Stealing corporate credentials has been a popular tactic among cybercriminals for many years now. Due to reused passwords, blurred boundaries between personal and professional accounts, and an expanded remote workforce, cyber vulnerabilities are everywhere.
What is Corporate Account Takeover?
A Corporate Account Takeover (CATO) is a kind of organization-specific identity theft where cybercriminals steal employee passwords to gain access to information within the organization.
Their targets include additional lists of employee credentials, financial information, and company data. Whether their goal is to employ malware or just have ongoing access to the company for nefarious reasons, the entry point is often a single compromised corporate credential.
CATO attacks are becoming more sophisticated and more frequent. Successful attacks can lead to ransomware, wide-scale data breaches, and reputational damage.
Who is a Target for CATO?
Everyone is a target.
Large, high-revenue companies like national banks or healthcare organizations are targets because their payoff–whether in terms of money or data– is often massive if hackers can complete a successful attack.
However small- and mid-sized companies are targeted too. Cybercriminals are catching on to the fact that smaller organizations may not have the resources to have allocated cybersecurity protocols or IT team members to keep things locked down.
CATO attacks are difficult to detect as criminals hack into accounts with legitimate credentials. Once inside the system, it’s easier for the hackers to leverage vulnerabilities, including escalating priveleges and data theft.
What Attacks Can Lead to a CATO?
How to cybercriminals get professional credentials in the first place?
Brute Force Attacks
Unfortunately there are many ways. There are lists–for free and for sale–of credentials on the dark web. Credentials compromised from third-party data breaches are well-known as a tool. Cybercriminals can obtain these lists to use Brute Force attack methods like credential stuffing. Bad actors will also use lists of weak and common passwords in password spraying attacks.
They can also leverage the now common knowledge that most users reuse their passwords, often with minor changes to satisfy password complexity requirements. If a cybercriminal is able to obtain a users social media password, they can use the additional information gained from accessing that account to get more personally identifiable information like email addresses and work location. From there, it’s a simple step to look up someone’s professional email and see if they use the same password cross-account.
There are additional ways cybercriminlas leverage social engineering too. Once in a system, a crimnal is able to pose as a trusted source from within the company. Requesting access, information, or sending other types of phishing emails is highly effective in these moments.
Who Is Responsible for CATO Defense?
In the past, organizations have blamed the use of compromised passwords on the account owners. In the same breath, many enterprises advise clients and employees not to reuse passwords; however, this education-based approach has not worked.
The main issue is that often, users do not have a way to know whether they are selecting a exposed password, whether they are creating a new password, or if compromise happens at some point down the line.
Blocking compromised credentials is a reasonable and necessary defensive measure and is the businesses’ responsibility. The use of compromised credentials is now a well-established and available practice and needs to be part of an active cybersecurity posture.
Steps to Take
Businesses need to engage with contemporary cybersecurity issues like CATO to protect themselves, their employees, and their customers. To do so they can:
1. Screen for compromised credentials at the point of creation and on an ongoing basis.
2. Create strong password policies in line with NIST guidelines.
3. Require MFA when possible.