Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Nine Myths of Account Takeover

Home
Industry Insights
Nine Myths of Account Takeover

Blog Article Published: 01/25/2018

By Dylan Press, Director of Marketing, Avanan

Account takeover attacks are a nearly invisible tactic for conducting cyber espionage. Because these breaches can take months or years to detect, we are slowly discovering that this attack vector is much more common than we thought. The more we learn about new methodologies, the more we realize just how misunderstood account takeover attacks can be. Many of the common myths about account takeover attacks are making it easier for the attackers to continue undetected, which is why we feel obligated to debunk them.

What Is an Account Takeover Attack?

Account takeover is a strategy used by attackers to silently embed themselves within an organization to slowly gain additional access or infiltrate new organizations. While ransomware and other destructive attacks immediately make the headlines, a compromised account may remain undiscovered for months, years or not at all. (See the Verizon 2017 Data Breach Report graph.)

On average we find at least one compromised account in half of our new installs, oftentimes finding that they have been there for months. We hope this blog can provide a better understanding of how they work and how to defend against them.

Scan your own account for an historical breach.

Myth 1: I’ve installed the latest antivirus software. I’m safe.

Reality: Account takeover attacks seldom use malware or malicious links.

You may have the latest patches. You might have the latest URL filters. You might have installed an MTA mail gateway to scan every message. None of these, however, would have detected the most common attacks of 2017. Few, if any, used an attachment or malicious link. Instead they relied upon convincing a user to authorize an app or share credentials via an otherwise legitimate site. Account takeover attacks do not want to infect a desktop or steal a bank account's routing number. They seek only to gain access to a legitimate user’s account for as long as possible. Step one in their methodology is to avoid detection by the most common tools.

Myth 2: We’ve all had security training. Attacks are obvious.

Reality: User training is not enough to defend against targeted attacks.

Everyone would like to believe that they are smart enough to notice an attack before they are compromised, but even the most vigilant user would miss the more recent strategies. A CISO once called user training an “attack signature that gets updated once a year.” While you may be able to identify the traits of an older method, new, more sophisticated techniques are developed every day. It is no longer enough to look for misspelled words or bad grammar. They are now highly personalized, well timed and sent in moderation. It is easy to forget that attackers read the same best practice documents you read, and use them as their checklist of things to evade.

Myth 3: An account takeover always starts with an email.

Reality: Attackers are starting to use other collaboration tools.

As organizations are moving away from email to Slack, Teams, and Chatter for internal collaboration, so are the attackers. Your employees are naturally wary of messages that come by email, but they seldom transfer that suspicion to internal messaging tools. While only 12 percent of employees might be likely to click on a malicious email, more than half would click on the same message when it arrives via internal Slack chat from a ‘trusted’ user. While there are dozens of tools to monitor and protect user email, these internal tools typically have no phishing or malware protection at all.

Scan your own account for an historical phishing attack.

Myth 4: Account takeover always starts with a phishing message.

Reality: Hackers can get your credentials without a phishing attack.

Although phishing messages are the most common way for hackers to gain access to an account, they are far from the only method. Large, third-party data leaks like Yahoo and LinkedIn have created a market for hackers to exchange stolen passwords. Even Post-It Notes are not safe from online distribution. A breach might include passwords for one service that employees have re-used on corporate accounts. Even a breach that doesn’t include raw credentials might include the personal information (street address, high school, mother’s maiden name) that make it possible for attackers to gain temporary access by requesting a password change. The Equifax breach probably contains more personal information than the average person even knows about themself. Although anti-phishing security is important, it is only one part of the equation when it comes to defending against account takeover.

Myth 5: I would notice right away if my account was compromised.

Reality: Account takeovers are specifically designed to evade detection.

Although it may seem like you would have to be blind to not notice a second user in your email inbox, hackers have become incredibly adept at navigating and using compromised accounts without detection. Tactics like the alternate inbox method, in which the attacker uses hidden and unchecked trash folders as their inbox, can make even the most active attacker invisible to the account’s rightful owner. When your account is compromised, you will likely never notice anything out of the ordinary.

Myth 6: The hacker will log in from a suspicious location.

Reality: Hackers can appear to log in from anywhere.

If a hacker is regularly logging into your account, wouldn’t their location raise a flag? It is reasonable to assume that to detect a compromised account, you just need to keep an eye out for suspicious locations in your account history. Unfortunately, publicly available VPNS are an easy way to avoid this obvious giveaway. A competent hacker based in North Korea can appear to be from an IP address in your own town, looking as benign as a login from your local CoffeeCafe. If they’ve already compromised another victim, they could even stage their attack from a partner’s network.

Myth 7: Changing my password will get rid of them.

Reality: Hackers can continue to access your account without a password.

Many cyber-security best-practices guides will advise you to change your password if your account is compromised. The first step in most attacks, however, includes creating a secondary back door so they can avoid using the primary login. For example, they may install malicious cloud applications that provide full rights to the account. These API-based connections use their own, permanent tokens that must be individually revoked and often never get logged. Or they may create rules to forward and redirect messages through the account without the need to log in again. Even if you change your password or turn on multi-factor authentication within seconds of a breach, they may no longer have need of your password.

Scan your own account for an historical breach.

Myth 8: I’m not “important” enough to be valuable to an attacker.

Reality: Every employee’s account is useful to a hacker.

It can be comforting to think that cyber security is only a concern for executives or employees with high levels of access to sensitive company data. Typically, however, the initial account takeover breach is imprecise and opportunistic. The initial goal of the hacker is to simply get access to any internal account. Once they have access, they take advantage of internal trust relationships to move from employee to employee until they find the sensitive data they need. A user doesn’t need to be high up or have a high level of access to serve as a hub for a hacker to base their operations. In fact, lower level employees are often under less scrutiny and can serve as a better vessel to use and remain undetected.

Myth 9: Our company is not worth targeting.

Reality: Your company can be used to attack your customers and partners.

If your company has customers, their employees will likely trust yours. If your company has providers, it could serve as the attacker’s way in. Although the hacks of major financial institutions and Fortune 500 companies make the headlines, hundreds of small ‘invisible’ companies in niche industries are attacked every day. Because smaller companies typically do not have the security staff of the larger firms, they can be an easy path into a much more lucrative target.

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Enhance your cloud security skills with CSA's online training options.