One of the most common cyberattack complaints raised by individuals and organisations is a fraud scheme in which attackers take control of a victim’s account and proceed to commit cybercrime in the victim’s name and identity.
Known as Account Takeover (ATO) attacks, this identity-based cyber fraud involves attackers using stolen user credentials as a springboard for a variety of crimes, including redirecting shipments, money laundering, stealing reward points, reselling subscription information and hijacking sensitive platforms such as a victim’s bank account.
Attackers start by changing the login credentials to lock the original owner out of their own account. Organisational accounts are prime targets because of the influence they carry and the volume of data they hold.
Steps preceding the takeover
Governance, Risk and Compliance (GRC) analyst Terry Muthoni explains that a successful ATO attack always consists of three major steps, and that, more often than not, an entire community is involved in the process.
Ms Muthoni says it all starts with the harvesting of credentials.
“Stealing and harvesting credentials is a labour-intensive and technically demanding process. Attackers employ phishing, malware, social engineering, and database vulnerabilities to obtain credentials. The stolen data is lucratively sold on the public or dark internet, often repeatedly, until its value diminishes over time,” states Ms Muthoni.
The second phase involves checking the stolen credentials, often using botnets, for efficiency and scalability. Bot services and tutorials are readily available, says Ms Muthoni, making it accessible even for non-experts.
In this phase, attackers enter the stolen credentials, configure proxies and define the target website. More advanced attackers may create their own botnets to bypass fraud detection.
“The verified credentials are then sold to a third party on the dark web, with values varying based on the potential return on investment. High-value targets include banking or e-commerce sites with lucrative customer reward programmes,” says Ms Muthoni.
In the final stage, the attacker buys the verified credentials and then uses automation to fill in login forms en masse, launching ATO attacks in a way that evades anti-automation defences.
For very high-value targets, the attackers will often manually complete the forms themselves.
How to tell when attacked
Experts say that when monitoring behavioural analytics for signs of ATO, the most common indicators to look out for include unsuccessful logins, password change requests, shipping to a new address, new device logins as well as unusually large purchases.
Others are a change in account details, the addition of new unauthorised users, requests for a new card, spikes in login attempts and account locks.
“When an attacker successfully gains control of an account, they often try to alter the login credentials so that the original account owner can no longer access their account. In some cases, the attacker will make changes to multiple accounts simultaneously,” says Nadeem Anjarwalla, crypto firm Binance director for East and West Africa.
Mr Anjarwalla notes that when similar changes are made across multiple accounts, it is usually a clear indication that the accounts have been hacked.
“Watch out for unusual account activity, such as unauthorised purchases, changes to your account settings, or unexpected logins from unknown devices. Login attempts from unknown locations or IP addresses may also indicate that someone is trying to break into your account,” he says.
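As an added illustration (not from the article or any of the quoted experts), the following Python scan runs over constructed account-event records and flags the indicators described above: a burst of failed logins before a success, a login from a device the account has not used before, a credential or address change shortly after such a login, and one device changing several accounts, which Mr Anjarwalla describes as a sign of mass takeover. The event layout, thresholds, device baseline and sample values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (account, timestamp, event, device_id, source_ip)
EVENTS = [
    ("alice", "2024-05-01 09:00:00", "login_failed",    "dev-77", "203.0.113.9"),
    ("alice", "2024-05-01 09:00:20", "login_failed",    "dev-77", "203.0.113.9"),
    ("alice", "2024-05-01 09:00:45", "login_ok",        "dev-77", "203.0.113.9"),
    ("alice", "2024-05-01 09:03:00", "password_change", "dev-77", "203.0.113.9"),
    ("alice", "2024-05-01 09:05:00", "address_change",  "dev-77", "203.0.113.9"),
    ("bob",   "2024-05-01 09:10:00", "login_ok",        "dev-77", "203.0.113.9"),
    ("bob",   "2024-05-01 09:11:00", "password_change", "dev-77", "203.0.113.9"),
    ("carol", "2024-05-01 10:00:00", "login_ok",        "dev-12", "198.51.100.4"),
    ("carol", "2024-05-01 10:30:00", "address_change",  "dev-12", "198.51.100.4"),
]
# Constructed baseline: devices each account has previously used.
KNOWN_DEVICES = {"alice": {"dev-01"}, "bob": {"dev-02"}, "carol": {"dev-12"}}
# Account changes the article lists as takeover indicators (assumed event names).
SENSITIVE = {"password_change", "address_change", "new_user_added", "card_request"}
WINDOW = timedelta(minutes=15)  # assumed: how soon after a new-device login a change is suspicious

def scan(events, known_devices, window=WINDOW, min_failures=2, min_accounts=2):
    """Return {account: [indicator descriptions]} for accounts showing ATO signals."""
    findings, per_acct = defaultdict(list), defaultdict(list)
    for acct, ts, ev, dev, ip in events:
        per_acct[acct].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ev, dev, ip))
    change_sources = defaultdict(set)  # device -> accounts whose details it changed
    for acct, evs in per_acct.items():
        evs.sort()  # chronological order per account
        failures, new_dev_login = 0, None
        for t, ev, dev, ip in evs:
            if ev == "login_failed":
                failures += 1
            elif ev == "login_ok":
                if failures >= min_failures:  # spike in failed attempts, then success
                    findings[acct].append(f"{failures} failed logins before success")
                failures = 0
                if dev not in known_devices.get(acct, set()):  # new device login
                    findings[acct].append(f"login from new device {dev} ({ip})")
                    new_dev_login = t
            elif ev in SENSITIVE:
                change_sources[dev].add(acct)
                if new_dev_login and t - new_dev_login <= window:
                    findings[acct].append(f"{ev} within {window} of new-device login")
    for dev, accts in change_sources.items():  # same device altering many accounts
        if len(accts) >= min_accounts:
            for a in accts:
                findings[a].append(f"device {dev} changed {len(accts)} accounts")
    return dict(findings)
```

Running `scan(EVENTS, KNOWN_DEVICES)` flags alice and bob but not carol, whose address change came from a device already on her baseline.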
“The first and the most obvious measure is to put in place strong and unique passwords. Avoid easily guessed passwords and refrain from reusing passwords across multiple accounts,” advises Gathirwa Irungu, head developer at GIT Software Solutions.
Account holders should be vigilant and exercise caution when handling suspicious emails, messages or calls asking for login credentials or personal data.
“Avoid clicking on suspicious links or downloading attachments from untrusted sources. Always verify the authenticity of requests before providing any sensitive information,” says Mr Irungu.
Other measures include regular monitoring and review of account activities including the transaction history and notifications for any signs of unauthorised access or suspicious behaviour.
Users should also activate multi-factor authentication, which requires them to provide an additional form of verification, such as a one-time passcode (OTP), in addition to their password.