How to Detect, Prevent, & Mitigate an Account Takeover Attack (ATO)

As a business, you can easily defend against the most common type of scam, an Account Takeover Attack (ATO), with a few basics done right.

The afternoon of August 30, 2019, was bizarre for Jack Dorsey’s Twitter (now X) followers. “He” was on a reckless spree, lasting about 20 minutes, of tweeting racial slurs and other offensive messages.

His fans might have taken it as an unusual mental breakdown from the CEO of the biggest microblogging website. However, Chuckling Squad, the group behind this “adventure,” had left links to their discord channel in the misleading tweets from Jack’s account.

Later, Twitter (now X) confirmed the incident.

This was a classic Account Takeover (ATO) Attack, a Sim Swapping one in particular, in which the hackers remotely took control of Jack’s phone number and tweeted from a third-party tweeting service, Cloudhopper.

What are the odds favoring an average user if the CEO of a top-level tech company can be a victim?

So, join me to talk about the various forms of ATO and how to keep your organization safe.

What is an ATO Attack?

An account takeover (ATO) attack, as suggested by its name, employs various techniques (discussed later) to hijack a victim’s online account for numerous illicit purposes, such as financial scams, accessing sensitive information, defrauding others, and more.

How Does ATO Work?

The crux of an ATO attack is stealing account credentials. Bad actors do this by various means, such as:

1. Social Engineering: It’s to psychologically force or persuade a person into revealing their login details. This can be done on the pretext of tech support or fabricating an emergency-sort-of situation, giving little time to the victim to think rationally.
2. Credential Stuffing: A subset of brute force, credential stuffing means a scamster trying to make random login details work, often obtained from a data breach or purchased from the dark web.
3. Malware: Dangerous, unwanted programs can do many things to your computer. One such instance is to steal the logged-in accounts and send the details to the cybercriminal.
4. Phishing: The most common form of cyberattack, phishing, normally starts with a simple click. This seemingly harmless action takes the user to a counterfeit where the to-be victim enters login credentials, paving the way for an upcoming ATO attack.
5. MITM: Man-in-the-middle attack represents a situation where a skilled hacker “listens” to your incoming and outgoing network traffic. Everything, including the usernames and passwords you enter, is visible to a malicious third party.

These were the standard ways cyberthieves employ to criminally acquire login credentials. What follows is account takeover, unlawful activity, and an attempt to keep the access “live” as long as possible to further victimize the user or carry on attacks on others.

More often than not, the bad guys try to lock out the user indefinitely or set up backdoors for a future attack.

Though no one wants to go through this (neither did Jack!), it helps a ton if we can catch it up front to avoid damage.

Detecting an ATO attack

As a business owner, there are a few ways to spot an ATO attack on your users or employees.

#1. Unusual Login

These can be repeated login attempts from different IP addresses, especially from geographically distant locations. Similarly, there can be logins from multiple devices or browser agents.

In addition, login activity outside the normal active hours may reflect a possible ATO attack.

#2. 2FA Failures

Repeated two-factor authentication or multi-factor authentication failures also signal misconduct. Most of the time, it’s a bad actor trying to log in after getting hold of the leaked or stolen username and password.

#3. Abnormal Activity

Sometimes, it doesn’t take an expert to take note of an anomaly. Anything widely off the normal user behavior can be flagged for account takeover.

It can be as simple as an inappropriate profile picture or a series of spammy emails to your clients.

Ultimately, it’s not easy to detect such attacks manually, and tools like Sucuri or Acronis can help in automating the process.

Moving on, let’s check out how to avoid such attacks in the first place.

Preventing an ATO attack

In addition to subscribing to cybersecurity tools, there are a few best practices you can take note of.

#1. Strong Passwords

Nobody likes strong passwords, but they are an absolute necessity in the present threat landscape. Therefore, don’t let your users or employees get away with simple passwords, and set some minimum complexity requirements for account registration.

Especially for organizations, 1Password business is a strong choice for a password manager who can do the hard work for your team. Besides being a password keeper, top-notch tools also scan the dark web and alert you in case any credential is leaked. It helps you to send password reset requests to the affected users or employees.

