Account Takeover attacks: the viewpoint of a threat intelligence expert

Jun 21, 2023

Account takeover (ATO) happens when someone tries to steal a user account. Any service offering authentication can face it, since an attacker only has to test pairs of usernames and passwords.

Zack Allen joins us to share his experience protecting organizations that faced massive account takeover attacks. He describes the criminal and financial motivations of attackers, their methods for hiding, and how they move from a database leak to a compromised account. We show the tools that attackers most commonly use. Finally, we discuss how to detect account takeover and protect your organization against it.

About Zack:

Newsletter: https://www.detectionengineering.net/
Twitter: https://twitter.com/techyteachme
LinkedIn: https://www.linkedin.com/in/zack-a-12749a76
Story of the ATO against Sqreen: https://blog.sqreen.com/blocked-major-ato-attack-sqreen-deployment/
Password crackers:
John the Ripper: https://www.openwall.com/john/
Hashcat: https://hashcat.net/hashcat/
Password storage best practices: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
Tools:
Patator: https://github.com/lanjelot/patator
Open Bullet: https://github.com/openbullet/openbullet
Datadog ATO protection: https://docs.datadoghq.com/security/default_rules/appsec-ato-groupby-ip/

0:00 Cloud Security Lounge

2:01 Zack's role as a cyber criminal hunter

7:45 Motivation of attackers

9:58 Who is at risk?

11:58 Story of an account takeover attack against Sqreen

14:23 Attack lifecycle: how attackers go from a data leak to a compromised account

20:10 How attackers try to hide

22:30 Tools used for attacks (by criminals or security professionals)

28:30 How to detect and protect against ATO attacks

34:10 Common targets are not only the public ones but also internal ones, like back office or support

38:30 Two-factor authentication: a great yet imperfect protection