While there are similarities between the two, corporate account takeovers (CATO) often have larger implications than breaches affecting individual accounts and can result in significant financial losses, reputational damage, and compromised sensitive business information.
“In the corporate environment, the main focus is preventing attackers from getting your employees’ credentials,” says Gartner cybersecurity analyst Akif Khan. “And that can consist of a few different attack vectors. There are the more traditional social engineering attack vectors and attack vectors that could include malware being put on your device somehow, which would log your keyboard strokes and look for credentials that were saved on your device.”
According to the Expel Quarterly Threat Report Q1 2023, identity-based attacks [account compromise, corporate account takeover, and long-lived access key theft] accounted for 57% of all incidents identified in Q1 2023.
Common attacks that can lead to corporate account takeover attacks
The tools and techniques cybercriminals use are similar for both consumers and corporations, but the impact of a corporate account takeover can be much more significant, says Michael Halstead, managing director of finance and insurance at Launch Consulting.
According to Halstead, the attack vectors bad actors use include:
- Phishing: This remains a popular method of attack as it has become much more sophisticated with evasive strategies, such as testing to avoid common defensive tooling. Artificial intelligence (AI) has also created new challenges with near-perfect phishing emails. SMS text messages have also become a popular technique as unlike email, mobile phones don’t have strong filters to block text messages containing spam or smishing attempts.
- Pretexting: The human equivalent of phishing where an attacker creates a false pretext, e.g., impersonating a person in authority, to deceive employees into revealing sensitive information or performing certain actions.
- Business email compromise (BEC): This specifically targets corporate email accounts. Attackers compromise or spoof executive or employee email accounts to trick others within the organization or external parties into performing fraudulent actions. This can include wire transfers, changing payment details, or disclosing sensitive information. In 2022, the FBI IC3 (Internet Crimes Complaint Unit) received 21,832 BEC complaints with adjusted losses of over $2.7 billion.
- Social engineering: Uses human psychology and trust to manipulate individuals, often employees, into divulging sensitive information or granting unauthorized access. Like phishing, social engineering attacks have become much more sophisticated with the use of AI to impersonate legitimate entities via phone calls or video.
- Phone calls impersonating legitimate entities: Attackers target company executives, business partners, or financial institutions, to trick employees into revealing login credentials, account details, or sensitive information, which can then be used to gain unauthorized access to corporate accounts.
- Deepfakes: The use of AI to create a video or audio recording of a high-ranking executive or colleague to trick an employee into transferring funds, sharing sensitive data, or giving an attacker control over a corporate account. Deepfake will likely become more prevalent as advances in AI are made and news of successful attacks increase.
- Leveraging insiders: Bad actors use employees to assist with corporate account takeovers. The motivation can be financial, affinity to a particular cause, and/or threats of blackmail. Employees or individuals with privileged access can be convinced to misuse their privileges for personal gain or malicious purposes.
“A corporate account takeover attack can occur for a large variety of objectives unique to the attackers’ specific interests or goals, in addition to who the target may be,” says Tom Hegel, a senior threat researcher at SentinelLabs.
“For example, we commonly observe opportunistic stealer malware campaigns associated with the larger crimeware scene-stealing account credentials from average business employees,” Hegel says. In these opportunistic attacks, the attackers easily steal credentials used by the employees to access third-party websites, such as businesses banking accounts, he says.
“More concerning, the attacks can seek to collect the login details of an employee into the business network or communications platform, such as email or messengers,” Hegel says. These details, now in the hands of the attacker, can be used in a variety of ways to financially benefit them. Direct financial theft, data theft, or even selling the access they have to interested parties, are all highly probable scenarios occurring today.”
Types of corporate organizations targeted by these attacks
Any organization that does business online can be targeted by a CATO attack, though primarily such attacks target corporate entities that perform financial transactions online, says Sourya Biswas, technical director of risk management and governance at security consulting firm NCC Group.
Halstead agrees, adding that although any organization is at risk for corporate account takeovers, bad actors often target certain organizations due to their size, availability of funds, and type of valuable data and secrets. Some organizations that are continuously targeted are financial institutions, healthcare organizations, and government agencies.
Gil Vega, chief information security officer at Veeam Software, says attackers have made a lot of attempts against his company’s employees.
“Typically, what will happen is, there’ll be an attacker that’s usually part of a pretty well-funded criminal enterprise overseas who will send someone a convincing looking text message, or an email, or a phishing link that they’ll hope that the recipient will click on,” he says. “And once that’s clicked on it will launch some type of malicious software that allows direct connectivity between the attacker and the victim.”
