What is Account Takeover (ATO)?

Account Takeover (ATO) is a form of identity theft and fraud in which cybercriminals take control of online accounts using stolen usernames and passwords.
In the context of email and communication, Account Takeover means cybercriminals sending emails from a legitimate business account they have compromised.

How does this happen?

Cybercriminals steal credentials, meaning sets of login usernames and passwords, in order to take control of a user account.
How do they get credentials? Impostors buy lists of stolen credentials on black-market sites, harvest usernames and passwords leaked in data breaches, or extract login data themselves with targeted phishing campaigns.
The attack is carried out manually by individuals or groups, or at scale using bots.
Originally botnets were used to deliver massive volumes of spam, which was the most prominent spam and malware-delivery method and was responsible for 90% of the malware spread by email worldwide; in the last decade all the biggest spam-sending botnets have been taken down, with the Necurs botnet being the last one to be defeated, back in 2020, by Microsoft.
Botnets have evolved since then and are now mostly used to dispatch stolen credentials in order to gain control of legitimate accounts, with a massive rise in Account Takeover (ATO) attacks. Statistics show that ATO cases have skyrocketed by almost 300% since 2019!

Why do cybercriminals focus on Account Takeover (ATO)?

Because it has the potential to be immensely profitable compared to other attacks!
Financial fraud, internal phishing, supply-chain phishing and BEC-type (whaling) attacks all become possible once they have control over an account!
By sending an email from a legitimate email account, impostors know that traditional anti-phishing software isn't likely to flag their activity as suspicious, and at the same time the recipients are more likely to trust the sender and to do what they ask.
Once cybercriminals have gained access, they can also change anything related to the use of the account itself, such as security questions, passwords, encryption settings, usernames, etc., effectively locking the legitimate owner out! This complete lockout can even make the actual user look suspicious when attempting to resolve the problem, since they would no longer know the updated information associated with the account.

What types of organizations are targets of Account Takeover (ATO) attacks?

Fraudulent access to customer accounts has always been a concern for financial institutions, but today Account Takeover attacks can affect any organization with a customer-facing login. As noted, the most common threat actor motivation is financial, but collecting personally identifiable information (PII) is also a strong driver, as it can be used in phishing and spam campaigns to make the fraudulent communications more believable and help criminals target their victims. These types of attacks often target healthcare, the public sector, and academic institutions.

Account Takeover (ATO) Protection and Prevention

The speed and evolution of today’s attacks present significant challenges for businesses. Unfortunately, some of the most commonly used techniques aren’t enough to stop ATO.
The following good practices should always be adopted:

  • Strong password policy
    Many accounts are easy to crack because of old, weak, or reused passwords. Use a password manager with strong, unique passwords!
  • Check for compromised credentials
    Regularly compare new user credentials against breached-credential databases.
  • Set rate limits on login attempts
    Set rate limits on login attempts based on username, device, and IP address to effectively prevent account takeover.
  • Use Multi-Factor Authentication (MFA)
    Set up a multi-factor authentication method such as OTP or a dongle/token.
  • Send users notifications of account changes
    Send your users a notification of any change made to their account, so they can quickly notice when their account is compromised.
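As an added example (not part of the original article and not Libraesva product code), the following Python sketch implements two of the practices above: a breached-credential check using a k-anonymity style prefix lookup (only the first five hex characters of the SHA-1 hash are used to select candidates, as public breached-password services do), and a sliding-window rate limiter that counts failed login attempts independently per username, per device and per IP address. The breach corpus and the limits are constructed for the example and are assumptions, not real data; a real deployment would query a maintained breached-credential database and tune the limits to its own traffic.

```python
import hashlib
import time
from collections import defaultdict, deque

# Constructed sample breach corpus (assumption for this example): SHA-1 hashes
# of a few passwords that commonly appear in leaked credential lists.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in BREACHED_PASSWORDS}


def is_breached(password: str) -> bool:
    """k-anonymity style lookup: only the 5-char hash prefix selects candidates,
    so the full hash of the password never has to leave the caller."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in candidates


class LoginRateLimiter:
    """Counts failed login attempts per username, device and IP over a sliding window."""

    DIMENSIONS = ("username", "device", "ip")

    def __init__(self, limits: dict, window_seconds: int = 300):
        # limits maps each dimension to the maximum failures allowed per window
        self.limits = limits
        self.window = window_seconds
        self.attempts = defaultdict(deque)  # (dimension, value) -> failure timestamps

    def _prune(self, key, now: float) -> deque:
        # Drop timestamps that have fallen out of the sliding window
        q = self.attempts[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def check(self, username: str, device_id: str, ip: str, now=None) -> list:
        """Return the dimensions that are over their limit; an empty list means allow."""
        now = time.time() if now is None else now
        blocked = []
        for dim, value in zip(self.DIMENSIONS, (username, device_id, ip)):
            if len(self._prune((dim, value), now)) >= self.limits[dim]:
                blocked.append(dim)
        return blocked

    def record_failure(self, username: str, device_id: str, ip: str, now=None) -> None:
        """Record one failed attempt against all three dimensions."""
        now = time.time() if now is None else now
        for dim, value in zip(self.DIMENSIONS, (username, device_id, ip)):
            self.attempts[(dim, value)].append(now)


if __name__ == "__main__":
    print("'password' breached:", is_breached("password"))
    limiter = LoginRateLimiter({"username": 5, "device": 20, "ip": 50})
    for i in range(5):
        limiter.record_failure("alice", "dev-1", "10.0.0.1", now=float(i))
    print("alice blocked on:", limiter.check("alice", "dev-1", "10.0.0.1", now=5.0))
```

The per-IP limit is what catches credential stuffing, where a bot tries many different usernames from one address and never trips the per-username counter; the per-username limit catches a targeted guess against one account spread across many addresses.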

How Libraesva ESG can help

The Libraesva ESG email security suite provides real-time monitoring and intelligence to mitigate human and automated fraud before it impacts the business, without disrupting the customer experience. With dedicated functionalities based on our proprietary Adaptive Trust Engine AI-based technology, Libraesva ESG is uniquely positioned to stop ATO with a defense that adapts to changes in attack patterns and retooling, as it looks at communication history and patterns, transposing the value of the human relationship into digital communication.
This approach is not only effective at preventing first-time senders from delivering malware inside your organization, but also applies to outgoing traffic, preventing impostors from sending spam from a compromised mailbox. Humans rely on trust in their relationships, and the Libraesva Adaptive Trust Engine transposes this natural human behaviour into digital communications.

Paolo Frizzi

CEO @ Libraesva