Whether it’s from social engineering, phishing or other cyber-attacks, an account is compromised when a threat actor gains access to credentials and/or other means to perform actions on behalf of the targeted user. Stealing user credentials leaves corporate accounts vulnerable to numerous additional attacks such as ransomware, rootkits, keyloggers, data eavesdropping and theft, privilege escalation, and any other malicious activity leveraging the user’s compromised account.
Why and How It Happens
Every attacker has their own intentions and reasons for launching threats against a target, but generally the goal after compromising an account is to go into the second phase. The second phase is to steal data, destroy data, or install malware on the network. The second phase may require privilege escalation, but this step depends on the environment and authorisation to the compromised user account.
Phishing is a primary tool used by attackers to steal data. Hacking is a business, and a successful phishing campaign can bank an attacker millions of dollars in revenue. Exfiltrating data isn’t the only way for an attacker to earn revenue. Compromising accounts and installing ransomware are also common. Using ransomware, an attacker can blackmail a targeted organisation into sending money in exchange for their files. Ransomware encrypts data with a cryptographically secure cipher, so an organisation with poor backups has no choice but to pay the ransom. If an organisation refuses to pay the ransom, an attacker might threaten to expose their data to the public.
How account compromise happens depends on the attacker’s strategy. The biggest threat to organisations is phishing email messages. When a message reaches a user’s inbox, employees must recognise that it’s a phishing email, leaving cybersecurity to human instinct. Human error and insider threats are two of the biggest threats to any organisation’s security. Phishing attacks effectively carry out strategies that trick users into divulging their credentials and other sensitive information.
An attacker has two main phishing strategies to mislead users into divulging their credentials. The first one is to send a link to a malicious website to a targeted recipient. The website looks similar to an official corporate site, and the user enters their credentials thinking that they must authenticate into the application. Phishing exercises often use this strategy to find users who need more cybersecurity training.
The other phishing strategy tricks users into running malicious scripts or executables on their machines. Threat actors commonly use Microsoft Office macros to carry out this attack. After a user opens a malicious document, the macro then downloads malware. The malware might be a keylogger to capture credentials on the machine, or the malware could install a rootkit giving an attacker remote access to the user’s local machine.
Social engineering is also a common strategy for attackers to access account credentials. An attacker might pretend to be a part of the operations team and trick a user into divulging information. It’s also important for users to recognise social engineering by questioning anyone asking for sensitive data and never divulging their credentials to anyone asking.
Social engineering and phishing are the two main ways an attacker can compromise an account’s credentials, but it’s important to remember that the cybersecurity landscape is constantly evolving and changing. Logs containing plaintext passwords, compromised databases with stored passwords, and authentication over cleartext channels are other ways that attackers can steal sensitive information and user credentials.
Types of Accounts That Can Be Compromised
Business network accounts aren’t the only types targeted in an ongoing threat. Other accounts can inadvertently give an attacker access to credentials or enough sensitive data to provide the attacker with monetary value. Any third-party business account (e.g., social media) should also be monitored and protected against threats.
The first common target is email accounts. Business email accounts are perfect for a compromise because they can reset passwords across different business applications. Email account compromise can be the start of privilege escalation. An attacker can use the account to send requests for additional privileges or trick other high-privileged users into divulging their accounts.
For individual accounts, the attacker can email friends from the compromised account to trick them into divulging their credentials or collect them from a malicious website. Individual account compromise is often used to reset passwords on highly sensitive financial applications and accounts.
Social media accounts are also targets. These accounts often contain sensitive information about the targeted user. For example, Facebook accounts contain information about the user’s birthday, place of work, friends, pet names, children and relative names, and other personal data that could be used in a brute-force dictionary attack. Users often use private details to create passwords, so collecting as much data from them as possible can lead to a compromised business account.
The third type of account commonly targeted is financial ones. Financial accounts include credit card accounts, bank accounts, trading accounts, or other accounts that store money. These accounts could be sold on darknet markets or used to transfer money to an attacker. Banking institutions have several fraud detection systems in place to fight compromised accounts, but users and businesses should still be vigilant about protecting their data from credential theft.
Indicators of a Compromised Account
An attacker will try their best to avoid detection, so users and monitoring systems must watch for specific signs of a compromise. In business monitoring systems, artificial intelligence is used to detect a compromised account more accurately. Monitoring systems continually collect data, and artificial intelligence determines when an account is compromised based on several observable factors.
A few indicators of a compromised account include:
- Unusual outbound traffic: Attackers will send data slowly to an outside network as they collect data. The data transferred will show unusually high outbound traffic, especially during off-peak hours.
- Irregular high-privilege user activity on sensitive data: High-privilege users will commonly access sensitive data, but usually in a pattern. For example, an HR person will commonly access employee data every Friday. In a compromise, an attacker might exfiltrate employee data quickly and during off-peak hours.