However, Vega adds that none of those attempts has yet been successful. “The reason is that one of the most important things you can do to prevent this is to enhance the awareness of your employees,” he says. “And we spend a lot of calories here at Veeam making sure our employees understand the threat. We do that through simulation, through mandatory training requirements, through policy attestations. We stay on top of our employees with this information every quarter with different campaigns testing our ability to resist these kinds of attempts.”
Financial institutions are frequently targeted by CATO attacks
Vega also concurs that malicious actors often target financial institutions, pointing to the successful CATO attack on the Robinhood brokerage platform in November 2021. The company said that in that attack that “The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems.”
The attacker stole a list of email addresses for about 5 million individuals and the full names of an additional 2 million individuals, according to the company. The hacker also obtained full names, dates of birth, and ZIP codes of 310 of Robinhood’s customers and more extensive account details of 10 customers, although the company noted that that hacker did not obtain customers’ Social Security numbers, bank account numbers, or debit card numbers, and none had suffered any financial losses.
However, after Robinhood contained the intrusion, the attacker demanded an extortion payment. Consequently, Robinhood “promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm.” The result of the investigation is unclear.
Another example is Twitter, says Halstead. “[In 2020] attackers gained access to the internal systems of Twitter through a social engineering and phishing scheme targeting employees,” he says. “Bad actors took over an internal IT administrator tool that was used to manage accounts. They leveraged prominent accounts, including those of high-profile individuals and companies, such as Coinbase, and used them to promote a cryptocurrency scam.” The hackers stole more than $118,000 worth of Bitcoin.
Six best practices to defend against corporate account takeover attacks
While there is no one security practice and control that can prevent CATO attacks, several used in combination (defense in depth), can significantly reduce the risk, says Biswas. Here are six best practices to prevent corporate account takeover attacks
Defense in Depth
Companies must implement a defense-in-depth approach, Halstead says. Maintaining a healthy security posture remains paramount in preventing corporate account takeovers among other cyberattacks.
“Organizations must implement layers of defense that include vulnerability management, network segmentation, email/web filtering, intrusion detection and monitoring, third-party risk management, and incident response.”
Multifactor authentication (MFA) and more for online account access
It’s important to have strong multifactor authentication around all corporate accounts, says Bryan Willett, CISO at Lexmark.
“What we’re finding with some of the latest phishing services that are out there, such as EvilProxy, is that they’re getting very good at imitating a login screen that looks just like your corporate login screen and your corporate MFA challenge,” Willett says. “And the user has the potential of falling victim to that and sharing their MFA.”
However, while companies need to continue enhancing their MFA they also need to continue looking at more advanced MFA methods, such as Fido keys, Willet says. But those more advanced methods are an investment, so organizations must decide whether they’re going to invest in them.
Strong access management strategies
Implementing strong access management measures is essential, particularly through the utilization of privileged access management tools, according to Halstead.
“And regular access reviews that also involve third parties are of utmost importance,” he says. “It is vital to establish procedures for both personnel joining and leaving the organization to uphold the principle of least privilege.”
Contextual access management measures
Organizations should also implement contextual access management that considers a user’s current location, the device being used, time of access, network environment, behavior patterns, and other contextual information, according to Halstead.
“By doing so, the risk of unauthorized access, often exploited in corporate account takeovers, can be significantly minimized,” he says.
Robust security monitoring
At Lexmark, security monitoring is performed by the security operations team. “They perform a 24-hour-a-day, seven-days-a-week function where they’re monitoring every alert that comes out of our tool sets,” Willett says.
“The toolsets are everything from our endpoint detection and response to our identity systems. For instance, in identity one of the triggers that frequently occurs when someone’s trying to do a business email compromise is some form of travel-type alert, where we saw someone logged in one location and all of a sudden, they’re showing up in a very different part of the world and that sets off an alarm.”
Employee education and training — a human firewall
Employee education and awareness are critical, says Halstead. This “human firewall” remains a very important defense in preventing corporate account takeovers.
“Ensure you regularly educate and train employees about the risks associated with corporate account takeovers, particularly those professionals who have privileged access or are in highly targeted areas, such as payments and finance,” he says.
This includes making employees aware of the key things to look for in an email to know that it was a malicious email or had malicious intent in some way, Willett says. “Everything from looking at the sender, looking at the URL they’re trying to send you too,” he says. “If you do happen to click on the URL and you see a login screen, make sure the login screen is going to a domain or URL that makes sense. It shouldn’t be Joe’s Smoke Shop that you’re logging into.”