ATO Attack - Preventing Account Takeovers for Small Businesses

An account takeover attack (or ATO attack) can result in costly impacts to your small business. Learn how to prevent account takeover attacks and protect your SMB.

SentinelOne, August 23, 2024

How ATO Attacks Hurt Small Businesses

Cybersecurity attacks can pose a significant threat and impact countless businesses. Many small and medium businesses (SMBs) have limited resources for security needs. In today’s competitive market, the results of a successful cyberattack can damage SMBs far beyond revenue losses. These attacks can range from distributed denial of service (DDoS) attacks designed to limit your online operational capabilities to user account takeovers (ATOs) with the goal of crippling a small business internally.

One of the most detrimental attacks that can impact a small business is an account takeover. Countless small businesses rely on their websites and applications to conduct their operations efficiently. The goal of an ATO attack is to obtain unauthorized access to a web or app user account and then take it over, giving a cybercriminal a way to expose the business from the inside. This can lead to things like [example] being exposed, which can greatly affect revenue and operations.

For a small business with limited security resources, ATO attacks can be challenging to pinpoint, prevent, or remediate successfully. They can also lead to further attacks or security incidents, including data breaches. Let’s explore how an ATO attack can occur, how to detect and prevent account takeovers, and how to better secure your SMB from these types of attacks.

Attack Techniques: How Does Account Takeover (ATO) Happen?

ATO attacks have grown steadily over the past few years. As recently as 2023, 29% of individuals and businesses reported that an account takeover happened to them. This reflected a 7% rise from the 2021 report. Account takeovers can lead to disruptions in business operations, loss of revenue, data breaches, further cyberattacks, and more.

Cybercriminals use varied techniques to attack businesses and take over accounts. ATO attacks can also provide cybercriminals with an additional pathway to carry out further cyberattacks against individuals and businesses. To safeguard your organization against these emerging security threats, it’s key to understand how these attacks occur and the methods used.

Phishing

Phishing is one of the most common ways that an ATO attack can occur. It is also one of the most prominent methods that cybercriminals will use to exploit individuals and small businesses. Phishing typically happens when a cybercriminal contacts you via email, online messaging apps, or social media to trick you into providing your user information.

Many phishing attacks come in the form of a request for user information from someone pretending to be a government, bank, or other financial official. These types of attacks also come with a sense of urgency, with the goal of overwhelming the user and tricking them into handing the information over.

Once cybercriminals obtain that information from the targeted individual or employee, they will use it to attempt to access the user accounts. If successful, they will then take over the account and often lock out the user.

Credential Stuffing

Another method that cybercriminals will use to conduct an ATO attack is credential stuffing. In credential stuffing, attackers try exposed user data and passwords across various systems, networks, websites, and applications in order to compromise them. Cybercriminals commonly acquire this user data by purchasing account information, such as email addresses and passwords, from dark web marketplaces or other online breach databases.

Once attackers obtain user data, they can use automated tools to make many access attempts against systems with those credentials. Upon gaining access to the user account, they will take control of it. From these compromised accounts, adversaries can then destroy company data or deploy ransomware against businesses.

Brute Force Bot Attack

Cybercriminals will also use brute force bots to conduct an ATO attack. These bots automate the login attempt process, which enables them to try hundreds, if not thousands, of username and password combinations per minute against the targeted account.

This technique allows attackers to rely on bots to persistently enter different username and password combinations within a website or application until one of them works. If successful, attackers can steal data, inject malware, or escalate user access privileges to gain more information to exploit the business. A recent example of this would be…

If successful, these methods can provide attackers with direct access to user information, internal resources, data, and more. This allows them to take over these accounts and cripple a small business internally by locking it out of the access it needs to conduct business.

Account Takeover Detection: How Can You Detect ATO Attacks?

A key component of detecting an ATO attack against your organization is being able to identify suspicious activity on user accounts. In fact, there are several measures that SMBs can take to accomplish this. Below is a breakdown of some of the ways you can safeguard your business from ATO attacks and keep your information protected.

Detecting IP Addresses From Unusual Countries

Monitoring user account access and logins from unusual internet protocol (IP) addresses can indicate a possibly compromised account. Account access from IP addresses in locations that are not typical for that user can also be an indicator of an ATO attack. For example, if your employee normally logs in from an IP address within the United States and their user account logins start coming from another country, it could be a compromised account.

Several Accounts Changing to Shared Details

User account changes can also be a strong indication of an account takeover by an attacker. ATO attacks are often used to steal or destroy information that can be accessed from the compromised accounts. Typically, attackers will move through system user access levels and make changes to files or other shared account details and information. This can include limiting access to shared folders and files or destroying data.

Discovering Unknown Device Models

Remote work has changed the way employees and businesses operate. This workforce shift has also created a large attack surface for businesses of all sizes, including the devices that can access user accounts within an organization’s IT system. ATO attackers will often use different devices in order to access user accounts. Seeing unknown device models connected to user accounts and the network can indicate an ATO attack. Monitoring devices connected to user accounts can help mitigate this.

Identifying Multiple Accounts Accessed by the Same Device

In addition to unknown devices and IP addresses connected to user accounts, discovering multiple different user accounts connected to the same device can also indicate an account takeover. Employees often use multiple devices to conduct work. However, different user accounts connected to the same device may be evidence of an ATO. Regular auditing of user behavior and of the devices connected to your network and accounts can help minimize the risk of an ATO attack.
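The login signals described in this section (unusual country, unknown device, one device used for several accounts) can be checked against authentication logs with a few lines of code. The following is an added example, not SentinelOne code; the event fields, the per-user baseline, and all sample values are constructed assumptions.

```python
from collections import defaultdict

# Known-good profile per user (constructed; in practice built from login history).
BASELINE = {
    "alice": {"countries": {"US"}, "devices": {"dev-a1"}},
    "bob": {"countries": {"US"}, "devices": {"dev-b1"}},
    "carol": {"countries": {"US", "CA"}, "devices": {"dev-c1"}},
}

# Constructed login events. "ZZ" is a placeholder country code, and the
# device IDs stand in for whatever device fingerprint your logs carry.
EVENTS = [
    {"ts": "2024-08-20T09:02:11Z", "user": "alice", "country": "US", "device": "dev-a1"},
    {"ts": "2024-08-20T09:15:40Z", "user": "bob", "country": "US", "device": "dev-b1"},
    {"ts": "2024-08-21T03:12:05Z", "user": "alice", "country": "ZZ", "device": "dev-x9"},
    {"ts": "2024-08-21T03:14:47Z", "user": "bob", "country": "ZZ", "device": "dev-x9"},
    {"ts": "2024-08-21T03:16:30Z", "user": "carol", "country": "CA", "device": "dev-x9"},
]


def detect_ato_signals(events, baseline, max_users_per_device=1):
    """Return (ts, user, signal, detail) tuples for the three login signals."""
    alerts = []
    users_by_device = defaultdict(set)
    for ev in events:
        profile = baseline.get(ev["user"], {"countries": set(), "devices": set()})
        # Signal 1: login from a country outside the user's usual set.
        if ev["country"] not in profile["countries"]:
            alerts.append((ev["ts"], ev["user"], "unusual_country", ev["country"]))
        # Signal 2: login from a device never seen for this user.
        if ev["device"] not in profile["devices"]:
            alerts.append((ev["ts"], ev["user"], "unknown_device", ev["device"]))
        # Signal 3: one device signing in to more accounts than expected.
        seen = users_by_device[ev["device"]]
        if ev["user"] not in seen:
            seen.add(ev["user"])
            if len(seen) > max_users_per_device:
                detail = ",".join(sorted(seen))
                alerts.append((ev["ts"], ev["user"], "shared_device", detail))
    return alerts


if __name__ == "__main__":
    for alert in detect_ato_signals(EVENTS, BASELINE):
        print(*alert, sep="  ")
```

Shared workstations and kiosks legitimately serve several accounts, so raise `max_users_per_device` for those devices rather than suppressing the signal everywhere.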

Account Takeover Prevention Methods: How Can You Combat ATO?

As ATO attacks continue to increase, protecting your user accounts from being compromised is crucial to safeguarding your small business from further attacks. It can also help ensure proactive cybersecurity controls for your small business. Below are several ways that you can effectively prevent account takeover attacks.

1. Check for Compromised Credentials

Continuous monitoring of user accounts can be critical to combating an account takeover. This can include utilizing tools, such as cyber threat intelligence and dark web monitoring solutions. These tools are designed to notify you in the event of a user account being compromised.

They work by scanning databases to cross-reference your user account credentials, including email addresses, passwords, and other information that may have been breached. If matches are discovered, this will prompt you to further secure your user accounts by changing passwords and checking other accounts for additional suspicious activity.

2. Set Rates or Limits on Login Attempts

Setting limits on the number of login attempts a user can make can go a long way toward preventing ATO attacks. In addition to restricting the number of login attempts, setting up a timeframe limit or a block period after too many attempts can also stop ATO attacks. This type of prevention method can increase account security and help stop a brute force attack from bots in its tracks.
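A minimal sketch of such a limit, combining a cap on failed attempts within a timeframe with a block period. This is an added example, not SentinelOne code; the class name, thresholds, and the choice to key the counter on the account name are assumptions.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Block a key after max_attempts failures inside window seconds."""

    def __init__(self, max_attempts=5, window=300, block_period=900):
        self.max_attempts = max_attempts
        self.window = window
        self.block_period = block_period
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._blocked_until = {}             # key -> time the block ends

    def allowed(self, key, now):
        return now >= self._blocked_until.get(key, 0)

    def record_failure(self, key, now):
        recent = self._failures[key]
        recent.append(now)
        # Drop failures that have aged out of the counting window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self._blocked_until[key] = now + self.block_period
            recent.clear()

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt(limiter, key, password_ok, now):
    """Gate one login attempt; returns 'blocked', 'ok' or 'failed'."""
    # The block is checked before the password, so a correct guess made
    # during the block period still does not get in.
    if not limiter.allowed(key, now):
        return "blocked"
    if password_ok:
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key, now)
    return "failed"


if __name__ == "__main__":
    limiter = LoginLimiter(max_attempts=3, window=60, block_period=120)
    # Constructed sequence: three bad passwords, then the right one too soon.
    for t, ok in [(0, False), (10, False), (20, False), (30, True), (140, True)]:
        print(t, attempt(limiter, "alice", ok, t))
```

Keying only on the account name lets anyone lock a user out by failing logins on purpose; keying on the account plus source IP address, or pairing the block with a notification to the user, limits that side effect.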

3. Send Notifications of Account Changes

In an ATO attack, adversaries can also make account changes to ensure the user is unable to access the account. To better safeguard your business from an ATO attack, set up notifications of all account changes so that unauthorized access can be resolved faster. Small businesses can establish notifications for password resets, authentication attempts, billing or account information changes, etc. These alerts are often real-time and will notify you of any attempted access or changes to your user accounts.

4. Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)

Two-factor or multi-factor authentication can be the best line of defense in the event of an attempted ATO attack. The goal of these authentication methods is to add an extra layer of protection for user accounts that access your systems and networks. Should any of your user accounts be breached and credentials be exposed, 2FA or MFA will require anyone attempting to access those accounts to authenticate with an additional factor. These authentication methods can include apps on user devices, or a code sent to the email address or phone number associated with that account.

5. Web Application Firewall (WAF)

Web application firewalls can provide an added layer of security to protect multiple web applications. WAFs can support blocking and filtering malicious web traffic along with bot mitigation against brute force ATO attacks. WAFs can also help your business detect suspicious behaviors and limit the amount of network traffic from a single IP address.

6. Prevent Account Takeover with ATO Prevention Software

ATO prevention software is designed to help safeguard individuals and organizations, including small businesses, in the event of a possible account takeover attack. These types of prevention software programs work to provide businesses with real-time notifications, credential screening, and bot protection. Many of the ATO prevention software solutions on the market will also support businesses by providing account isolation in the event of possible suspicious activity and user behavior analysis if an account is compromised. These tools can be a great resource for small businesses to further protect them against compromised credentials and stop an ATO attack from happening.

ATO attacks can be gravely damaging to small businesses of any kind in any industry. They can halt operations, negatively impact revenue, and be detrimental to business reputation, among many other consequences. Implementing multi-layered security controls for your small business can reduce its risk of an ATO attack. These controls can include strong passwords, regular user account monitoring, and stronger authentication measures, all of which can stop ATO attacks from taking place. By taking these steps to prevent ATOs, you can rest easier knowing that your small business is more secure.

Protect Your Business Today

SMBs around the globe have turned to SentinelOne Singularity™ Control to proactively resolve modern threats at machine speed. Request a free 30-day trial to see how SentinelOne can help you protect your business against every kind of threat, including ransomware and malware.
