Mitigating the growing threats of account takeover attacks in 2024


Account takeover (ATO) attacks have swiftly ascended to the top of the list of critical cyber threats confronting organisations today. Abnormal Security's 2024 State of Cloud Account Takeover Attacks report reveals that over 60% of security leaders in the UK now rank ATOs among their top four concerns. This heightened focus on account takeovers surpasses even the notorious threats of ransomware and spear phishing.

In an era where the sophistication and frequency of ATO attacks are escalating, it's imperative to understand the underlying factors driving this surge and the strategies organizations can deploy to defend against them.

Mike Britton

CISO of Abnormal Security.

Account takeover attacks are rapidly increasing in both regularity and severity. Attackers are concentrating more on account takeover attacks because gaining access to an account can immediately expose sensitive company or customer data, enable financial theft, and allow them to launch further attacks or move laterally within a network.

A study indicates a 427% increase in ATO attempts over 2023 alone, highlighting their growing risk and potential to create substantial financial losses for businesses. Given the destructive potential of ATOs, it's no surprise that most security leaders consider these attacks among their top cyber threats.

These concerns are usually grounded in experience - in fact, 75% of UK organizations we surveyed reported experiencing at least one ATO attack in the past year, with over a third facing more than five incidents. Some unlucky businesses were hit more than 10 times.

How have cybercriminals adapted their tactics for ATO attacks with the advent of new technologies like generative AI, and what are the implications for organizations?

Credential phishing is one of the key culprits behind account takeovers, and the proliferation of generative AI tools over the last year has only made this problem worse, ultimately making ATO attacks a lot easier to carry out. With the right prompts, generative AI can write phishing emails that are almost indistinguishable from authentic content. Tools like ChatGPT can create convincing and realistic phishing campaigns in seconds, enhancing the effectiveness of social engineering tactics and increasing the likelihood that targets give up their credentials.

Sophisticated threat actors have even gone as far as creating their own generative AI platforms like WormGPT and FraudGPT. Many are also finding ways to “jailbreak” ChatGPT, bypassing its safeguards against malicious content generation using carefully crafted prompts, known as "jailbreak prompts."

The DAN (Do Anything Now) prompt and the Translator Bot prompt are well-known examples. The DAN prompt manipulates ChatGPT into generating restricted content by roleplaying as an unrestricted AI. The Translator Bot prompt circumvents filters by framing inappropriate content as a translation task.

AI-generated phishing attacks are so dangerous because they’re extremely difficult to detect. Traditionally, you’d look for odd language, spelling or grammar mistakes, robotic tone, and other contextual indicators. However, with generative AI, attackers can create large volumes of convincing human-like content.

As cybercriminals see greater success with credential phishing attacks, this can lead to more incidents of account takeover, which underscores the importance of comprehensive email security.

What are the primary concerns of security leaders regarding account takeovers? Why are these attacks considered one of the top cybersecurity threats today?

The biggest worry about ATO attacks is their potential for extremely damaging consequences, including compromised customer privacy, compliance, data security, brand reputation, and operational integrity. So, it comes as no surprise that nearly all security stakeholders that we surveyed agreed that preventing account compromises is a top priority.

ATO is particularly insidious because trusted contacts are placed directly in the firing line. If cybercriminals can gain access to the account credentials of a trusted executive or vendor, not only can this expose sensitive information, it can also allow the attacker to make fraudulent financial transactions under the guise of their compromised victim. This means the scope for damage is huge.

These attacks are also alarming because they can occur through a variety of attack methods - not just through credential phishing via email but also SMS and voice phishing, as well as more sophisticated tactics like session hijacking via stolen or forged authentication tokens. The stealthy nature of ATOs means they can remain undetected for months, increasing their potential damage.

MFA is a widely implemented security measure, so why are some skeptical about it when it comes to ATO attacks?

Multi-factor authentication (MFA) has become a standard security enhancement and is recommended in government guidance such as NIST's. However, while MFA can reduce the risk of account compromise, it is not foolproof, so it has been subjected to some level of skepticism. Our research showed that only 37% of security leaders are confident in MFA’s ability to protect against ATOs.

One reason for this doubt is the rise of MFA bypass tactics. Cybercriminal groups, like Robin Banks and EvilProxy, now offer MFA bypass kits for sale, which allow attackers to hijack active authentication sessions using stolen MFA tokens. This makes it easier for even less experienced hackers to circumvent MFA protections. High-profile incidents, such as the SolarWinds attack, have demonstrated the vulnerabilities of MFA.

Research has shown a significant increase in MFA bypass attacks. A study by Kroll Advisory found that 90% of successful business email compromise attacks occurred even with MFA in place. These findings highlight that while MFA is a crucial security measure, it alone cannot fully prevent account takeover attacks, necessitating additional layers of security.

What type of solutions can help defend against increasing ATO attacks and what areas should businesses improve on?

There are a number of strategies that organizations are using to mitigate account compromise, including MFA, encouraging strong password use, and implementing single sign-on (SSO).

But while these are important layers of defense that can reduce the risk of account compromise, they won’t eliminate it entirely - today’s sophisticated threat actors are savvy enough to find ways around these measures.

Security teams should layer these controls with additional tools, including technologies that can create complete visibility across the cloud ecosystem. Account takeover attacks often involve lateral movement across platforms, so teams need the ability to see, correlate, and analyze behavioral signals across these different applications and platforms. By analyzing these signals against baseline levels of user behavior to identify deviations, organizations can improve their ability to detect potential account compromises rapidly and with confidence.

Auto-remediation is also critical, enabling teams to swiftly remove attackers from compromised accounts - including by signing out of all open sessions, blocking access, or forcing a password reset - before significant damage occurs.

This integrated approach, offering complete visibility across the cloud application ecosystem, with automatic remediation, is essential for enhancing ATO defenses.
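One way to realise the behavioural-baseline detection and auto-remediation described above, as an added Python example that is not part of the original article or of Abnormal Security's product: it scores constructed sign-in events for a new country, a new device, a session token replayed from a different address, and impossible travel, then maps the number of deviations to the responses named in the text. Field names, thresholds and the sample telemetry are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in telemetry (not real data): HISTORY builds the baseline, NEW_EVENTS are scored against it.
HISTORY = [
    {"user": "alice", "ts": "2024-05-01T09:00", "country": "GB", "device": "d1", "ip": "203.0.113.5", "session": "s1"},
    {"user": "alice", "ts": "2024-05-03T09:10", "country": "GB", "device": "d1", "ip": "203.0.113.5", "session": "s3"},
]
NEW_EVENTS = [
    # benign: usual country, device and IP, fresh session
    {"user": "alice", "ts": "2024-05-04T09:00", "country": "GB", "device": "d1", "ip": "203.0.113.5", "session": "s4"},
    # suspicious: token s3 reappears from a new country, device and IP 30 minutes after the GB sign-in
    {"user": "alice", "ts": "2024-05-04T09:30", "country": "RU", "device": "d9", "ip": "198.51.100.7", "session": "s3"},
]

def observe(profile, e):
    """Fold a trusted sign-in into the user's profile; a session keeps the IP it was first issued to."""
    profile["countries"].add(e["country"])
    profile["devices"].add(e["device"])
    profile["sessions"].setdefault(e["session"], e["ip"])
    profile["last"] = (datetime.fromisoformat(e["ts"]), e["country"])

def score_event(e, profile, travel_window_h=2.0):
    """Return the behavioural deviations this sign-in shows from the user's baseline."""
    signals = [f"new_{key}" for key, seen in (("country", "countries"), ("device", "devices"))
               if e[key] not in profile[seen]]
    if profile["sessions"].get(e["session"], e["ip"]) != e["ip"]:
        signals.append("session_reuse")  # a stolen or forged token replayed from another address
    if profile["last"] is not None:
        hours = abs((datetime.fromisoformat(e["ts"]) - profile["last"][0]).total_seconds()) / 3600
        if profile["last"][1] != e["country"] and hours < travel_window_h:
            signals.append("impossible_travel")
    return signals

def remediate(signals):  # number of deviations -> the automatic response the text describes
    if len(signals) >= 3:
        return ["revoke_all_sessions", "block_sign_in", "force_password_reset"]
    return ["require_step_up_mfa"] if signals else []

def triage(history, new_events):
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "sessions": {}, "last": None})
    for e in sorted(history, key=lambda x: x["ts"]):
        observe(base[e["user"]], e)
    findings = []
    for e in sorted(new_events, key=lambda x: x["ts"]):
        signals = score_event(e, base[e["user"]])
        findings.append({"user": e["user"], "ts": e["ts"], "signals": signals, "actions": remediate(signals)})
        if not signals:  # only clean sign-ins update the baseline, so an attacker cannot poison it
            observe(base[e["user"]], e)
    return findings
```

Running `triage(HISTORY, NEW_EVENTS)` flags only the second event, with all four signals and the full sign-out, block and reset response.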


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
