Preventing ATO (Account Takeover) Attacks, Part 1: Introduction

  • Link11-Team
  • June 16, 2024

Account takeover (ATO) attacks occur when hackers attempt to obtain control of legitimate user accounts. After compromising accounts, hackers will exfiltrate information or use them to perform malicious actions.

ATO is one of the most serious cyberthreats faced by organizations today. According to Verizon’s 2022 Data Breach Investigations Report, the use of stolen credentials is the most common vector for system breaches. Indeed, ATOs have featured in several recent high-profile cyberattacks. The Colonial Pipeline hack in 2021 began when attackers compromised an old user account that admitted them to the company’s internal network. Cisco faced a similar incident in May 2022—attackers obtained access to a client’s VPN by compromising an employee’s personal Google account.

Threat actors have a variety of methods for waging account takeover attacks, and a robust security posture needs to include multiple types of ATO prevention. In this article, we’ll begin a short series about ATO attacks and how to defend against them. Here, we’ll discuss:

  • Types of ATO attacks
  • Different approaches for detecting them
  • The most important methods for defeating them

Then in subsequent articles, we’ll take a deeper dive into the specific methods and discuss some best practices.

Stages of ATO

An ATO attack can be divided into two stages:

  • The takeover. Here, the attackers do not yet possess valid credentials for any user accounts. This could be because they have not yet obtained any credential sets from the system they’re targeting. Or, they might have credential sets (e.g., that were stolen during system breaches of other sites), but they have not yet confirmed which, if any, will work on the targeted system.
  • The exploitation. Once valid credential sets have been obtained or confirmed, an attacker can pose as those users, logging in and performing a variety of malicious activities, and abusing whatever privileges that the users have on the targeted system.

In this article series, we’ll focus on the first stage, where attackers are not yet able to assume the user’s identity, and are attempting to obtain this ability.

Types of ATO Attacks

As noted above, hackers use a variety of methods when waging ATO attacks. There are several categories of ATO.

Brute Force

As the name implies, a brute force attack is straightforward and unsophisticated. It requires the attacker to send a high volume of traffic to the targeted system.

  • Credential stuffing: There are several types of credential attacks, but stuffing is one of the most common. Here, the attacker has a list of credential sets obtained from other sites (whether stolen directly during breaches, or bought on the darkweb from other hackers). The hacker uses automated software to iterate through the list and “stuff” the credential sets into login forms on the target system, to see if any will work.
  • Dictionary attacks: A dictionary attack is a cruder form of credential stuffing. Hackers leverage the unfortunate fact that many people still use weak passwords, by iterating through a ‘dictionary’ of commonly-used passwords to see which, if any, will work.

Social Engineering

  • Phishing: This form of ATO is designed to trick users into unintentionally supplying their credentials to the attacker. This could be by clicking malicious links or responding to carefully crafted emails that appear to have a legitimate source, such as their bank or IT administrator.
  • Spear phishing: This is a phishing attack aimed at specific users, and is highly customized to them individually. When executed well, these attacks can have a high rate of success.

System Exploitation

  • Man-in-the-middle attacks: Attackers can infiltrate networks to intercept traffic between devices and servers. This can allow theft of API tokens, usernames, and passwords that aren’t sent over encrypted connections. On the public internet, MitM is less common than it used to be (thanks to the ubiquity of https), but it can still work in some circumstances.
  • Session attacks: Strictly speaking, a session hijacking attack isn’t necessarily a form of ATO (since the attacker won’t always obtain the user’s credentials). However, it can have the same effect, since the attacker will be able to assume the user’s identity for the duration of the session.
  • Data theft, viruses, and malware: Hackers can acquire credentials during data breaches, or by deploying specialist malware such as keyloggers to collect them from user machines.

A comprehensive security strategy for ATO prevention will incorporate multiple layers of protection to address all of these attack types. Also, these threats are not mutually exclusive. We often observe sophisticated, multi-stage ATO attacks, where hackers try different strategies and tactics within a single event.

Detecting ATO Attacks

Many organizations lack visibility into the ATO attempts that target their infrastructure. ATO protection starts with knowing when those attempts are occurring. The most robust ATO prevention tools use automation to detect anomalous activity based on common indicators:

  • Many failed login attempts for a single user often indicate a dictionary attack.
  • High rates of failed login attempts across multiple users can indicate a credential stuffing attack is underway.
  • Login attempts for multiple users from a single IP are also a red flag, especially when these are observed within a short period of time.
  • Incongruous login attempts should raise alarms, e.g. when login attempts are received from European and African IP addresses for a user account registered in the United States.
  • Suspicious client device identities: An influx of requests from devices that don’t present a known identity, or which use generic properties, is another indicator that the traffic is illegitimate.
  • Suspicious client behavior: A legitimate user exhibits identifiable behavioral patterns. For example, logging into a web application will begin with a GET request, followed by a POST. An ATO attacker will try to work efficiently, and thus will often violate these behavioral patterns, e.g. by mass-submitting POST requests without any preceding GETs.
  • High rates of submissions of login forms can indicate an in-progress ATO, even when other metrics don’t seem anomalous.
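To show how these indicators translate into detection logic, here is an added example (not Link11’s own tooling) that scores a batch of login events against several of them at once: failures per user, distinct users per source IP, the overall failed-POST ratio, POSTs with no preceding GET from the same client, and logins from a country other than the one the account was registered from. The log format, thresholds, IP addresses and the registration table are all constructed for the illustration.

```python
from collections import Counter, defaultdict

# Constructed sample login log (not real traffic): seq src_ip user method outcome geo
SAMPLE_LOG = """\
1 198.51.100.7 alice GET - US
2 198.51.100.7 alice POST ok US
3 203.0.113.9 bob POST fail NL
4 203.0.113.9 bob POST fail NL
5 203.0.113.9 bob POST fail NL
6 203.0.113.9 bob POST fail NL
7 203.0.113.9 bob POST fail NL
8 192.0.2.44 carol POST fail DE
9 192.0.2.44 dave POST fail DE
10 192.0.2.44 erin POST fail DE
11 192.0.2.44 alice POST ok ZA
"""
# Constructed: country each account was registered from
REGISTERED = {"alice": "US", "bob": "US", "carol": "DE", "dave": "DE", "erin": "DE"}

def parse_log(text):
    """Turn one whitespace-separated record per line into event dicts."""
    keys = ("seq", "ip", "user", "method", "outcome", "country")
    return [dict(zip(keys, line.split())) for line in text.splitlines() if line.strip()]

def detect(events, per_user_fail=5, per_ip_users=3):
    """Score the indicators listed above over a batch of login events."""
    fails_by_user = Counter(e["user"] for e in events if e["outcome"] == "fail")
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    posts = [e for e in events if e["method"] == "POST"]
    fail_ratio = sum(e["outcome"] == "fail" for e in posts) / len(posts) if posts else 0.0
    # Behavioural check: a POST from an (ip, user) pair that never fetched the form first
    seen_get, blind_posts = set(), 0
    for e in events:
        key = (e["ip"], e["user"])
        if e["method"] == "GET":
            seen_get.add(key)
        elif key not in seen_get:
            blind_posts += 1
    # Geo check: attempts from a country other than the account's registered one
    geo = sorted({(e["user"], e["country"]) for e in events
                  if e["country"] != REGISTERED.get(e["user"], e["country"])})
    return {
        "dictionary_suspects": sorted(u for u, n in fails_by_user.items() if n >= per_user_fail),
        "stuffing_ips": sorted(ip for ip, us in users_by_ip.items() if len(us) >= per_ip_users),
        "failed_post_ratio": round(fail_ratio, 2),
        "blind_posts": blind_posts,
        "geo_mismatch": geo,
    }
```

On the sample above, bob is flagged as a dictionary-attack target, 192.0.2.44 as a stuffing source, and alice’s South African login as geographically incongruous; in production the thresholds would be tuned per application and evaluated over sliding time windows rather than a whole batch.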

How to Prevent ATO Attacks

Although ATO is a complicated threat, it’s possible to defeat account takeover attacks with a robust security posture. The next several articles in this series will discuss methodologies and best practices to implement, to keep your users’ accounts secure. Stay tuned!
