The Account Takeover is a type of attack with which criminals manage to steal the victim’s identity by stealing their login credentials.
In emails, identity theft is used to send spam emails in the victim’s name, or to field more complex scams that aim to intercept and change the IBAN of an invoice in order to send a transfer to the scammer’s checking account.
How does it work
Although the name may seem modern, the Account Takeover attack has been around for several years. The attacker’s goal is to get hold of the virtual identity of one or more victims, to then exploit them himself or sell them to others. To do this, hackers aim to steal or guess the password to access their victims’ email accounts.
Password theft can happen in several ways but the most used are:
- infect the victim’s computer or smartphone with a Trojan
- guessing the password with brute force attacks launched by botnets
- be provided directly by the user with the credentials via Phishing
- use passwords already stolen in previous attacks, hoping that the user will also use the same password for different services
- study the “target” person of the attack on social networks or through other public sources
The first types of attacks aim at automatically recovering a large number of credentials and then reselling them on the dark web to other criminals or launching new attacks, for example by sending phishing emails to retrieve further new credentials.
Another type of attack is where the victim is studied. This is potentially the most dangerous because it aims to get hold of the credentials of users who have access to money management in their organization, with the aim of diverting wire transfers to the accounts of criminals. From here, the “fake CEO scam” develops.
How to defend yourself
Defending yourself against this type of scam requires you to consider two main aspects.
People who work or collaborate with the company must be trained in order to know the risks of these scams and recognize suspicious signs. For example, an email from the CEO asking you for an urgent bank transfer and inviting you not to disturb him for further clarification because he is playing Golf.
It must be explained to company employees that it is always good to be suspicious of strange requests that arrive via email, even if they seem to come from trusted people.
In addition, it is necessary to make users understand the importance of proper password management by avoiding passwords that are too simple or reuse them on multiple services.
The most appropriate security measures must be adopted in the company. The purpose is to protect email accounts and, in general, any access to administrative panels, through adequate security measures, such as for example two-factor authentication or restricted access only from trusted IP addresses.
Furthermore, workstations and smartphones must be protected by adequate anti-virus security systems and the company network must also be protected by a Next Generation Firewall, a firewall that is not limited only to opening and closing ports, but analyzes network traffic to intercept potential risks while browsing the web or reading emails.
The more measures and security levels are implemented, both procedural and technical, the more difficult this type of attack becomes.
However, it is also necessary that the external service providers to which the company relies are equipped with adequate security measures and protection against this type of scams. In fact, in some cases, the attack takes place totally outside the company perimeter and cannot be detected in any way by the company security systems except when it has already caused damage.
How the Qboxmail Account Takeover Protection works
Qboxmail’s cloud business email management service already includes an Account Takeover Protection system.
Protection consists of various levels of analysis and procedures. Access to email boxes is constantly monitored and if the systems detect anything abnormal, due to the time or origin, they can trigger an alarm. In addition, certain types of actions are also monitored, such as emails with suspicious material or abnormal sending volumes.
The user is also notified if a forwarding of his emails to an external address is set in his email box. This is another type of setting hackers make to silently spy on victim’s emails.
When a suspicious activity is identified, it is automatically notified to both the user and his manager and the anomalous activity is immediately inhibited.
Through the control panel of Qboxmail it is possible to analyze these suspicious activities through Etlive, our system of analysis of the email traffic logs in real-time, and it is possible to apply additional security measures such as two-factor authentication, blocking of reuse old passwords, or restrict access to email accounts only from trusted IP addresses or corporate VPNs.