Account takeover attacks (ATOs) have quickly risen to the top of the list of critical cyber threats facing organizations today. Abnormal Security’s 2024 State of Cloud Account Takeover Attacks report reveals that over 60% of security leaders in the UK now rank ATOs in their top four concerns. This increased focus on account takeovers even outpaces the notorious threats of ransomware and spear phishing.
In an era where the sophistication and frequency of ATO attacks are increasing, it is imperative to understand the underlying factors driving this increase and the strategies organizations can implement to defend against them.
Abnormal Security CISO.
What trends and developments have you observed in ATO attacks over the past year, particularly in terms of their frequency and impact on organizations?
Account takeover attacks are rapidly increasing in both frequency and severity. Attackers are focusing more on account takeover attacks because gaining access to an account can immediately expose sensitive company or customer data, enable financial theft, and allow them to launch further attacks or move laterally within a network.
A study indicates a 427% increase in ATO attack attempts in 2023 alone, highlighting their increasing risk and potential to result in substantial financial losses for businesses. Given the destructive potential of ATO attacks, it is no surprise that most security leaders consider these attacks among their top cyber threats.
These concerns are often rooted in experience: in fact, 75% of UK organizations we surveyed reported having suffered at least one ATO attack in the past year, with over a third facing more than five incidents. Some unlucky companies suffered more than 10 attacks.
How have cybercriminals adapted their tactics for ATO attacks with the advent of new technologies such as generative AI, and what are the implications for organizations?
Credential phishing is a leading culprit behind account takeovers, and the proliferation of generative AI tools over the past year has only made this problem worse, ultimately making ATO attacks much easier to pull off. With the right prompts, generative AI can craft phishing emails that are nearly indistinguishable from authentic content. Tools like ChatGPT can create convincing and realistic phishing campaigns in seconds, improving the effectiveness of social engineering tactics and increasing the likelihood that targets will reveal their credentials.
Sophisticated threat actors have even gone so far as to create their own generative AI platforms, such as WormGPT and FraudGPT. Many are also finding ways to “jailbreak” ChatGPT, bypassing its protections against generating malicious content through carefully crafted prompts, known as “jailbreak prompts.”
The DAN (Do Anything Now) prompt and the Translator Bot prompt are well-known examples. The DAN prompt manipulates ChatGPT into generating restricted content by having it act as an unrestricted AI. The Translator Bot prompt bypasses filters by framing inappropriate content as a translation task.
AI-generated phishing attacks are so dangerous because they are extremely difficult to detect. Traditionally, one would look for strange language, spelling or grammatical errors, robotic tone, and other contextual indicators. However, with generative AI, attackers can create large volumes of convincing content that appears human-like.
As cybercriminals become more successful with credential phishing attacks, this may lead to more account takeover incidents, underscoring the importance of comprehensive email security.
What are the main concerns of security managers regarding account takeovers? Why are these attacks considered one of the main cybersecurity threats today?
The biggest concern about ATO attacks is their potential for extremely damaging consequences, including breaches of customer privacy, regulatory compliance, data security, brand reputation, and operational integrity. It is therefore not surprising that nearly all security leaders we surveyed agreed that preventing account breaches is a top priority.
ATO is particularly insidious because trusted contacts are placed directly in the line of fire. If cybercriminals can gain access to the account credentials of a trusted executive or supplier, they can not only expose sensitive information, but can also enable the attacker to conduct fraudulent financial transactions under the guise of their compromised victim. This means the scope of the damage is enormous.
These attacks are also alarming because they can occur through a variety of attack methods, not just via email credential phishing, but also via SMS and voice, as well as more sophisticated tactics such as session hijacking using stolen or forged authentication tokens. The stealthy nature of ATOs means they can remain undetected for months, increasing their potential damage.
MFA is a widely implemented security measure, so why are some skeptical of it when it comes to ATO attacks?
Multi-factor authentication (MFA) has become a standard security enhancement and is recommended by government regulations such as NIST. However, while MFA can reduce the risk of account breaches, it is not foolproof, so it has been subject to some level of skepticism. Our research showed that only 37% of security leaders are confident in MFA’s ability to protect against cybersecurity attacks.
One reason for this hesitation is the rise of MFA bypass tactics. Cybercriminal groups, such as Robin Banks and EvilProxy, now offer MFA bypass kits for sale, which allow attackers to hijack active authentication sessions using stolen MFA tokens. This makes it easier for even less experienced hackers to bypass MFA protections. High-profile incidents, such as the SolarWinds attack, have demonstrated MFA vulnerabilities.
Research has shown a significant increase in MFA bypass attacks. A study by Kroll Advisory found that 90% of successful business email compromise attacks occurred even with MFA in place. These findings highlight that while MFA is a crucial security measure, it alone cannot completely prevent account takeover attacks, so additional layers of security are needed.
What types of solutions can help defend against increasing ATO attacks, and in what areas should companies improve?
There are a number of strategies organizations are using to mitigate account compromise, including MFA, encouraging the use of strong passwords, and implementing single sign-on (SSO).
But while these are important layers of defense that can reduce the risk of account compromise, they won't eliminate it entirely – today's sophisticated threat actors are smart enough to find ways to bypass these measures.
Security teams should combine these controls with additional tools, including technologies that can create complete visibility across the entire cloud ecosystem. Account takeover attacks often involve lateral movement between platforms, so teams need the ability to view, correlate, and analyze behavioral signals across these different applications and platforms. By analyzing these signals against baseline levels of user behavior to identify deviations, organizations can improve their ability to detect potential account breaches quickly and with confidence.
Automatic remediation is also critical, allowing teams to quickly remove attackers from compromised accounts (including by logging out of all open sessions, blocking access, or forcing a password reset) before significant damage is done.
This integrated approach, offering complete visibility across the entire cloud application ecosystem, with automatic remediation, is essential to improving ATO defenses.
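To make the two mechanisms above concrete (the stolen-session MFA bypass from the previous answer, and the cross-platform baseline analysis plus automatic remediation from this one), here is an added example in Python. It is not Abnormal Security's product or code and is not from the original article. It replays a constructed log of sign-in and mailbox events from two cloud apps through a per-user behavioral baseline, flags a session that completed MFA on one network and is then used from another (what an adversary-in-the-middle kit does with a captured token), correlates that with a follow-on inbox rule created in a second app, and emits the containment steps the text lists. Every log line, field name, weight and threshold is an assumption made for illustration.

```python
"""Toy cross-platform account-takeover (ATO) detector with remediation.

Added example for this article; not Abnormal Security's product or code.
All log lines, field names, weights and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: ts user app event src_ip country device session_id
# alice's first sign-ins establish her baseline (GB, laptop-a1). On 05-02 a
# phishing proxy at 198.51.100.7 relays her genuine MFA sign-in, so sess-004
# is minted and looks clean (known country, known device). The attacker then
# replays the captured session from 198.51.100.77 in NL and adds an inbox
# rule in Exchange. bob creates an inbox rule from his usual device (benign).
RAW_LOG = """\
2024-04-30T08:00:00 alice m365 signin_mfa_ok 203.0.113.10 GB laptop-a1 sess-001
2024-05-01T09:15:00 alice m365 signin_mfa_ok 203.0.113.10 GB laptop-a1 sess-002
2024-05-02T08:05:00 alice m365 signin_mfa_ok 203.0.113.10 GB laptop-a1 sess-003
2024-05-02T08:10:00 alice m365 signin_mfa_ok 198.51.100.7 GB laptop-a1 sess-004
2024-05-02T08:12:00 alice m365 token_use 198.51.100.77 NL unknown sess-004
2024-05-02T08:20:00 alice exchange inbox_rule_created 198.51.100.77 NL unknown sess-004
2024-05-02T10:00:00 bob m365 signin_mfa_ok 192.0.2.5 GB desktop-b9 sess-010
2024-05-02T10:30:00 bob exchange inbox_rule_created 192.0.2.5 GB desktop-b9 sess-010
"""

WEIGHTS = {  # assumed scoring weights per deviation
    "session_from_new_network": 4,   # token minted on one IP, used from another
    "new_country": 3,
    "new_device": 2,
    "inbox_rule_after_risky_event": 3,  # cross-app correlation
}
ALERT_THRESHOLD = 6
CORRELATION_WINDOW = timedelta(hours=1)
# The containment steps named in the article, applied automatically.
REMEDIATION = ["revoke_all_sessions", "block_signin", "force_password_reset"]


def parse_log(text):
    """Parse the whitespace-separated log into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, event, ip, country, device, session = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "app": app,
                       "event": event, "ip": ip, "country": country,
                       "device": device, "session": session})
    return sorted(events, key=lambda e: e["ts"])


def analyze(events):
    """Return {user: [(ts, app, [reasons]), ...]} for events that deviate from baseline."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    session_origin = {}              # session_id -> IP that completed the MFA sign-in
    risky_times = defaultdict(list)  # user -> timestamps of flagged events, any app
    findings = defaultdict(list)
    for e in events:
        user, base = e["user"], baseline[e["user"]]
        if e["event"] == "signin_mfa_ok":
            session_origin.setdefault(e["session"], e["ip"])
        reasons = []
        if base["countries"]:  # no scoring until the user has some history
            if e["country"] not in base["countries"]:
                reasons.append("new_country")
            if e["device"] not in base["devices"]:
                reasons.append("new_device")
            origin = session_origin.get(e["session"])
            if origin is not None and origin != e["ip"]:
                reasons.append("session_from_new_network")
            if e["event"] == "inbox_rule_created" and any(
                    timedelta(0) <= e["ts"] - t <= CORRELATION_WINDOW
                    for t in risky_times[user]):
                reasons.append("inbox_rule_after_risky_event")
        if reasons:
            risky_times[user].append(e["ts"])
            findings[user].append((e["ts"], e["app"], reasons))
        else:
            # Only clean events feed the baseline, so an attacker's first
            # foothold does not teach the model that NL/unknown is "normal".
            base["countries"].add(e["country"])
            base["devices"].add(e["device"])
    return dict(findings)


def risk_score(flagged_events):
    """Sum the weights of every reason across a user's flagged events."""
    return sum(WEIGHTS[r] for _, _, reasons in flagged_events for r in reasons)


def remediation_plan(findings):
    """Users whose accumulated score crosses the threshold get automatic containment."""
    return {user: list(REMEDIATION) for user, items in findings.items()
            if risk_score(items) >= ALERT_THRESHOLD}


def run(log_text=RAW_LOG):
    findings = analyze(parse_log(log_text))
    return findings, remediation_plan(findings)


if __name__ == "__main__":
    found, plan = run()
    for user, items in found.items():
        for ts, app, reasons in items:
            print(f"{ts.isoformat()} {user:<6} {app:<9} {', '.join(reasons)}")
    print("remediation:", plan)
```

Two design points are worth noting. The proxied sign-in itself (sess-004 at 08:10) raises nothing, because MFA genuinely succeeded and the country and device match the baseline; the signal only appears when the minted session is used from a network other than the one that completed MFA, and it gets stronger when the next action in a different app (the Exchange inbox rule) lands inside the correlation window. Second, flagged events are deliberately kept out of the baseline update, so the attacker's activity cannot normalise itself on the second attempt.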
This article was produced as part of TechRadarPro's Expert Insights channel, where we showcase the best and brightest minds in the tech industry today. The views expressed here are those of the author, and not necessarily those of TechRadarPro or Future plc. If you're interested in contributing, find out more here.