A Corporate Account Takeover (CATO) is an employee’s worst nightmare, as compromised accounts could usher in data breaches–leading to fines, lost business, lost revenue, or possibly even the shuttering of company doors.
I discussed the concept of CATO as well as prevention tips with Amit Rahav, vice president of marketing and customer success for Secret Double Octopus, a passwordless authentication service company.
SEE: Windows 10 security: A guide for business leaders (TechRepublic Premium)
Corporate Account Takeover: Defined
Scott Matteson: What does the threat of a Corporate Account Takeover involve?
Amit Rahav: CATO is a form of identity theft for businesses. Assuming an identity in a corporate network means that the attacker can gain access to the victim’s privileges and use this breached identity freely.
When I look at successful cases of CATO the damage falls under a few categories:
- Reputation – Attacks that are aimed at a company or its leadership— Mark Zuckerberg Twitter and Pinterest accounts in 2016
- Financial – Mostly done by business email compromise (BEC)—assuming an identity to invoice clients or a colleague to try to steal corporate/client funds.
- Data – Assuming an account with privileged access or utilizing privilege escalation to steal data and sell it.
How account takeovers work
Scott Matteson: How does an account takeover work?
Amit Rahav: Account takeovers always start with acquiring, guessing, or phishing credentials. In most cases by one of the following:
- Password spraying – Corporate user names are not hard to guess, in most organizations they will be first_name.last_name@domainname.com. Hackers are aware of this and use commonly used passwords to breach the accounts (For example the Citrix breach).
- Spear phishing – This is mostly done by using fraudulent emails (to ask the user to update/reset credentials or log into their account. By doing this hackers gain access to the password and are able to access the account, as seen in this year’s Apple Phishing campaign
- Social engineering – A targeted attack that relies on publicly available information about the victim, attempting the password of the target.
- Credential stuffing – Ever wondered what hackers do with stolen credentials? Think of yourself — how many passwords you manage and how many unique passwords you use. We all reuse passwords. Hackers are aware of this fact as well and will try to gain access by using previously breached credentials on commonly used services (like Office365/Dropbox) This is an extremely effective method as we saw in the HSBC case.
They are many more forms of attacks which rely on compromised communication channels (Man in the middle) or malicious software (Keylogger, Mimikatz, RAM scrapers), which are all aimed at stealing passwords.
Scott Matteson: What industries are most impacted by account takeovers?
Amit Rahav: This is very hard to tell as I have not seen any official statistics regarding targeted verticals. However, hackers mostly aim higher–the bigger the better. We are all at risk.
Scott Matteson: How we can we reduce the threat?
Amit Rahav: Password policies and employee training are necessary, but marginally effective approaches. Second authentication is a step in the right direction, but it still leaves users vulnerable to many of these attack approaches—as long as users are in charge of setting and recalling passwords. Recently, authentication began moving to passwordless schemes that avoid relying on scam-prone humans who are susceptible to phishing, credential stuffing, and password spraying.
Besides that, companies should deploy endpoint detection and response (EDR) clients on each workstation and server to protect from malicious code, and look to combine workstation health and identity trust.
Scott Matteson: What are some examples of this?
Amit Rahav: HSBC and Citrix are only a few of the companies that were affected by Corporate Account Takeover. There are many more. However, what we must focus on are the vulnerabilities in popular systems like Microsoft accounts, Dropbox, and WinRAR — allowing hackers access to millions of business. As long as businesses rely on passwords as an authentication factor hackers will keep finding ways to phish them.
Scott Matteson: How might the bad guys evolve their tactics to overcome preventative measures?
Amit Rahav: On January of this year, hackers found a vulnerability that allowed them to bypass Microsoft multi-factor authentication (MFA) by utilizing an inherent security flaw in its IMAP protocol. Gmail soon followed when hackers found a way to get around its second factor as well.
The bad guys are always searching for new ways to bypass authentication factors, utilizing public information for spear phishing and malware designed to steal passwords. This cat and mouse game will continue to evolve from both sides.
Scott Matteson: Where is the field headed?
Amit Rahav: In the words of Bruce Schneier, the whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it’s easy to remember, it’s something nonrandom like ‘Susan.’ And if it’s random, like ‘r7U2*Qnp,’ then it’s not easy to remember.
The Cybersecurity industry is moving to a passwordless future, removing the problem from the root. Microsoft, Google and yours truly are some of the many companies developing new technologies to combat password authentication.
Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays
Image: Getty Images/iStockphoto
