Here’s a closer look at account takeover, including a detailed timeline analysis and what it reveals about the evolving tactics of cybercriminals, as well as best practices and solutions to help detect and block attacks.
Researchers from Barracuda and UC Berkeley, conducting a large-scale analysis of email account takeover and the timeline of attacks, recently highlighted the behaviors hackers are using to try to avoid detection, ways to identify suspicious activity that could indicate an email account has been compromised, and precautions you can take to protect your business.
Among the key findings:
- Attacks are spread out over a period of time; they don’t always happen as soon as the account is compromised
- Attackers are getting smarter about geography; they send phishing emails and perform other actions from IPs tied to similar regions and countries of the hacked account
- IP addresses and ISPs provide important clues; attackers tend to use anonymous IPs belonging to ISPs that are different from the hacked account’s provider
Email Account Takeover – Cybercriminals use brand impersonation, social engineering, and phishing to steal login credentials and access an email account.
Once the account is compromised, hackers monitor and track activity to learn how the company does business, the email signatures they use, and the way financial transactions are handled, so they can launch subsequent phishing attacks, including harvesting financial information and additional login credentials for other accounts.
Hackers execute account-takeover attacks using a variety of methods. In some cases, hackers leverage usernames and passwords acquired in previous data breaches.
Because people often use the same password for different accounts, hackers are able to reuse stolen credentials and gain access to additional accounts. Hackers also use stolen passwords for personal email accounts, and the access those accounts give them, to try to get into business email.
Brute-force attacks are also used to successfully take over accounts because people use very simple passwords that are easy to guess, and they don’t change them often enough. Attacks also come via web and business applications, including SMS.
To provide a detailed timeline analysis of an account-takeover attack, researchers used a combination of Barracuda’s artificial intelligence (AI) detectors to compile a list of users whose accounts were compromised in August 2019.
Researchers chose one compromised account, referred to as User X, and analyzed the Microsoft Azure login properties and email activity around the time of the first sign of potential compromise.
In addition to the data from Barracuda’s detectors, researchers had access to the raw emails, including the subject line, body content and originating IP address, as well as the Microsoft applications that had been used, including the IP address, time of login and operations performed.
This timeline looks at suspicious activity on User X’s account during the three weeks around the first flagged detection, evaluating three characteristics of each event: the date and UTC time, the state and country where the activity originated, based on the geolocation of the IP address, and the operation performed.
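The three characteristics the timeline evaluates (date and UTC time, state and country from IP geolocation, and the operation performed), together with the findings above about attackers staying in the account’s region while using a different ISP, map directly onto a small detection routine. The following is an added example, not code from the research or from Barracuda or Microsoft: it takes sign-in and mailbox audit events in an assumed, simplified record format (timestamp, IP, geolocated region and country, ISP owner of the IP, operation), learns the account’s usual ISPs and countries from its earliest events, and flags later events whose ISP differs, whose ISP name suggests anonymising infrastructure, or whose country is new. The sample events for "User X", the IP addresses (documentation ranges) and the ISP keyword list are all constructed for illustration.

```python
"""Build an account-takeover timeline from sign-in/audit events and flag the
signals described above: access from an ISP other than the account's usual
one, anonymising ISPs (VPN/proxy), and new countries.  The event format and
the ISP keyword list are assumptions, not Barracuda's or Microsoft's."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: substrings in an ISP name that suggest anonymising infrastructure.
ANONYMOUS_ISP_HINTS = ("vpn", "proxy", "hosting", "tor ")


@dataclass(frozen=True)
class Event:
    when: datetime     # UTC timestamp of the event
    ip: str            # originating IP (constructed, from documentation ranges)
    region: str        # state/province from IP geolocation
    country: str       # country from IP geolocation
    isp: str           # owner of the IP, as a WHOIS/ASN lookup would report it
    operation: str     # operation performed (login, mail access, rule change, send)


def _utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample for one account ("User X"): normal use from a home ISP in
# California, then access from a VPN provider in the same state (geography
# alone would not flag it), later a login from abroad.
SAMPLE = [
    Event(_utc("2019-07-22 15:02"), "192.0.2.10", "California", "US", "Example Cable Co", "UserLoggedIn"),
    Event(_utc("2019-07-23 14:55"), "192.0.2.10", "California", "US", "Example Cable Co", "MailItemsAccessed"),
    Event(_utc("2019-07-29 16:10"), "192.0.2.11", "California", "US", "Example Cable Co", "UserLoggedIn"),
    Event(_utc("2019-08-02 03:41"), "198.51.100.7", "California", "US", "Acme VPN Services", "UserLoggedIn"),
    Event(_utc("2019-08-02 03:43"), "198.51.100.7", "California", "US", "Acme VPN Services", "MailItemsAccessed"),
    Event(_utc("2019-08-05 04:12"), "198.51.100.9", "Nevada", "US", "Acme VPN Services", "New-InboxRule"),
    Event(_utc("2019-08-11 09:30"), "203.0.113.5", "Lagos", "NG", "Example Telecom NG", "Send"),
]


def baseline(events, first_n=3):
    """Learn the account's usual ISPs and countries from its earliest events.
    Assumption: the first `first_n` events predate any compromise."""
    known = sorted(events, key=lambda e: e.when)[:first_n]
    return {"isps": {e.isp for e in known}, "countries": {e.country for e in known}}


def flag(event, base):
    """Return the reasons an event looks suspicious (empty list if none)."""
    reasons = []
    if event.isp not in base["isps"]:
        reasons.append("isp differs from account's usual provider")
    if any(h in event.isp.lower() for h in ANONYMOUS_ISP_HINTS):
        reasons.append("anonymising ISP")
    if event.country not in base["countries"]:
        reasons.append("new country")
    return reasons


def timeline(events, first_n=3):
    """Chronological rows of (date/UTC time, region, country, operation, reasons)."""
    base = baseline(events, first_n)
    return [
        (e.when.strftime("%Y-%m-%d %H:%MZ"), e.region, e.country, e.operation, flag(e, base))
        for e in sorted(events, key=lambda e: e.when)
    ]


def first_suspicious(events, first_n=3):
    """Earliest flagged row: the point from which to widen the investigation."""
    for row in timeline(events, first_n):
        if row[4]:
            return row
    return None


if __name__ == "__main__":
    for when, region, country, op, reasons in timeline(SAMPLE):
        print(f"{when} | {region}, {country} | {op:18} | {' ; '.join(reasons) or '-'}")
```

Two design points follow from the findings. First, the baseline is keyed on ISP as well as country, because an attacker who deliberately connects from the victim’s own region still shows up with a different provider. Second, the timeline keeps every operation, not only logins, since the activity that matters (reading mail, adding inbox rules, sending) is spread over days or weeks after the first compromised sign-in.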