Understanding Account Takeovers

Learn how account takeovers work, potential outcomes of ATO fraud, and how to protect against them.

Through a marketplace on the dark web, a threat actor is able to purchase leaked credentials for the email account of an executive at an organization. The credentials are valid, and after gaining access, the threat actor, who is posing as the owner of the account, sends out emails to various business partners asking for funds, combs through old emails for attachments that contain valuable data, and then uses their access to gain a foothold in the larger network and launch a more sophisticated attack on the organization. 

This is an account takeover (ATO) attack in action. Account takeover attacks are widely used by threat actors and can lead to serious consequences for victim organizations and individuals. 

What is Account Takeover?

Account takeover (ATO), also referred to as account takeover fraud, occurs when a threat actor or threat group takes control of an online account after obtaining valid credentials, or an equivalent such as a stolen session token, for it.

Once access is obtained, threat actors can use the newfound control to conduct phishing attacks, steal valuable data, reach other parts of a network, or launch a subsequent malware or ransomware attack. While ATO attacks have traditionally centred on email, the rise of software-as-a-service (SaaS) applications, cloud infrastructure, and remote connectivity tools has greatly expanded the identity attack surface, increasing both the number and the types of accounts a threat actor can potentially take over. 

ATO attacks have long been a tool in threat actors’ arsenals, but their frequency has been ticking upwards in recent years. According to an annual survey by Security.org, 29% of individuals experienced ATO in 2024, up from 2% in 2021.  

How an Account Takeover Attack Works

The crux of any ATO attack is obtaining credentials, and unfortunately, credential theft is rampant. According to the 2024 Verizon Data Breach Investigations Report, stolen credentials were a top attack action that year, seen in 24% of incidents. Credential theft often occurs during cyber attacks in which credentials are exfiltrated and then leaked or sold on the dark web, but that is not the only way threat actors obtain them. 

Threat actors can gain access to accounts through: 

  • The exploitation of a vulnerability in an online application or in identity infrastructure 
  • The breach of a third-party credential store, such as a password manager (as in the LastPass breach) 
  • A credential stuffing attack, in which username and password pairs leaked from one service are replayed against others, relying on password reuse 
  • A brute-force attack, in which passwords are guessed rather than replayed 
  • A man-in-the-middle (adversary-in-the-middle) attack, where threat actors intercept credentials as they are entered into an application, often by proxying the real login page 
  • A keylogging attack, where malware records keystrokes made on an endpoint, letting threat actors capture credentials as they are typed 
  • Other malware attacks, such as a trojan or an infostealer that harvests saved browser passwords and session cookies 


Once credentials are obtained – or a threat actor gains access to an account through more technical means such as a vulnerability in the application itself – the threat actor can then take control of the account and complete subsequent actions or launch further attacks. 

ATO attacks can vary in scale, with myriad consequences. Here, we’ll look at two different examples to highlight how the attack works. 

E-Commerce ATO

A threat actor obtains a list of customer usernames and passwords, either from a breach of the e-commerce organization itself or from a breach elsewhere whose victims reused the same password. Rather than brute-forcing (guessing) passwords, the threat actor loads the list into a credential stuffing tool that replays each pair against the consumer login page, usually from many source IPs and at a rate tuned to stay under lockout thresholds. Most pairs fail, but some succeed. With control of a valid account, the threat actor can view (and steal) the payment card on file or place fraudulent orders. This is a “rinse and repeat” activity: every valid pair in the list yields another account, giving the threat actor a high volume of card and user data all attached to a single e-commerce platform. In the site’s login telemetry the attack shows up as many distinct accounts attempted from one source in a short window with a high failure rate, with the few successes being the accounts that were actually taken over. 

Financial services ATO

Financial services organizations are at high risk of ATO attacks because of the large volume of financial data and other personally identifiable information (PII) they hold. In this scenario, a threat actor, through one of the means discussed above, obtains credentials for the email account of the organization’s CFO. Reading through the mailbox, the threat actor downloads attachments that contain client banking details (such as account and routing numbers), the organization’s own financial data, which can be held for ransom, or even credentials for the financial applications and bank accounts the organization uses. With just one set of credentials, the threat actor has metaphorically opened a number of vaults. 

Account Takeover and BEC Attacks

ATO attacks and business email compromise (BEC) attacks are closely linked. ATO is often the precursor to a BEC attack, which is one of the most frequent and costly forms of cyber attack. When a BEC attack is run from a compromised mailbox, that compromise is sometimes called an email account takeover (EAT) or email account compromise (EAC), a form of ATO. Not every BEC attack requires an account takeover, however: many rely on spoofed or lookalike sender domains rather than on access to a real account, which is why mail authentication (SPF, DKIM, DMARC) and impersonation detection matter alongside identity controls. 

Initially, BEC referred exclusively to ATO incidents in which a threat actor gained access to a legitimate email account within an organization and, masquerading as the account holder, convinced one or more people within that organization to perform some action benefitting the attacker, usually transferring funds to an account controlled by the threat actor. BEC has since expanded in scope, and where the two are found together, ATO now typically serves as the initial action in the BEC attack rather than as the whole of it.  

BEC attacks continue to rise at alarming rates and comprise roughly 30% of the total cases investigated by Arctic Wolf® Incident Response over the past few years. Additionally, 70% of organizations were the targets of attempted BEC attacks within the last year, according to The State of Cybersecurity: 2024 Trends Report.  

Potential Outcomes of ATO Fraud

Once an account has been taken over by a threat actor, the consequences range from financial fraud to data exfiltration to the launch of a crippling ransomware attack. The threat actor now operates as the account’s legitimate user and can move laterally, escalate privileges, or access and drain financial accounts, among other actions. 

Consequences of ATO fraud include: 

  1. The launch of a BEC attack
  2. Exfiltration of data attached to, or that can be accessed from, the compromised account
  3. Lateral movement within the application or network, as well as privilege escalation within the network
  4. Subsequent internal phishing attacks, as well as supply-chain phishing to partners, associates, and customers
  5. Financial fraud or theft
  6. Reputation damage with clients, partners, and customers
  7. Potential downtime for remediation of the ATO attack or any subsequent attack that originated with ATO
  8. Potential fines and consequences for compliance violations

Protection against ATO Attacks

As with many of the tactics employed by threat actors today, no single defense will stop an ATO attack from reaching your organization. Instead, guard the fortress at multiple points, with layered controls that both lower the chance an attack begins and limit how far it can escalate once it does.  

Defenses against account takeover include: 

  • Deployment of email security controls that can remove malicious emails from inboxes, flag suspicious emails and potential impersonations, and block malicious links. These help contain an ATO once a mailbox is compromised, for example by catching the internal phishing the attacker sends from it. 
  • Employment of multi-factor authentication (MFA) across all applications. A critical piece of the IAM puzzle, MFA blocks most attempts that rely on a stolen password alone, and an unexpected prompt can alert users and security teams to suspicious account activity. It is not absolute: adversary-in-the-middle phishing kits proxy the real login page to relay one-time codes and capture the resulting session cookie, and push-notification fatigue attacks coax users into approving prompts they did not initiate. Prefer phishing-resistant factors (FIDO2/WebAuthn security keys or passkeys) for privileged accounts, and alert on rejected MFA prompts and newly enrolled MFA methods. 
  • Implementation of security awareness training that offers engaging content around ATO attacks and the BEC attacks that follow them. This reduces overall human risk while helping users spot the signs of a compromised account, such as a colleague’s unusual request for a payment or a password. 
  • Comprehensive 24×7 monitoring that ingests telemetry from multiple sources, including identity, cloud, endpoints, and applications. An ATO attack doesn’t always start and end with an email account, so broad visibility lets security teams monitor and act on multiple parts of the attack surface and respond before the attack escalates. Indicators worth correlating include sign-ins from new countries or devices, impossible travel between consecutive sign-ins, bursts of failed logins across many accounts from one source, new inbox forwarding rules, newly enrolled MFA methods, and unexpected OAuth application consents.  
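To make the monitoring bullet concrete, here is a small detection script that flags the two patterns described earlier on this page: the e-commerce credential stuffing burst (many accounts tried from one source, mostly failing, with a few successes) and the mailbox takeover (a sign-in from a country the account has never used, followed by a sensitive action such as creating a forwarding rule). It is an added example, not code from the original page or from Arctic Wolf. The log format, field names, event names (inbox_forwarding_rule_created and so on), and thresholds are assumptions, and the sample log lines are constructed.

```python
"""Account-takeover detection over sign-in telemetry (added example).

1. Credential stuffing: one source IP tries many distinct accounts in a short
   window and mostly fails; any success inside that window is a likely ATO.
2. Post-compromise activity: an account signs in from a country it has never
   used and, soon after, performs a sensitive action (e.g. a forwarding rule).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data: one JSON object per line with the
# fields most identity providers export in some form. 198.51.100.0/24 and
# 203.0.113.0/24 are documentation address ranges; user names are invented.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "user": "alice", "ip": "198.51.100.10", "country": "US", "outcome": "success"}
{"ts": "2024-05-01T09:05:00Z", "user": "bob", "ip": "198.51.100.11", "country": "US", "outcome": "success"}
{"ts": "2024-05-03T02:10:00Z", "user": "alice", "ip": "203.0.113.7", "country": "RO", "outcome": "failure"}
{"ts": "2024-05-03T02:10:01Z", "user": "bob", "ip": "203.0.113.7", "country": "RO", "outcome": "success"}
{"ts": "2024-05-03T02:10:02Z", "user": "carol", "ip": "203.0.113.7", "country": "RO", "outcome": "failure"}
{"ts": "2024-05-03T02:10:03Z", "user": "dave", "ip": "203.0.113.7", "country": "RO", "outcome": "failure"}
{"ts": "2024-05-03T02:10:04Z", "user": "erin", "ip": "203.0.113.7", "country": "RO", "outcome": "failure"}
{"ts": "2024-05-03T02:10:05Z", "user": "frank", "ip": "203.0.113.7", "country": "RO", "outcome": "failure"}
{"ts": "2024-05-03T02:45:00Z", "user": "bob", "ip": "203.0.113.7", "country": "RO", "outcome": "success", "action": "inbox_forwarding_rule_created"}
{"ts": "2024-05-03T08:30:00Z", "user": "alice", "ip": "198.51.100.10", "country": "US", "outcome": "failure"}
{"ts": "2024-05-03T08:30:20Z", "user": "alice", "ip": "198.51.100.10", "country": "US", "outcome": "success"}
"""

# Actions attackers typically take right after seizing a mailbox or identity.
# Event names are illustrative assumptions, not any vendor's schema.
SENSITIVE_ACTIONS = {"inbox_forwarding_rule_created", "password_changed", "mfa_method_added"}


def parse_events(text):
    """Parse newline-delimited JSON into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_failure_ratio=0.5):
    """Per source IP, slide a time window over its attempts and report the window
    touching the most accounts (>= min_users) with a high failure rate. Accounts
    that succeeded inside that window are the ones likely taken over."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, attempts in by_ip.items():       # attempts are already time-ordered
        best, start = None, 0
        for end in range(len(attempts)):
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {e["user"] for e in chunk}
            failures = sum(e["outcome"] == "failure" for e in chunk)
            if len(users) >= min_users and failures / len(chunk) >= min_failure_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"ip": ip, "distinct_users": len(users), "attempts": len(chunk),
                            "failures": failures,
                            "compromised": sorted({e["user"] for e in chunk
                                                   if e["outcome"] == "success"})}
        if best:
            findings.append(best)
    return findings


def detect_account_takeover(events, followup=timedelta(hours=24)):
    """Per account, flag a successful sign-in from a country absent from that
    account's earlier successful sign-ins when a sensitive action follows from the
    same country within `followup`. The first-ever sign-in seeds the baseline."""
    seen_countries = defaultdict(set)   # user -> countries of past successful sign-ins
    pending = {}                        # user -> the suspicious new-country sign-in
    findings = []
    for ev in events:
        if ev["outcome"] != "success":
            continue
        user, country = ev["user"], ev["country"]
        if seen_countries[user] and country not in seen_countries[user]:
            pending[user] = ev
        first, action = pending.get(user), ev.get("action")
        if (first is not None and action in SENSITIVE_ACTIONS
                and country == first["country"] and ev["ts"] - first["ts"] <= followup):
            findings.append({"user": user, "ip": ev["ip"], "country": country,
                             "action": action, "first_seen": first["ts"].isoformat()})
            del pending[user]
        seen_countries[user].add(country)
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in detect_credential_stuffing(evs):
        print("credential stuffing:", f)
    for f in detect_account_takeover(evs):
        print("likely account takeover:", f)
```

On the sample, the stuffing detector reports 203.0.113.7 touching six accounts with five failures and one success (bob), and the takeover detector reports bob because the new-country sign-in was followed 35 minutes later by a forwarding rule; alice’s mistyped password from her usual address triggers neither. The thresholds are starting points: attackers spread stuffing across many IPs to stay under per-source limits, so in production you would also bucket by ASN, user agent, or device fingerprint, and a new-country sign-in alone is noisy (travel, VPNs), which is why the second detector waits for the sensitive follow-up action before alerting.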

Arctic Wolf understands both the threats organizations face and the technology, people, and processes needed to stop tried-and-true attacks like ATO. Not only does Arctic Wolf have multiple solutions that help organizations prevent and respond to threats across their attack surface, but the Arctic Wolf Aurora Platform™ is built on open-XDR technology, allowing Arctic Wolf to work with the security your organization already has in place while adapting to your existing tech stack.  

Arctic Wolf partners with Mimecast to help organizations better secure their email, reducing the risk of ATO and BEC attacks. This is in addition to Arctic Wolf’s partnership with Okta, a technology that enables organizations to better control access and reduce identity risks.  

Learn more about the current cybersecurity and threat landscape with the Arctic Wolf 2024 Security Operations Report.  

Explore how strong security awareness training can reduce the risk of ATO attacks within your organization.