#2. Multi-factor authentication (MFA)

For those who don’t know, Multi-factor authentication means the website will ask for an additional code (delivered to the user’s email or phone number) besides the username and password combination to get in.

This is generally a robust method to avoid unauthorized access. However, scammers can make quick work of MFA via social engineering or MITM attacks. So, while it’s an excellent first (or second) line of defense, there is more to this story.

#3. Implement CAPTCHA

Most ATO attacks start with bots trying random login credentials. Therefore, it’ll be a whole lot better to have a login challenge like CAPTCHA in place.

But if you think this is the ultimate weapon, think again because there are CAPTCHA-solving services out there that a bad actor can deploy. Still, CAPTCHAs are good to have and protect from ATOs in many cases.

#4. Session Management

Auto logout for inactive sessions can be a lifesaver for account takeovers in general since some users log in from multiple devices and move on to others without signing out from the previous ones.

In addition, allowing only one active session per user can also prove helpful.

Finally, it will be best if users can log out from active devices remotely and there are session management options in the UI itself.

#5. Monitoring Systems

Covering all the attack vectors as a start-up or mid-level organization isn’t that easy, especially if you don’t have a dedicated cyber safety department.

Here, you can rely on 3rd-party solutions like Cloudflare and Imperva, besides the already stated Acronis and Sucuri. These cybersecurity companies are some of the best to deal with such issues and can efficiently prevent or mitigate ATO attacks.

#6. Geofencing

Geofencing is applying location-based access policies for your web project. For instance, a 100% US-based business has little to no reason for allowing Chinese users. While this isn’t a foolproof solution for preventing ATO attacks, it adds to the overall security.

Taking this a few notches up, an online business can be configured to allow only certain IP addresses allotted to its employees.

In other words, you can use a business VPN to put an end to account takeover attacks. Besides, a VPN will also encrypt the incoming and outgoing traffic, shielding your business resources from man-in-the-middle attacks.

#7. Updates

As an internet-based business, you probably deal with a lot of software applications, such as operating systems, browsers, plugins, etc. All these get outdated and need to be updated for the best possible security. Though this isn’t directly related to ATO attacks, an obsolete piece of code can be an easy gateway for a cybercriminal to wreak havoc on your business.

Bottom line: push regular security updates to business devices. For users, trying to educate them to keep the applications to their latest versions can be a good step forward.

After all this and more, there is no security expert who can guarantee 100% safety. Consequently, you should have a vigorous remedial plan in place for the fateful day.

Fighting ATO attack

The best thing is to have a cybersecurity expert onboard, as each case is unique. Still, here are some steps to guide you in a common post-ATO attack scenario.

Contain

After you detect an ATO attack on some accounts, the first thing to do is temporarily disable the affected profiles. Next, sending a password and MFA reset request to all the accounts can be helpful in limiting the damage.

Inform

Communicate with the targeted users about the event and the malicious account activity. Next, inform them about the momentary ban and account restoration steps for safe access.

Investigate

This process can be best accomplished by a seasoned expert or a team of cybersecurity professionals. The objective can be to identify the affected accounts and ensure the attacker isn’t still in action with the help of AI-powered mechanisms, such as behavior analysis.

In addition, the extent of the data breach, if there is one, should be known.

Recover

A full-system malware scan should be the first step in a detailed recovery plan because, more often than not, criminals plant rootkits to infect the system or to maintain access for future attacks.

At this stage, one can push for biometric authentication, if available, or MFA, if not employed already.

Report

Based on the local laws, you might need to report it to government authorities. This will help you stay compliant and pursue a lawsuit against the attackers if needed.

Plan

By now, you know about some loopholes that existed without your knowledge. It’s time to address them in the future security package.

In addition, take this opportunity to educate the users about this incident and request to practice healthy internet hygiene to avoid future issues.

Into the Future

Cybersecurity is an evolving domain. Things considered safe a decade ago might be an open invitation to scammers at present. Therefore, staying abreast of the developments and upgrading your business security protocols periodically is the best way forward.

If you’re interested, Geekflare’s security section is a bookmark-worthy library of articles aimed at start-ups and SMBs that we write and update regularly. Keep checking out these, and I’m sure you can check the “staying abreast” part of the security planning.

Stay safe, and don’t let them take over those accounts.