Account Takeover Attack – Not for Detect-It-Yourselfers


Do you like to fix things yourself? Handy with tools at home or work? Maybe even tech-savvy and smart with online security tools?

Every company, even one without an IT department, has someone who is the go-to person for IT issues. In this post we explain why companies should not try to collect data on their compromised corporate credentials themselves. It requires a professional and should not be attempted by amateur Do-It-Yourselfers (DIY).

What is an Account Takeover?

An account takeover is a type of identity theft where cyber thieves gain control of a business’ or individual’s online account by using stolen passwords and other credentials. For example, a takeover of an online account allows the attacker to log in to a corporate account, check the permissions to understand what level of access to sensitive data it has, and try to escalate privileges by attacking other company accounts.

Account Takeover Anatomy

Account takeover attacks are carried out by testing lists of stolen credentials against authentication services exposed online. Credentials that are still valid will pass authentication procedures and open the account to attack and plunder.

The three main methods for compiling credentials are:

The following chart lays out the whole exploit methodology and sequence.

Risks

Token Gathering                  | Token Usage
---------------------------------+----------------------------------------------------------------------
  • Farming/Cracking             | Attacker uses stolen session to impersonate victim and take over
  • Cross-site scripting         | their session
  • Phishing/Malware             |
---------------------------------+----------------------------------------------------------------------
  • Purchase via Darknet         | Attacker uses password to log in as victim
  • Brute-forcing                |
  • Credential stuffing          |
  • Phishing/Malware             |

Credit to – Account Takeover Attacks: An Overview, Goran Begic, Sep 22, 2016

Detection is Prevention

For a corporation, protecting yourself means knowing if and when your employees’ credentials have been compromised. It is critical to detect when the compromise occurs so the credentials can be restricted or changed. This will render the credentials harmless and prevent the account takeover attack from succeeding.

There are two basic detection methods.

  1. Subscribe to a service or threat intelligence that will deliver real-time information about your employees’ leaked credentials. This is the Hire-A-Professional method.
  2. Try to put together an internal infrastructure that will collect leaked credentials. This is the amateur Do-It-Yourself (DIY) method.

Choosing The Right Detection Method

Hire a Professional Method

Use a service that monitors for compromised credentials and can be easily integrated with your existing infrastructure.

Such services detect if your employees’, partners’, or customers’ credentials become compromised. The service will know and report when monitored credentials are leaked into the hands of potential malicious actors. The service can be integrated with your credentials repository (e.g. Active Directory), so that your organization can react quickly and reduce the time to discovery. Time to discovery is critical because it is a key factor in limiting the extent of the breach.

  • Monitoring services can be affordable and are effective. They do not burden your IT department manpower, and may actually reduce labor costs.
  • Monitoring services have access to the Dark Web. This is both talent and connections that your IT people are not likely to possess.
  • Monitoring services will isolate your company from exposure to threat actors while gathering compromised credentials data.
  • Monitoring services protect your company from the potential legal complications related to compromised credentials data gathering.
  • Monitoring services will perform all of the legal and regulatory tasks on your company’s behalf.

Do-It-Yourself Method

Setting up an organization for the collection of compromised credentials is a challenging endeavor and very likely it is not going to produce the desired results.

  • To be effective in collecting compromised credentials, your organization must be able to go deep in the Dark Web, to access invitation-only forums, and to collect credentials from foreign markets and actors.
  • Staff people must work full-time to build a reputation on the Dark Web to get the necessary access. Such people are usually former hackers. It is risky to hire such people because you never know when they may decide to change sides.
  • Supporting such an operation requires 5-10 people. This may be a significant labor cost increase to your organization.
  • While collecting compromised credentials, your organization will come into possession of Personally Identifiable Information (PII data) of other persons and companies. There is a legal risk associated with possessing such credentials.
  • While collecting leaked credentials, your team could become a target for attackers who want to combat your activity.
  • Your company will be exposed to a legal risk if your company’s repository of compromised credentials gets hacked and is used against another organization. The victim organization or the FTC could press a lawsuit.
  • Because leaked credentials are the PII of another organization, your organization must handle those credentials according to all PII regulations. This can be a costly and tedious process for your team.

VeriClouds was founded by Rui Wang and Stan Bounev in 2014 to resolve the authentication security issues in Cloud Services. Information Security is not just a business opportunity. It is a calling, a passion, even an obsession. Rui and Stan joined forces to create ways to make the world more secure by making it safer to do business online. Rui has a Ph.D. in Cyber Security, and Stan is a successful entrepreneur with over 14 years of corporate and startup experience in the banking and technology industries.
