What Is a Compromised Account?

An account is compromised when a threat actor gains access to a user’s credentials or finds another way to act on their behalf. Credential theft leaves an account vulnerable to numerous additional attacks such as:

• Ransomware
• Remote access malware (rootkits)
• Keyloggers
• Data eavesdropping and theft
• Privilege escalation

Threat actors steal credentials to gain access to accounts in many ways, including phishing, social engineering and other cyber attacks. 

Every cyber attack against a user has a goal. Generally, account compromise is only the first step. The second phase is where the attacker achieves their goal, which is to steal data, destroy data or install malware on the network. This phase may require privilege escalation depending on the environment and the account’s authorization level.

Phishing is a popular tool cyber attackers use to exfiltrate data. Hacking is a business, and a successful phishing campaign can bring in millions of dollars in revenue. But data theft isn’t the only way to earn revenue. Attackers also compromise accounts to install ransomware. In a ransomware attack, data is encrypted with a cryptographically secure cipher. An organization with poor backups has no choice but to send money to the attacker in exchange for their files. If the organization refuses to pay up, the attacker may threaten to expose their data to the public.

How Does Account Compromise Happen?

Phishing. Phishing emails are a critical threat to every organization. That’s because attackers depend on people making mistakes. When a phishing email is delivered to an inbox, a user must recognize that it’s malicious. But users may not have the time to fully scrutinize a message before clicking a link or downloading an attachment. Human error is the weak link in any organization’s security. Phishing attacks effectively trick users into divulging their credentials and other sensitive information.

An attacker has two main phishing strategies for tricking users into divulging their credentials. The first one is to send them a link to a malicious website that looks like an official corporate site. Users enter their credentials thinking that they need to authenticate. This strategy often succeeds when employees don’t get regular cybersecurity training.

Another phishing strategy tricks users into running malicious scripts or executables on their devices. Microsoft Office macros are commonly used for this attack. After a user opens a malicious document, the macro downloads malware. The malware might be a keylogger to capture credentials. Or it might install a rootkit that gives an attacker remote access to the user’s local device.

Social engineering. This strategy exploits people’s instinct to trust. An attacker pretends to be someone trustworthy, like a member of the operations team, to trick a user into handing over information. It’s important for users to learn how to recognize social engineering. Users should verify the identity of anyone asking for sensitive data and not just hand over their credentials when asked for them.

Social engineering and phishing are the two main ways attackers compromise account credentials. But it’s important to remember that the cybersecurity landscape is constantly evolving. Some other ways attackers steal user credentials and sensitive information include:

• Logs with plaintext passwords
• Compromised databases with stored passwords
• Authentication over cleartext channels

Business network accounts aren’t the only targets. Other accounts can be useful to attackers in a round-about way. For example, some inadvertently give attackers sensitive data that can lead to account compromise.

• Business email accounts. These accounts are perfect for a compromise because they can be used to reset passwords across different business applications. They can also be the starting point for privilege escalation. This is where an attacker uses the account to send requests for additional privileges or to trick other high-privileged users into handing over their credentials.
• Individual email accounts. An attacker uses the compromised account to email friends and trick them into revealing their credentials. This type of compromise is often used to reset the passwords of highly sensitive accounts, like financial applications.
• Social media accounts. These accounts are often treasure troves of sensitive user information. For example, a Facebook account might have information about a user’s birthday, place of work, friends, pet names, children and relative names, and other personal data. All of which can be used in a brute-force attack. Users often create passwords using personal details, so collecting as much personal data as possible can help an attacker compromise their business accounts.
• Financial accounts. Targets may include credit card accounts, bank accounts, trading accounts or any other accounts that handle money. Attackers can sell account information on darknet markets or use it to transfer money to themselves. Banking institutions have fraud detection systems to prevent account compromise. But users and businesses should still be vigilant about avoiding credential theft.