- Network requests from strange country geolocations: If all your employees are located within the US, then VPN or network access from offshore IP addresses could indicate an account compromise.
- Elevated failed authentication requests: In a brute-force attack, high numbers of failed authentication attempts would be detected. Account lockout processes will stop these authentication attempts, but an attacker will continue with other user accounts until they successfully find a credential match with a compromised account.
- Increase in database reads: An attacker attempting to breach a database will probe tables and send queries to find vulnerable data.
- Unusually high access attempts on important files: In corporate espionage, access to files that contain trade secrets and intellectual property is highly valuable to an attacker.
- Suspicious configuration changes: An attacker can provide a backdoor for persistent access and threats by changing system configurations.
- Flooded device traffic to a specific address: Hacked user devices could become a part of a botnet used in a distributed denial-of-service (DDoS) against a specific target.
Results of a Compromised Business Account
Although some attackers focus on individual accounts, Business Email Compromise (BEC) is more common due to the highly sensitive information available on a business network. High-privileged users are often primary targets, especially in spear-phishing attacks. With access to a CEO email account or the VP of HR, an attacker can access almost any data on the network.
Impersonation is the most significant representative of high-privilege BEC attacks. For example, with a CEO email account, an attacker can send an employee a message to transfer money to an attacker-controlled account. The attacker uses urgency and the CEO position of command to convince unsuspecting employees to do what the attacker wants them to do. This is also known as CEO fraud.
Invoice scams are also common after a successful account compromise of a high-privileged account. An attacker might pretend to be a corporate accountant and convince a financial employee to pay a fraudulent invoice. Invoice scams often use a combination of social engineering and compromised email accounts to trick targeted users.
Instead of focusing on tricking key employees, an attacker may focus on exfiltrating data using the compromised account. Data can be exfiltrated to an external server with a high-privilege user account. The attacker might leave backdoors for standard user accounts or attempt privilege escalation to access more critical data.
How Accounts are Compromised
Phishing is the primary attack vector in credential theft and account compromises. Businesses that do not have any email security and protection solutions in place are at high risk of this type of attack. Attackers spoof email headers or register domain names with one-letter misspellings to trick users into thinking an email is from an official sender. Users who overlook the subtle red flags associated with phishing are vulnerable to phishing and credential theft.
It’s not uncommon for people to use the same password across multiple websites, including business websites. Not every site owner uses cryptographically secure ways to store credentials. Attackers who gain access to passwords in one compromised database will use the stolen credentials to discover other accounts using the same credentials. Employees may use the same credentials across their own business and private accounts, making them vulnerable to a compromise.
Installed malware can silently eavesdrop on user activity and account credentials. Using keyloggers, remote access malware (rootkits), and other eavesdropping tools, an attacker can silently collect user credentials and send them over the internet to an external server. Malicious files attached to email accounts will download malware and automatically install it on the network so that attackers can collect credentials.
Finally, if an attacker gains access to the internal network from poor firewall configurations or a compromised system, the attacker can then traverse the network and find vulnerable data. After a compromise, any data within the attacker’s reach is vulnerable to theft and disclosure to a third party.
Compromised Account Recovery
If you think your account has been compromised, you can take several steps to eliminate the threat and recover your account to its original state. Forensics into a data breach is a specific skill set that should be done by a professional, but the first step after a compromise is to contain and eradicate the threat. Regaining access to the account and changing its password is the first step in eradication, and the compromise should then be reported to the proper authorities.
A few steps to recover your account:
- Authenticate into your account and change its password. For some systems, such as email, the email application will allow you to kick out any additional sessions so that you are the only one authenticated into the account.
- Read the email, including the trash, to identify if any other passwords have been reset using your email account. Log into these accounts and reset their passwords as well.
- Reset passwords on critical accounts such as your bank account, additional business resources such as essential applications and databases, and social media accounts.
- Configure multi-factor authentication (MFA) to stop additional compromises. MFA requires an additional PIN before anyone can access your account, which prevents a third party from accessing your account after credential disclosure.
- Change security questions to obscure answers that do not match your current private details, such as pets, family, and important dates.
- Change your password every thirty days to avoid future compromises. Old passwords active for years provide attackers with a longer window of opportunity.
- Do not use passwords across multiple systems to avoid being a victim of an account compromise on several of your accounts after one application suffers from a data breach.
- Scan your system for any malware or viruses to find any malicious applications that could be sending private details to an attacker.
How Proofpoint Can Help
Proofpoint can help monitor, defend, investigate, and remediate account compromises and the data breaches that often follow. We have a complete cloud app security broker that monitors and protects your cloud applications from being victims of a compromise. Let us secure your critical applications, protect your users, and give you the tools to fully monitor and mitigate common attacks involving your business accounts. Our information protection solutions apply security solutions and other technologies, as well as processes and policies, to secure information across your cloud services, email, endpoint, and on-premises file shares.