Account takeover (ATO) attacks have swiftly ascended to the top of the list of critical cyber threats confronting organisations today. Abnormal Security’s 2024 State of Cloud Account Takeover Attacks report reveals that over 60% of security leaders in the UK now rank ATOs among their top four concerns. This heightened focus on account takeovers surpasses even the notorious threats of ransomware and spear phishing.
In an era where the sophistication and frequency of ATO attacks are escalating, it’s imperative to understand the underlying factors driving this surge and the strategies organizations can deploy to defend against them.
CISO of Abnormal Security.
What trends and developments have you observed in ATO attacks over the past year, particularly in terms of their frequency and impact on organizations?
Account takeover attacks are rapidly increasing in both regularity and severity. Attackers are concentrating more on account takeover attacks because gaining access to an account can immediately expose sensitive company or customer data, enable financial theft, and allow them to launch further attacks or move laterally within a network.
A study indicates a 427% increase in ATO attempts over 2023 alone, highlighting their growing risk and potential to create substantial financial losses for businesses. Given the destructive potential of ATOs, it’s no surprise that most security leaders consider these attacks among their top cyber threats.
These concerns are usually grounded in experience – in fact, 75% of UK organizations we surveyed reported experiencing at least one ATO attack in the past year, with over a third facing more than five incidents. Some unlucky businesses were hit more than 10 times.
How have cybercriminals adapted their tactics for ATO attacks with the advent of new technologies like generative AI, and what are the implications for organizations?
Credential phishing is one of the key culprits behind account takeovers, and the proliferation of generative AI tools over the last year has only made this problem worse, ultimately making ATO attacks a lot easier to carry out. With the right prompts, generative AI can write phishing emails that are almost indistinguishable from authentic content. Tools like ChatGPT can create convincing and realistic phishing campaigns in seconds, enhancing the effectiveness of social engineering tactics and increasing the likelihood that targets give up their credentials.
Sophisticated threat actors have even gone as far as creating their own generative AI platforms like WormGPT and FraudGPT. Many are also finding ways to “jailbreak” ChatGPT, bypassing its safeguards against malicious content generation using carefully crafted prompts, known as “jailbreak prompts.”
The DAN (Do Anything Now) prompt and the Translator Bot prompt are well-known examples. The DAN prompt manipulates ChatGPT into generating restricted content by roleplaying as an unrestricted AI. The Translator Bot prompt circumvents filters by framing inappropriate content as a translation task.
AI-generated phishing attacks are so dangerous because they’re extremely difficult to detect. Traditionally, you’d look for odd language, spelling or grammar mistakes, robotic tone, and other contextual indicators. However, with generative AI, attackers can create large volumes of convincing human-like content.
As cybercriminals see greater success with credential phishing attacks, this can lead to greater incidents of account takeover, which underscores the importance of comprehensive email security.
What are the primary concerns of security leaders regarding account takeovers? Why are these attacks considered one of the top cybersecurity threats today?
The biggest worry about ATO attacks is their potential for extremely damaging consequences, including compromised customer privacy, compliance, data security, brand reputation, and operational integrity. So, it comes as no surprise that nearly all security stakeholders that we surveyed agreed that preventing account compromises is a top priority.
ATO is particularly insidious because trusted contacts are placed directly in the firing line. If cybercriminals can gain access to the account credentials of a trusted executive or vendor, not only can this expose sensitive information, it can also allow the attacker to make fraudulent financial transactions under the guise of their compromised victim. This means the scope for damage is huge.
These attacks are also alarming because they can occur through a variety of attack methods – not just through credential phishing via email but also SMS and voice phishing, as well as more sophisticated tactics like session hijacking via stolen or forged authentication tokens. The stealthy nature of ATOs means they can remain undetected for months, increasing their potential damage.
MFA is a widely implemented security measure, so why are some skeptical about it when it comes to ATO attacks?
Multi-factor authentication (MFA) has become a standard security enhancement and is recommended by government regulations like NIST. However, while MFA can reduce the risk of account compromise, it is not foolproof, so it has been subjected to some level of skepticism. Our research showed that only 37% of security leaders are confident in MFA’s ability to protect against ATOs.
One reason for this doubt is the rise of MFA bypass tactics. Cybercriminal groups, like Robin Banks and EvilProxy, now offer MFA bypass kits for sale, which allow attackers to hijack active authentication sessions using stolen MFA tokens. This makes it easier for even less experienced hackers to circumvent MFA protections. High-profile incidents, such as the SolarWinds attack, have demonstrated the vulnerabilities of MFA.
Research has shown a significant increase in MFA bypass attacks. A study by Kroll Advisory found that 90% of successful business email compromise attacks occurred even with MFA in place. These findings highlight that while MFA is a crucial security measure, it alone cannot fully prevent account takeover attacks, necessitating additional layers of security.
What type of solutions can help defend against increasing ATO attacks and what areas should businesses improve on?
There are a number of strategies that organizations are using to mitigate account compromise, including MFA and encouraging strong password use or implementing secure sign-on (SSO).
But while these are important layers of defense that can reduce the risk of account compromise, they won’t eliminate it entirely – today’s sophisticated threat actors are savvy enough to find ways around these measures.
Security teams should layer these controls with additional tools, including technologies that can create complete visibility across the cloud ecosystem. Account takeover attacks often involve lateral movement across platforms, so teams need the ability to see, correlate, and analyze behavioral signals across these different applications and platforms. By analyzing these signals against baseline levels of user behavior to identify deviations, organizations can improve their ability to detect potential account compromises rapidly and with confidence.
Auto-remediation is also critical, enabling teams to swiftly remove attackers from compromised accounts – including by signing out of all open sessions, blocking access, or forcing a password reset – before significant damage occurs.
This integrated approach, offering complete visibility across the cloud application ecosystem, with automatic remediation, is essential for enhancing ATO defenses.
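As an added illustration of the layered approach described in this answer (example code written for this page, not Abnormal Security's product and not code from the interview), the Python below builds a per-user baseline from constructed sign-in events, scores each new event for deviations from that baseline (new country, new device, unusual hour, a sensitive mailbox action, or two countries within a few hours), and maps the resulting score to the remediation steps mentioned above: revoking open sessions, blocking sign-in and forcing a password reset. The event format, the weights and thresholds, the list of sensitive actions and the action names are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample activity events (not real logs). Each record is one
# sign-in or sensitive action observed in a cloud app, with the user, UTC
# timestamp, application, source country, device identifier and action.
BASELINE_EVENTS = [
    {"user": "alice", "ts": "2024-05-01T08:05:00", "app": "m365", "country": "GB", "device": "dev-a1", "action": "login"},
    {"user": "alice", "ts": "2024-05-01T09:30:00", "app": "slack", "country": "GB", "device": "dev-a1", "action": "login"},
    {"user": "alice", "ts": "2024-05-02T08:10:00", "app": "m365", "country": "GB", "device": "dev-a1", "action": "login"},
    {"user": "alice", "ts": "2024-05-02T16:45:00", "app": "m365", "country": "GB", "device": "dev-a2", "action": "login"},
    {"user": "bob", "ts": "2024-05-01T13:00:00", "app": "m365", "country": "US", "device": "dev-b1", "action": "login"},
    {"user": "bob", "ts": "2024-05-02T14:20:00", "app": "salesforce", "country": "US", "device": "dev-b1", "action": "login"},
]

NEW_EVENTS = [
    {"user": "alice", "ts": "2024-05-03T08:02:00", "app": "m365", "country": "GB", "device": "dev-a1", "action": "login"},
    {"user": "bob", "ts": "2024-05-03T03:00:00", "app": "m365", "country": "US", "device": "dev-b9", "action": "login"},
    {"user": "alice", "ts": "2024-05-03T09:40:00", "app": "m365", "country": "NG", "device": "dev-x9", "action": "create_forwarding_rule"},
    {"user": "bob", "ts": "2024-05-03T14:05:00", "app": "salesforce", "country": "US", "device": "dev-b1", "action": "login"},
]

# Hypothetical weights and thresholds chosen for the example; a real deployment
# would tune these against its own false-positive rate.
WEIGHTS = {"new_country": 1, "new_device": 1, "unusual_hour": 1,
           "sensitive_action": 2, "rapid_country_change": 2}
SENSITIVE_ACTIONS = {"create_forwarding_rule", "add_mfa_device", "grant_oauth_consent"}
RAPID_TRAVEL_HOURS = 4  # two countries within this window is treated as implausible


def parse_ts(value):
    return datetime.fromisoformat(value)


def new_baseline():
    return {"countries": set(), "devices": set(), "hours": set(), "last_seen": None}


def build_baselines(events):
    """Per-user profile of where, from what and when the user normally signs in."""
    baselines = defaultdict(new_baseline)
    for e in sorted(events, key=lambda e: e["ts"]):
        b = baselines[e["user"]]
        ts = parse_ts(e["ts"])
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
        b["hours"].add(ts.hour)
        b["last_seen"] = (ts, e["country"])
    return baselines


def score_event(event, baseline):
    """Compare one event against the user's baseline; return (score, reasons)."""
    ts = parse_ts(event["ts"])
    reasons = []
    if not baseline["countries"]:
        return 0, ["no_baseline"]  # unknown user: nothing to compare against yet
    if event["country"] not in baseline["countries"]:
        reasons.append("new_country")
    if event["device"] not in baseline["devices"]:
        reasons.append("new_device")
    usual_hours = {(h + d) % 24 for h in baseline["hours"] for d in (-1, 0, 1)}
    if ts.hour not in usual_hours:
        reasons.append("unusual_hour")
    if event["action"] in SENSITIVE_ACTIONS:
        reasons.append("sensitive_action")
    last = baseline["last_seen"]
    if last is not None and last[1] != event["country"]:
        hours_apart = (ts - last[0]).total_seconds() / 3600
        if 0 <= hours_apart <= RAPID_TRAVEL_HOURS:
            reasons.append("rapid_country_change")
    return sum(WEIGHTS[r] for r in reasons), reasons


def remediation_for(score):
    """Map a score to the automatic response actions the interview describes."""
    if score >= 4:
        return ["revoke_all_sessions", "block_sign_in", "force_password_reset", "open_incident"]
    if score >= 2:
        return ["require_step_up_mfa", "notify_user"]
    return []


def evaluate(new_events, baselines, threshold=2):
    """Score new events chronologically, emitting findings and updating baselines."""
    findings = []
    for e in sorted(new_events, key=lambda e: e["ts"]):
        b = baselines[e["user"]]
        ts = parse_ts(e["ts"])
        score, reasons = score_event(e, b)
        if score >= threshold:
            findings.append({"user": e["user"], "ts": e["ts"], "app": e["app"],
                             "score": score, "reasons": reasons,
                             "actions": remediation_for(score)})
        else:
            # Only benign-looking activity enriches the profile; learning from a
            # flagged event would let an intruder normalise their own behaviour.
            b["countries"].add(e["country"])
            b["devices"].add(e["device"])
            b["hours"].add(ts.hour)
        b["last_seen"] = (ts, e["country"])  # always kept, for the travel check
    return findings


if __name__ == "__main__":
    for f in evaluate(NEW_EVENTS, build_baselines(BASELINE_EVENTS)):
        print(f"{f['ts']} {f['user']:<6} score={f['score']} {f['reasons']} -> {f['actions']}")
```

Run as a script, it reports two findings from the constructed data: a low-score sign-in for bob from an unseen device at an unusual hour, which only triggers a step-up challenge, and a high-score event for alice (new country and device, a mail forwarding rule created, and a second country within two hours of a UK sign-in), which triggers session revocation, sign-in blocking and a forced password reset. Two design points carry over to real deployments: the travel check needs the correlated cross-application timeline, not just one app's log, and the baseline is only updated from events below the alert threshold, so an intruder's activity cannot quietly become "normal".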
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro