecurity & Infrastructure Security Agency) provide training materials that can be helpful. Another good resource is phishing.org.

Preventing deceived users from taking action

Filtering will not necessarily block all phishing messages, and education will (unfortunately) not always succeed in preventing users from being deceived. Therefore, it’s important to try to prevent users from taking harmful actions.

For example, employees should be required to use a password manager for work accounts. A password manager offers saved credentials only on the site they were saved for (it compares the domain or origin of the page with the one stored alongside the credential), so on a malicious site that is spoofing a legitimate one, autofill stays silent. This will not stop a user from typing the credentials in manually, but with proper training the missing autofill should at least serve as an alert that something is wrong.
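The origin check behind that behaviour, as an added example (illustrative code written for this article, not any password manager’s implementation). It assumes strict matching on scheme, host and port; some products match on the registrable domain instead, which is looser but follows the same idea. Hosts are compared in their ASCII (punycode) form so that a Unicode look-alike can never compare equal to the genuine name. The saved credential and the candidate pages are constructed for the example.

```python
"""Origin matching as a password manager's autofill does it (illustrative
code, not any product's implementation). Credentials are keyed to the exact
origin they were saved for: scheme, host and port. A spoofed site on another
domain, a look-alike Unicode host, or a plain-http downgrade of the real host
does not match, so nothing is offered."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, ascii_host, port) for an http(s) URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        # Compare hosts in ASCII (punycode) form so that a host spelled with
        # a Cyrillic 'о' can never compare equal to the Latin spelling.
        host = parts.hostname.encode("idna").decode("ascii").lower().rstrip(".")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except (UnicodeError, ValueError):
        return None
    return (parts.scheme, host, port)


def autofill_allowed(saved_url: str, page_url: str) -> bool:
    """True only when the page's origin equals the saved credential's origin."""
    saved, page = normalize_origin(saved_url), normalize_origin(page_url)
    return saved is not None and saved == page


# Constructed cases: one saved credential, several pages the user might land on.
SAVED = "https://login.microsoft.com/"
PAGES = {
    "https://login.microsoft.com:443/common/oauth2": True,   # same origin, default port
    "https://micro-soft.com/login": False,                   # look-alike domain
    "https://login.microsoft.com.evil.test/": False,         # real name as a subdomain
    "http://login.microsoft.com/": False,                    # plain-http downgrade
    "https://login.micrоsoft.com/": False,                   # Cyrillic 'о' homoglyph
}

if __name__ == "__main__":
    for page, expected in PAGES.items():
        result = autofill_allowed(SAVED, page)
        assert result == expected, page
        print(f"{'fill' if result else 'silent':6} {page}")
```

The last two cases are the ones training should emphasise: the page looks right to a human, and only the manager’s silence gives it away.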

Overall, your organization should define clear internal policies that keep sensitive information from being disclosed over the channel an attacker controls. For example, users should be forbidden from sharing credentials over email, and sensitive requests such as payment approvals must be verified out of band, by contacting the requester through a separate, known channel (in person, or by a phone or video call to a number already on file rather than one supplied in the message). This helps thwart attacks such as CEO fraud, in which the attacker impersonates a senior member of the organization to request payments or credentials; the technique relies on the user feeling pressured to fulfill the request even when they recognize it is unusual.

A recommended action plan for the above

CISA suggests a four-step approach when implementing technological counter-phishing systems:

  1. Use your email provider and client applications to filter and scan incoming emails in real time. Set up authorized sender lists, rewrite hyperlinks into plain text (so users can easily see their destination), and ban the use of potentially problematic file extensions such as executables and compressed archives.
  2. Use outbound web protection systems to prevent user access to malicious sites. You can integrate these filters at the network level by using DNS rules. This lets you prevent connections to known malicious sites, domains with a low reputation score, or domains with suspicious characteristics such as similarity to a major property (e.g. micro-soft.com instead of microsoft.com).
  3. Harden user-facing client software by mandating the use of authorized browsers, email apps, and operating systems, kept up to date. This reduces the chance that attackers exploit known weaknesses in outdated or unpatched platforms.
  4. Provide host-level protection for user devices. Install and update signature- and behavior-based malware detection solutions that are capable of detecting anomalous activity in real time. Ensure the security solutions built into your platforms, such as Windows Defender real-time protection, are activated at all times.
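Steps 1 and 2 above, as an added example (illustrative code written for this article, not CISA’s or any vendor’s): ban risky attachment extensions, rewrite HTML links so the real destination is visible as plain text, and score link domains against a protected-domain list for look-alikes. Unlike a password manager, which needs an exact match, a filter has to catch near-misses, so the comparison here is deliberately fuzzy: hyphens stripped, common confusables folded, a one-character edit tolerated. The registrable-domain rule (last two labels) and the confusable table are simplifying assumptions; a production filter would consult the Public Suffix List and a full confusables table. The sample message is constructed.

```python
"""Inbound-mail checks for attachments and links (illustrative code, not
CISA's or any product's). Bans risky attachment extensions, rewrites anchors
to 'text [destination]', and flags link domains that imitate protected ones."""
import re
from html import unescape
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

BANNED_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "msi",
              "zip", "rar", "7z", "iso", "img"}
# Assumed confusable folding; a real filter would use a full confusables table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", "")]
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def attachment_banned(filename: str) -> bool:
    """True if any extension in the name is banned ('invoice.pdf.exe' counts)."""
    return any(ext in BANNED_EXT for ext in filename.lower().split(".")[1:])


def rewrite_links(html: str) -> str:
    """Turn <a href=X>text</a> into 'text [X]' so users see where a link goes."""
    def repl(m):
        text = re.sub(r"<[^>]+>", "", m.group(2)).strip()
        return f"{text} [{unescape(m.group(1))}]"
    return ANCHOR.sub(repl, html)


def link_hosts(html: str) -> List[str]:
    return [urlsplit(unescape(m.group(1))).hostname or "" for m in ANCHOR.finditer(html)]


def to_ascii(host: str) -> str:
    try:
        return host.lower().rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return host.lower()


def skeleton(label: str) -> str:
    for a, b in CONFUSABLES:
        label = label.replace(a, b)
    return label


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host: str, protected: Iterable[str]) -> Optional[str]:
    """Return the protected domain that `host` imitates, or None if it is the
    genuine site or unrelated. Registrable domain = last two labels (assumed)."""
    host = to_ascii(host)
    reg = ".".join(host.split(".")[-2:])
    label = reg.split(".")[0]
    protected = list(protected)
    if reg in protected:
        return None
    for p in protected:
        plabel = p.split(".")[0]
        if (f".{p}." in f".{host}."                       # brand buried as a subdomain
                or skeleton(label) == skeleton(plabel)    # micro-soft, rnicrosoft, .co swap
                or (len(plabel) >= 5 and plabel in label)  # microsoft-secure
                or (len(plabel) >= 5 and edit_distance(label, plabel) <= 1)):
            return p
    return None


def scan_message(attachments: Iterable[str], html_body: str, protected: Iterable[str]) -> List[str]:
    findings = [f"banned attachment: {n}" for n in attachments if attachment_banned(n)]
    for host in link_hosts(html_body):
        hit = lookalike(host, protected)
        if hit:
            findings.append(f"look-alike link domain: {host} imitates {hit}")
    return findings


# Constructed sample message.
PROTECTED = ["microsoft.com"]
SAMPLE_ATTACHMENTS = ["Q2-report.pdf", "Invoice_2024.pdf.exe"]
SAMPLE_HTML = ('<p>Your password expires today. '
               '<a href="https://micro-soft.com/login">Sign in to Microsoft 365</a> '
               'or read the <a href="https://www.microsoft.com/security">policy</a>.</p>')

if __name__ == "__main__":
    print(rewrite_links(SAMPLE_HTML))
    for finding in scan_message(SAMPLE_ATTACHMENTS, SAMPLE_HTML, PROTECTED):
        print("FLAG:", finding)
```

The same `lookalike` function can feed the DNS rules of step 2: run it over newly observed domains and add hits to the block or warn list. Tune the substring and edit-distance rules against your own protected list, since short brand labels produce false positives.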

Mitigating the damage when phishing attacks are successful

The measures above will block most phishing attempts. But despite this, it’s still possible that a sophisticated and tightly focused attack will succeed.

Organizations should anticipate and prepare for this possibility. Ideally, the zero trust security model would be implemented across all systems. This is easier said than done, but should still be the goal.

It’s also important to follow and enforce the principle of least privilege, which will limit the amount of potential damage that a compromised account can do.

For customer accounts, ATO mitigation can be challenging, because it’s more difficult to recognize when an attack has succeeded and an attacker has begun masquerading as the legitimate user. Here, it’s important to have a web security solution that includes UEBA (User and Entity Behavioral Analytics), which learns how each account normally behaves (where it logs in from, on which devices, what it does) and flags sessions that deviate from that baseline, especially when they go straight for account-control actions such as changing the password, email address, or payout details.
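A stripped-down version of that behavioral scoring, as an added example (illustrative code written for this article, not a UEBA product): it builds a per-user baseline of previously seen countries, devices and networks from past logins, then scores a new session on how many of those values are new and on whether it performs a sensitive action from that unfamiliar context. The login history, the sessions, the weights and the step-up threshold are all constructed for the example.

```python
"""Behavioural scoring of a customer session (illustrative code, not a UEBA
product): score a session by how many login attributes are new for the user
and whether it performs account-control actions from that unfamiliar context."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SENSITIVE_ACTIONS = {"password_change", "email_change", "payout_change", "mfa_disable"}
ATTRS = ("country", "device", "asn")
STEP_UP_THRESHOLD = 3  # assumed: at or above this, force re-verification


def build_baseline(history: List[Dict[str, str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Per-user sets of previously seen values for each attribute."""
    baseline: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: {a: set() for a in ATTRS})
    for login in history:
        for attr in ATTRS:
            baseline[login["user"]][attr].add(login[attr])
    return baseline


def score_session(session: Dict, baseline: Dict) -> Tuple[int, List[str]]:
    """Return (score, reasons). One point per never-before-seen attribute; a
    sensitive action from an unfamiliar context adds two more, because
    'new device, then change the payout address' is the classic ATO pattern."""
    known = baseline.get(session["user"])
    if known is None:
        return 0, ["no history for user"]
    reasons = [f"new {a}: {session[a]}" for a in ATTRS if session[a] not in known[a]]
    score = len(reasons)
    sensitive = sorted(a for a in session["actions"] if a in SENSITIVE_ACTIONS)
    if sensitive and reasons:
        score += 2
        reasons.append("sensitive action from unfamiliar context: " + ", ".join(sensitive))
    return score, reasons


def needs_step_up(session: Dict, baseline: Dict) -> bool:
    """True when the session should be challenged (re-authentication, MFA, or hold)."""
    return score_session(session, baseline)[0] >= STEP_UP_THRESHOLD


# Constructed login history and candidate sessions.
HISTORY = [
    {"user": "alice", "country": "DE", "device": "dev-a1", "asn": "AS3320"},
    {"user": "alice", "country": "DE", "device": "dev-a2", "asn": "AS3209"},
    {"user": "bob",   "country": "US", "device": "dev-b1", "asn": "AS7922"},
]
SESSIONS = {
    "alice_routine":   {"user": "alice", "country": "DE", "device": "dev-a1", "asn": "AS3320",
                        "actions": ["view_orders"]},
    "alice_selfserve": {"user": "alice", "country": "DE", "device": "dev-a2", "asn": "AS3209",
                        "actions": ["password_change"]},
    "alice_new_phone": {"user": "alice", "country": "DE", "device": "dev-a3", "asn": "AS3320",
                        "actions": ["view_orders"]},
    "alice_hijacked":  {"user": "alice", "country": "NG", "device": "dev-x9", "asn": "AS37148",
                        "actions": ["password_change", "payout_change"]},
}

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for name, s in SESSIONS.items():
        score, why = score_session(s, base)
        print(f"{name:16} score={score} step_up={score >= STEP_UP_THRESHOLD} {why}")
```

Note what the weighting buys: a password change from a known device scores zero (ordinary self-service), a new phone alone scores one (browse freely, no challenge), but a new device combined with a password change reaches the threshold and is challenged. In practice the response to a flag is a step-up check or a hold on the sensitive action, not an outright block, since legitimate users do travel and buy new devices.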

Summary

ATO attacks are on the rise, with 38% of U.S. consumers experiencing a takeover between 2019 and 2021, according to a report from anti-fraud provider GIACT. Cybercriminals find this kind of attack attractive because it’s relatively easy to achieve, can permit information exfiltration or disruption of a company’s activities, and can provide long-term access to privileged capabilities.

In the current threat environment, organizations need more than just a next-gen WAF (Web Application Firewall), DDoS protection, and hostile bot management; they also need specific multi-layer protection against ATO. So far, we’ve discussed MFA and anti-phishing defenses. In the next and final article in this series, we’ll discuss another vital, but often underappreciated, anti-ATO technology: rate limiting.