Attackers will try their best to avoid detection. Both users and business monitoring systems must be vigilant for telltale signs of a compromise. Monitoring systems continually collect data and use artificial intelligence to accurately detect when an account is compromised. There are several observable indicators of a compromised account:

• Unusual outbound traffic. As attackers collect data, they may send data bit by bit to an outside network. Or they may transfer large amounts of files during off-peak hours.
• Irregular high-privilege user activity. High-privilege users commonly work with sensitive data, but they usually do it in a pattern. For example, an HR person might access employee data throughout the day every Friday. In contrast, an attacker might exfiltrate employee data all at once during off-peak hours.
• Network requests from unfamiliar geolocations. If all your employees are based in the US, then VPN or network access from offshore IP addresses could mean an account has been compromised.
• Elevated failed authentication requests. In a brute-force attack, there will be high numbers of failed authentication attempts. Account lockouts stop these authentication attempts. But an attacker will keep trying with other accounts until they’ve successfully found a credential match with a compromised account.
• Increase in database reads. An attacker who’s looking for vulnerable data will probe database tables and send multiple queries.
• Unusually high access attempts on important files. In corporate espionage, the most valuable files contain trade secrets and intellectual property.
• Suspicious configuration changes. An attacker may change system configurations to create a backdoor for persistent access and threats.
• Flooded device traffic to a specific address. Hacked devices can be used as a part of a botnet in a distributed denial-of-service (DDoS) against a specific target.

Some attackers focus on individual accounts. But business email compromise (BEC) is more common. That’s because it gives attackers access to highly sensitive business data. Users with high-privilege are often primary targets, especially in spear-phishing attacks. With access to the CEO’s or vice president of HR’s email account an attacker can access almost any data on the network.

Once they’ve gained access to a high-privilege user’s account, attackers typically impersonate their victims. In CEO fraud, an attacker poses as the CEO and emails unsuspecting employees to get them to do things, like transfer money to the attacker’s own account. The attacker uses urgency and the CEO’s position to convince employees to do what the attacker wants them to do.

Invoice scams are also common. an attacker might pretend to be a corporate accountant and direct a financial employee to pay a fraudulent invoice. Invoice scams often use a combination of social engineering and compromised email accounts to trick targeted users.

Instead of scamming employees, an attacker may use the compromised account to steal data. With a high-privilege account, data can be easily exfiltrated to an external server. The attacker might hide backdoors in less scrutinized standard user accounts. Or they might attempt privilege escalation to access additional critical data.

Phishing is the main way attackers steal credentials and compromise accounts. Organizations that don’t have any email security and protection solutions in place are at high risk of this type of attack. To make an email look legitimate, attackers spoof email headers or register domain names with one-letter misspellings. Users who miss these subtle signs are vulnerable to these attacks.

People frequently use the same password for both their personal and business accounts. Not every website encrypts user credentials. Attackers who steal passwords in one compromised database will use them to discover other accounts using the same passwords.

Malware can silently spy on users and steal their information. Keyloggers, rootkits and other eavesdropping tools enable attackers to collect user credentials and send them to an external server. Malicious files attached to emails will automatically install malware on the network so that attackers can harvest credentials.

Also, poor firewall configurations and a compromised system give an attacker access to the internal network. Once inside, an attacker can scour the network to find vulnerable data. After a compromise, almost any data is vulnerable to theft and disclosure.

If you think your account has been compromised, you have options. There are several steps you can take to eliminate the threat and recover your account. Data breach forensics should only be done by a professional. But you can take several steps to contain and eradicate the immediate threat. This starts with regaining access to your account and changing your password. Then, you should report the compromise to the proper authorities.

First steps to recover your account:

• Authenticate into your account and change your password. Some systems like email allow you to kick out any additional sessions so that you are the only one authenticated.
• Read your email. Look at your trash to see if any other passwords were reset using your email account. Make sure to log into those accounts and reset those passwords too.
• Reset passwords on critical accounts. This includes your bank accounts, your business resources (e.g., essential applications and databases) and your social media accounts.
• Configure multi-factor authentication (MFA). This step can prevent another compromise. MFA requires an additional PIN, which will prevent a third party from logging into your account even if they have your credentials.
• Change your security questions. Use wrong answers that do not match your current private details, such as pets, family and important dates.
• Change your password every 30 days. Old passwords give attackers a longer window of opportunity.
• Don’t use passwords across multiple systems. This helps you prevent additional account compromises after one application is breached.
• Deploy a cloud access security broker or account takeover protection. Look for a solution that accelerates response investigation and remediates accounts, malicious mailbox rule changes and manipulations of third-party apps, and data exfiltration across email and cloud environments.

Proofpoint can help monitor, defend, investigate, and remediate account compromises and the data breaches that often follow. We have a complete cloud app security broker that monitors and protects your cloud applications from being victims of a compromise. Let us secure your critical applications, protect your users, and give you the tools to fully monitor and mitigate common attacks involving your business accounts. Our information protection solutions apply security solutions and other technologies, as well as processes and policies, to secure information across your cloud services, email, endpoint, and on-premises file shares.