6 Best Practices for Defending Against Business Account Takeover Attacks

While consumer and corporate account takeovers share many techniques, the impact of a corporate account takeover (CATO) is usually greater than a breach of an individual account: it can result in significant financial loss, reputational damage, and exposure of sensitive business information.

In an enterprise environment, the main concern is preventing attackers from obtaining employees' credentials. This can happen through several attack vectors: traditional social engineering, and malware placed on a device that records keystrokes and harvests credentials stored on that device (browser password stores, session tokens, and similar).

According to the Expel Q1 2023 Quarterly Threat Report, identity-based incidents (account compromise, corporate account takeover, and long-term access key theft) accounted for 57% of all incidents Expel detected in Q1 2023.

Common attacks that lead to corporate account takeover

The tools and techniques used by cybercriminals against consumers and businesses are similar, but the impact of business account takeover can be much greater.

Attack vectors used by bad actors include:

Phishing: This remains a popular attack method, and its evasion tactics keep getting more sophisticated, such as testing lures against common defense tools before sending them. Artificial intelligence (AI) adds a new challenge by producing near-perfect phishing emails. SMS phishing ("smishing") has also become popular because, unlike email, mobile phones generally lack strong filters to block text messages containing spam or phishing links.

Pretexting: The human equivalent of phishing, where attackers construct a false pretext, such as impersonating an authority figure, to trick employees into divulging sensitive information or performing certain actions.

Business Email Compromise (BEC): Specifically targets business email accounts. Attackers compromise or spoof executive or employee email accounts to trick others within the organization or external parties into performing fraudulent actions, such as wire transfers, changing payment details, or disclosing sensitive information. In 2022, the FBI's Internet Crime Complaint Center (IC3) received 21,832 BEC complaints with adjusted losses of over $2.7 billion.

Social Engineering: The exploitation of human psychology and trust to manipulate individuals (usually employees) into revealing sensitive information or granting unauthorized access. Like phishing, social engineering attacks are made more sophisticated by using artificial intelligence to impersonate legitimate entities over the phone or video.

Calls impersonating legitimate entities (vishing): Attackers pose as corporate executives, business partners, or financial institutions to trick employees into revealing login credentials, account details, or sensitive information, which they then use to gain unauthorized access to corporate accounts.

Deepfakes: Use artificial intelligence to create video or audio recordings of senior executives or colleagues to trick employees into transferring funds, sharing sensitive data, or giving attackers control of corporate accounts. Deepfakes are likely to become more common as artificial intelligence advances and news of successful attacks increases.

Insider Exploitation: Bad actors use employees to facilitate corporate account takeovers. Motives can be financial, sympathy for a particular cause, and/or extortion. Employees or individuals with privileged access may be persuaded to abuse their privileges for personal gain or malicious purposes.

Beyond the organization itself, a business account takeover may target a variety of accounts depending on the attacker's specific interests or goals.

"For example, we often observe opportunistic stealer malware campaigns associated with larger crimeware scenarios, namely stealing account credentials of ordinary corporate employees," Hegel said. In these opportunistic attacks, he said, it is easy for attackers to steal credentials employees use to access third-party websites, such as business bank accounts.

More worryingly, attackers may also try to gather employees' login details for internal business networks or communication platforms, such as email or messaging.

These details are now in the hands of the attackers and can be used by them to financially benefit in a number of ways. Outright financial theft, data theft, and even selling the access they have to interested parties are all highly probable scenarios today.

Types of Organizations These Attacks Target

Any organization that conducts business online can be the target of a CATO attack, although such attacks primarily target business entities that perform financial transactions online.

While any organization is at risk of business account takeover, bad actors often single out certain organizations because of their size, the availability of funds, and the value of the data and secrets they hold. Organizations that continue to be targeted include financial institutions, healthcare organizations, and government agencies.

The attackers carried out multiple attacks on their company's employees. What usually happens is that the attacker, often part of a well-funded overseas criminal enterprise, sends someone a convincing-looking text message, email, or phishing link that they hope the recipient will click on. Once clicked, it launches some type of malware that allows a direct connection between the attacker and the victim.

However, these attempts have not been successful. The reason is that one of the most important things you can do to prevent this from happening is to raise employee awareness. A lot of effort goes into making sure employees understand the threat. We do this through simulations, mandatory training requirements, and proof of policy. This information is captured each quarter through a different activity test, and thus we know the employees' situation. We are in a position to resist such attempts.

Financial Institutions Frequently Targeted by CATO Attacks

Malicious actors often target financial institutions; one example is the successful CATO attack on the Robinhood brokerage platform in November 2021. In that attack, an unauthorized party socially engineered a customer support employee over the phone and gained access to certain customer support systems, the company said.

According to the company, the attackers stole a list of email addresses of about 5 million people and the full names of another 2 million people. The attackers also obtained the full names, dates of birth, and ZIP codes of 310 Robinhood customers, as well as more extensive account details for 10 customers. The company noted that the attackers did not obtain customers' Social Security numbers, bank account numbers, or debit card numbers, and that no customers suffered financial loss.

After Robinhood contained the intrusion, the attackers demanded an extortion payment. Robinhood notified law enforcement and investigated the incident with the help of the external security firm Mandiant. The results of the investigation have not been made public.

Another example is Twitter. In 2020, attackers gained access to Twitter's internal systems through social engineering and phishing aimed at employees. They took over internal administrator tools used to manage accounts, hijacked high-profile accounts of individuals and companies, including Coinbase, and used them to promote a cryptocurrency scam. The attackers collected more than $118,000 worth of bitcoin.

Six best practices for defending against business account takeover attacks

While no single security practice or control can prevent a CATO attack, several in combination (defense in depth) can significantly reduce the risk. Here are six best practices for preventing corporate account takeover attacks.

Defense in Depth

Companies must implement a defense-in-depth approach. Maintaining a healthy security posture remains critical to preventing business account takeovers and other cyberattacks.

Organizations must implement multiple layers of defense, including vulnerability management, network segmentation, email/web filtering, intrusion detection and monitoring, third-party risk management, and incident response.

Multi-Factor Authentication (MFA) on Every Account

It is important to have strong multi-factor authentication on all company accounts.

Some of the latest phishing kits, such as EvilProxy, work as adversary-in-the-middle reverse proxies: the victim sees the real corporate login page and the real MFA challenge, relayed through the attacker's domain, and once the user completes the login the kit captures the authenticated session cookie. Codes, push approvals, and SMS one-time passwords all fall to this technique.

While companies need to keep extending MFA coverage, they also need to move toward phishing-resistant methods such as FIDO2/WebAuthn security keys and passkeys. These bind the credential to the site's origin, so a proxied login page on a different domain cannot complete the ceremony. These more advanced approaches are an investment, so organizations must decide where to deploy them first (typically administrators, finance, and executives).
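The following is an added example, not code from the article or from any product it mentions. It models the relying-party (server-side) checks that make a FIDO2/WebAuthn login resist a reverse-proxy kit: the browser, not the page, writes the true origin into clientDataJSON, and the authenticator binds its response to the relying party ID, so an assertion produced on a proxy domain fails before the signature is even checked. The relying party ID `corp.example`, the origin `https://login.corp.example`, and the proxy origin are assumptions for illustration; signature verification with the registered public key is out of scope here.

```python
"""Added example: WebAuthn relying-party checks that defeat an AitM proxy."""
import base64
import hashlib
import hmac
import json
import os
import struct

RP_ID = "corp.example"                          # assumed relying party ID
EXPECTED_ORIGIN = "https://login.corp.example"  # assumed: the only origin we accept


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def new_challenge() -> str:
    """Server side: a fresh random challenge bound to one login attempt."""
    return b64url_encode(os.urandom(32))


def browser_client_data(origin: str, challenge: str) -> bytes:
    """What the browser itself places in clientDataJSON. The origin is the one
    the user is really on; page JavaScript (or a proxy) cannot override it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def authenticator_data(rp_id: str, user_present: bool = True, counter: int = 1) -> bytes:
    """rpIdHash(32) | flags(1) | signCount(4), as the authenticator emits it."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: str):
    """Relying-party checks performed before signature verification.
    Returns (ok, reason)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Constant-time compare: the challenge is a one-time secret per login.
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replayed or foreign assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %r" % cd.get("origin")
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok (proceed to signature verification)"


def demo():
    """Legitimate login versus the same flow relayed through a phishing proxy."""
    challenge = new_challenge()
    legit = verify_assertion(
        browser_client_data(EXPECTED_ORIGIN, challenge),
        authenticator_data(RP_ID), challenge)
    # The proxy forwards our challenge, but the victim's browser is on the
    # attacker's domain (assumed name), so that is what lands in the origin field.
    proxied = verify_assertion(
        browser_client_data("https://login.corp-example.net", challenge),
        authenticator_data(RP_ID), challenge)
    return {"legit": legit, "proxied": proxied}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:8s} accepted={ok} {why}")
```

The same relayed-challenge trick would succeed against a TOTP code or a push prompt, because neither carries any notion of which site the user was actually on; that origin binding is the whole difference.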

Strong Access Management Policies

Implementing strong access management is critical, especially for privileged accounts, which should be brokered through a privileged access management (PAM) tool rather than used directly.

Regular access reviews that include third-party and contractor accounts are equally important, as are joiner/mover/leaver procedures that grant, adjust, and revoke access promptly, so that the principle of least privilege holds in practice and not just on paper.

Contextual Access Management Measures

Organizations should also implement contextual access management that considers the user's current location, device being used, time of access, network environment, behavioral patterns, and other contextual information.

By doing this, the risk of unauthorized access, which is often exploited in corporate account takeovers, is greatly reduced.

Strong Security Monitoring

Security monitoring is performed by the security operations team. They are on duty 24 hours a day, 7 days a week, monitoring every alert that comes out of our toolset.

These toolsets cover everything from our endpoint detection and response to our identity systems. In terms of identity, for example, when someone is attempting a business email compromise, one of the triggers that often fires is some form of travel alert, where we see someone log in at one location and then, all of a sudden, they show up in a very different part of the world, which sets off alarms.
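As an added example serving both the contextual access management section above and the travel alert just described (this is illustrative code, not the article's or any vendor's detection), the block below scores a stream of login events on three context signals: an unregistered device, a login outside the expected hours, and "impossible travel", computed as the great-circle distance between consecutive logins divided by the time between them. The device inventory, the working-hours window, the 900 km/h ceiling, the risk weights, and the login records are all constructed assumptions; the geolocation is taken as already resolved from the source IP.

```python
"""Added example: contextual login risk scoring with an impossible-travel check."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed policy and inventory (illustrative values, not from the article).
KNOWN_DEVICES = {"alice": {"dev-laptop-7f3a"}, "bob": {"dev-laptop-1c09"}}
WORK_HOURS = range(7, 20)   # hours (UTC here; a real system uses the user's zone)
MAX_KMH = 900.0             # faster than an airliner => physically impossible
ALERT_THRESHOLD = 50        # score at or above which the SOC gets an alert
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def score_login(prev, cur):
    """Score one login against the user's previous login (prev may be None).
    Returns (score, reasons)."""
    score, reasons = 0, []
    if cur["device"] not in KNOWN_DEVICES.get(cur["user"], set()):
        score += 30
        reasons.append("unregistered device %s" % cur["device"])
    if cur["ts"].hour not in WORK_HOURS:
        score += 10
        reasons.append("outside working hours")
    if prev is not None:
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
        # Guard against a zero interval (two events in the same second).
        if km > 0 and hours >= 0 and km / max(hours, 1e-6) > MAX_KMH:
            score += 60
            reasons.append("impossible travel: %.0f km in %.2f h" % (km, hours))
    return score, reasons


def evaluate(events):
    """Walk login events in time order; return a list of (user, score, reasons, alert)."""
    last_seen, results = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        score, reasons = score_login(last_seen.get(e["user"]), e)
        results.append((e["user"], score, reasons, score >= ALERT_THRESHOLD))
        last_seen[e["user"]] = e
    return results


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample login records (not real data). Coordinates are approximate
# city centres: Chicago, Lagos, and Denver.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": ts("2023-08-21 09:05"), "ip": "203.0.113.10",
     "lat": 41.88, "lon": -87.63, "device": "dev-laptop-7f3a"},
    {"user": "alice", "ts": ts("2023-08-21 10:30"), "ip": "198.51.100.7",
     "lat": 6.52, "lon": 3.38, "device": "unknown-android-ffe1"},
    {"user": "bob", "ts": ts("2023-08-21 23:10"), "ip": "192.0.2.44",
     "lat": 39.74, "lon": -104.99, "device": "dev-laptop-1c09"},
]

if __name__ == "__main__":
    for user, score, reasons, alert in evaluate(SAMPLE_EVENTS):
        print(f"{user:6s} score={score:3d} alert={alert} {'; '.join(reasons) or 'normal'}")
```

Alice's second login triggers both the device and the travel signal (roughly 9,600 km in under an hour and a half) and crosses the alert threshold; Bob's late-night login from a known device accumulates only a low score and is logged, not escalated. Weighting signals rather than alerting on any single one is what keeps the travel rule from firing on every VPN exit-node change.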

Staff Education and Training - Human Firewall

Employee education and awareness is critical. This "human firewall" remains a very important defense against theft of corporate accounts.

Ensure that employees are regularly educated and trained about the risks associated with corporate account takeovers, especially those professionals who are privileged or in highly targeted areas such as payments and finance.

This includes making employees aware of the key things to look for in an email to understand that it is a malicious email or has malicious intent in some way.

It all starts with looking at the sender and at the URL they're trying to send you to. If you do click on that URL and see a login screen, make sure the login screen is on a domain or URL that makes sense for the service.
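The URL check above is harder to do by eye than it sounds, because a link's hostname can be disguised in several ways. The block below is an added example (not the article's or any product's code) of an allowlist-based login URL check: it parses the link, extracts the real host, and rejects the common tricks: a trusted name used as a subdomain of an attacker's domain, a trusted name placed in the userinfo part before an `@`, an internationalized (punycode) lookalike host, and plain `http`. The trusted hostnames and the attacker domains are assumptions chosen for illustration.

```python
"""Added example: exact-host allowlist check for login links."""
from urllib.parse import urlsplit

# Assumed allowlist of the organization's genuine login hosts.
TRUSTED_LOGIN_HOSTS = {"login.corp.example", "sso.corp.example"}


def is_trusted_login_url(url: str):
    """Return (trusted, reason). Only an exact match on a trusted host passes;
    a proxy on any other domain, however convincing its page, does not."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() != "https":
        return False, "scheme is not https"
    # .hostname already strips userinfo, port and brackets, and lowercases.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        # 'https://login.corp.example@evil.test/' has host evil.test; flag it loudly.
        return False, "userinfo before '@' (host is really %r)" % host
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalized (punycode) host %r" % host
    if host in TRUSTED_LOGIN_HOSTS:
        return True, "host %r is on the allowlist" % host
    for trusted in TRUSTED_LOGIN_HOSTS:
        if host.endswith("." + trusted) or host.startswith(trusted + "."):
            return False, "lookalike host %r contains trusted name but is not it" % host
    return False, "host %r not on the allowlist" % host


# Constructed examples of links as they might arrive in a phishing message.
SAMPLE_LINKS = [
    "https://login.corp.example/?next=/mail",
    "https://LOGIN.CORP.EXAMPLE/",
    "https://login.corp.example.evil-host.test/login",
    "https://login.corp.example@evil-host.test/",
    "https://xn--lgin-hqa.corp.example/",
    "http://login.corp.example/",
    "https://sso-corp.example/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, why = is_trusted_login_url(link)
        print(f"{'OK  ' if ok else 'DENY'} {link}  ({why})")
```

The same logic belongs in a mail gateway's URL rewriting or a browser policy rather than in a user's head; the point of the exercise is to see how many distinct disguises a single "check the domain" instruction has to cover.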

Source: blog.csdn.net/qq_29607687/article/details/132384200