What is Corporate Account Takeover?
Corporate account takeover is identity theft of a business where fraudsters steal employee passwords and other sensitive credentials to gain access to a business’s bank account or other accounts that contain highly sensitive information. Once they have access to a business’s bank account, for example, they can then initiate fraudulent ACH transactions.
According to Security Boulevard(3), there are six main industries in which companies are targeted by account takeover fraud. These six industries are:
Media and entertainment industry
A thriving parasitic ecosystem is on the verge of overpowering the music and video streaming industry. Criminals follow a straightforward model here: they steal login credentials from premium customers and sell them at a lower price for illegal access.
Account takeover attacks also threaten banks, insurance companies, and other financial institutions. Fraudsters steal victims’ credentials or use phishing techniques to trick banks and gain complete control of millions of accounts.
The hospitality industry is a popular and easy target for fraudsters to deploy account takeover strategies. Hackers often steal reward balances and exploit them, resulting in the loss of loyal customers and damage to the brand’s reputation.
The sports industry is a lucrative business. With sensitive information, athlete negotiation figures, medical records, strategy documents, and intellectual property, fraudsters are on the lookout for loopholes to steal those assets.
Account takeover is a complex challenge for the retail industry too. Fraudsters make money from such attacks in a number of ways. Examples include ordering goods with the hacked account, purchasing gift cards, redeeming rewards points, and, worst of all, selling compromised accounts on the dark web.
Gaming platforms have always been on the account takeover radar. Cybercriminals steal in-game payment information and make illegal purchases. They also use stolen account information to pull off phishing scams, luring other players into opening links that promise a free character or in-game currency.
Corporate account takeover should be taken seriously not just by companies in the above industries, but by businesses in every industry. Such attacks are one of the most dangerous and damaging cyber threats to companies and their clients in the world today.
Corporate Account Takeover Incidents
Even big companies that have access to all major fraud prevention software and systems can still fall victim to account takeovers.
In February 2020, it was revealed that sporting goods retailer Decathlon accidentally exposed more than 123 million records on an unsecured Elasticsearch server. According to a report by Alex Scroxton(4), the exposed data was discovered by Noam Rotem and Ran Locar of vpnMentor’s security research team. It included sensitive information such as employee system usernames, unencrypted passwords, API logs and usernames, and personally identifiable information relating to Decathlon staff.
In their disclosure, Rotem and Locar said, “The leaked database contains a veritable treasure trove of employee data and more. It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information.”
A hacker hit the website of fashion retailer J. Crew in the spring of 2019(5) and accessed sensitive information in some users’ accounts. It wasn’t until this March, however, that the company notified customers whose accounts had been accessed without authorization and told them that the third-party hacker had obtained personal information, including the last four digits of credit cards, expiration dates of credit cards, billing addresses connected to those cards, order numbers, shipping confirmation numbers, and shipment status of those orders.
Jonathan Knudsen, senior security strategist at Synopsys, advised affected users to engage in good cyber hygiene such as changing their password on other sites(6). “For users, there is nothing good about the credential stuffing attack at J. Crew, but there are some useful lessons to be learned,” he said.