Security Boulevard

The Home of the Security Bloggers Network


Disorder in the Court: Unintended Consequences of ATO

by Enzoic on November 19, 2024

The most common ATO threat that individuals and businesses imagine affecting them is having their accounts hijacked, e.g. a threat actor uses credential stuffing to log in to your Netflix account and enjoys some free entertainment on your dime (or sells the account for a few dollars), or, in a more serious scenario, accesses an employee’s corporate email to send phishing emails to other employees, gain access to the internal network, and install ransomware.

But why would you worry about ATO happening to people who have nothing to do with you?

A recent FBI alert (as reported by Brian Krebs) highlighted an interesting and dangerous consequence of account takeover (ATO). As the FBI alert states, “cybercriminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests.” These email accounts are then used to make Emergency Data Requests, a type of legal requisition for information or action that bypasses much of the usual authorization process. The personal information obtained can be used for scamming, but the FBI warns that these requests can also be used to freeze and seize bank and cryptocurrency accounts.

While social engineering isn’t usually part of our immediate purview in the world of compromised credential research, these scams begin with a compromised email account from a government or law enforcement agency, and such accounts come from “mostly email-based phishing, and credentials that are stolen by opportunistic malware infections and sold on the dark web,” according to Krebs’ article. It’s worth noting that the agency itself does not have to be compromised: because of credential and password reuse, cybercriminals may be able to take over an account merely because someone used their work email for something like a Spotify account or a gym membership, and re-used a compromised password.


Consequences of ATO: How to Hack Your Password

We may not be social engineers here at Enzoic (well, except perhaps the researchers assigned to infiltrate cybercrime forums), but we do know passwords. It may seem like a simple concept, but the amount of perpetuated misunderstanding around passwords out there belies the idea that even many cybersecurity experts really understand user behaviors and vulnerabilities. Every year we see at least a few types of “most popular password” lists, which rarely provide any new information and can create a false sense of security. For example, the Identity Theft Resource Center’s Weekly Breach Breakdown on November 1st of this year repeated some misleading statistics and some dangerous advice on choosing passwords from sources that one would expect to be highly reputable. They reference this list of ‘most common passwords’ for 2024, which informs us that the most common password in 2024 is ‘123456’. But what does this actually mean?

If organizations and users are protecting themselves appropriately, then we have no way of knowing what the most used passwords are. These types of statistics are highly susceptible to confirmation bias, in that the weakest passwords are compromised the most, and thus most prevalent when looking for compromised passwords.

Compromised credentials are also constantly shared and re-shared in ever-larger aggregated lists that include passwords from decades ago, so if we count these each time we see them, the ones that have been around the longest will seem most prevalent. These days, the reality is that, even though password complexity requirements have been discredited and dropped by NIST, most applications have requirements that would no longer allow 123456. So all these ‘top passwords’ lists do is provide a false sense of security.

Myths About Password Cracking Timeframes

The podcast also repeats claims that ‘a 12-character password with just lowercase letters will take 1,000 years to crack.’ This is a rather arbitrary number that varies enormously depending on the type of hashing algorithm and amount of computing power used, but what it actually refers to is the amount of time required to calculate all possible combinations, i.e. to crack every possible lowercase 12-character password. The reality is far different. We humans are notoriously terrible at choosing passwords: we overwhelmingly use words from our native language, letter combinations that make pronounceable sounds, and strings that are easy to type on a QWERTY keyboard layout. This vastly reduces the actual amount of character space that is most likely to be used for passwords, and thus means that a non-random password stands the risk of being cracked much, much faster.

And due to password re-use, one of the first techniques that hackers try for password cracking is to use lists of previously compromised passwords (research indicates over 8 billion unique passwords). As so many have already been compromised, even things that far exceed the typical “complexity” requirements are likely to be extremely susceptible to fast cracking (if not outright vulnerable to credential stuffing).
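The arithmetic behind the two paragraphs above can be made concrete. The following is an added example, not code from Enzoic or the original post: it computes the worst-case time to exhaust the full 12-character lowercase keyspace at two assumed guess rates (the rates are illustrative assumptions, chosen only to show how much the answer moves with the hash algorithm and hardware), and sets that against two attack models the article describes: a two-word passphrase drawn from a human-sized vocabulary, and a list of roughly 8 billion previously compromised passwords. The vocabulary size is an assumption as well.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
LOWERCASE_ALPHABET = 26

# Assumed guess rates for illustration only (not figures from the article):
# a slow, memory-hard password hash versus a fast unsalted one on the same
# hypothetical hardware. The spread between them is the point.
ASSUMED_RATES_PER_SECOND = {
    "slow memory-hard hash (hypothetical rig)": 1e5,
    "fast unsalted hash (hypothetical rig)": 1e11,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of strings of `length` characters over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def passphrase_space(vocab_size: int, words: int) -> int:
    """Candidates when a password is `words` dictionary words joined together.

    Models the article's observation that people pick words and pronounceable
    strings rather than uniformly random characters, which shrinks the space
    an attacker actually has to search.
    """
    return vocab_size ** words


def years_to_exhaust(candidates: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def scenarios(length: int = 12,
              vocab_size: int = 50_000,       # assumed vocabulary size
              words: int = 2,
              breached_list_size: int = 8_000_000_000) -> dict:
    """Years to exhaust each attack model at each assumed guess rate."""
    spaces = {
        f"all lowercase strings of length {length}": keyspace(LOWERCASE_ALPHABET, length),
        f"{words}-word passphrases from a {vocab_size:,}-word vocabulary": passphrase_space(vocab_size, words),
        f"reuse of {breached_list_size:,} previously compromised passwords": breached_list_size,
    }
    return {
        model: {rate_name: years_to_exhaust(space, rate)
                for rate_name, rate in ASSUMED_RATES_PER_SECOND.items()}
        for model, space in spaces.items()
    }


if __name__ == "__main__":
    for model, by_rate in scenarios().items():
        print(model)
        for rate_name, years in by_rate.items():
            print(f"  {rate_name}: {years:.4g} years")
```

Run as written, the full lowercase keyspace takes on the order of 30,000 years at the slow assumed rate and about 11 days at the fast one, so a single "1,000 years" figure says nothing without naming the hash and the hardware; the two-word and breached-list models are exhausted within hours even at the slow rate, which is why a memorable, word-based password or a reused one is at risk regardless of its length.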

Avoiding Dangerous Password Advice

The most dangerous piece of advice provided in the podcast is that your password should be “something you can remember.” As a general rule, the easier your password is to remember, the easier it is to crack, and the more likely it is to be susceptible to account takeover. The best passwords are next-to-impossible to remember in that they are highly random, and do not exhibit any of the patterns that make things easy for humans to remember. If you cannot make use of a secure password manager (not a browser-based password manager!) and must memorize your password, make sure that it is quite long, e.g. based on a phrase instead of a single word, and makes use of a wide array of numbers, symbols, and capital letters, not just a lone exclamation point or number sequences like 123.

FAQs

1. What are the most dangerous consequences of ATO for individuals and businesses?
The consequences of ATO can range from personal account hijacking, such as unauthorized access to streaming services or social media accounts, to more severe impacts like corporate email breaches. In corporate scenarios, ATO can lead to phishing campaigns, ransomware attacks, or unauthorized Emergency Data Requests, which may result in the freezing of bank and cryptocurrency accounts.

2. How can social engineering amplify the consequences of ATO?
Social engineering plays a significant role in ATO by leveraging compromised email accounts from trusted organizations, such as government or law enforcement agencies. These attacks often exploit reused passwords or phishing schemes, enabling cybercriminals to conduct fraudulent activities like Emergency Data Requests or scamming individuals with stolen personal data.

3. What are the best practices to avoid the consequences of ATO?
To mitigate the consequences of ATO, avoid reusing passwords across accounts, use a secure password manager to create complex and unique passwords, and regularly monitor accounts for compromised passwords. Businesses should enforce strong cybersecurity practices, including multi-factor authentication, automated tools to remediate compromised passwords, and regular employee training to recognize phishing attempts and other ATO tactics.
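As an added example, not code from Enzoic or the original post, the block below shows what an automated check along the lines of the advice above and in FAQ 3 can look like at the point where a password is set: a lookup against a compromised-password corpus (the corpus here is a small constructed set; a real deployment would query a breach-check service rather than embed a list) and a few heuristic findings for memorized passwords, namely a minimum length, a spread of character classes, a lone trailing exclamation point, and sequential digit runs. The 16-character minimum and the SHA-1 prefix index, which mimics the k-anonymity range-query pattern some breach-check APIs use, are assumptions of this example. SHA-1 is used only as a lookup key for the corpus, never as a storage hash.

```python
import hashlib
import re

MIN_LENGTH = 16  # assumed policy value, not from the article

# Constructed corpus standing in for a compromised-password feed.
CONSTRUCTED_BREACH_CORPUS = {
    "123456", "password", "Summer2024!", "correcthorsebatterystaple",
}

# Digit runs the article calls out ("number sequences like 123"), in either direction.
SEQUENTIAL_DIGITS = re.compile(
    r"(?:012|123|234|345|456|567|678|789|987|876|765|654|543|432|321|210)"
)


def build_hash_index(corpus: set[str]) -> dict[str, set[str]]:
    """Index corpus entries by SHA-1, bucketed on the first 5 hex characters.

    Mirrors the range-query shape of k-anonymity breach-check APIs (assumption):
    a client sends only the 5-character prefix and compares suffixes locally.
    """
    index: dict[str, set[str]] = {}
    for pw in corpus:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


INDEX = build_hash_index(CONSTRUCTED_BREACH_CORPUS)


def is_compromised(password: str, index: dict[str, set[str]]) -> bool:
    """True if the password appears in the indexed corpus (exact match)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


def policy_findings(password: str) -> list[str]:
    """Heuristic findings for a memorized password, following the article's advice."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        findings.append("uses fewer than three character classes")
    symbols = [c for c in password if not c.isalnum()]
    if symbols == ["!"] and password.endswith("!"):
        findings.append("only symbol is a lone trailing '!'")
    if SEQUENTIAL_DIGITS.search(password):
        findings.append("contains a sequential digit run")
    return findings


def evaluate(password: str, index: dict[str, set[str]] = INDEX) -> dict:
    """Combine the corpus lookup (primary control) with the heuristics (secondary)."""
    compromised = is_compromised(password, index)
    findings = policy_findings(password)
    return {
        "compromised": compromised,
        "findings": findings,
        "acceptable": not compromised and not findings,
    }


if __name__ == "__main__":
    for candidate in ["123456", "Summer2024!", "Correct-Horse-Battery-Staple-7"]:
        print(candidate, evaluate(candidate))
```

The corpus lookup is deliberately evaluated first and independently of the heuristics: as the article notes, a password can satisfy every composition rule and still be in a breached list, and in that case the findings list is irrelevant because the password must be rejected regardless.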

 

AUTHOR


Dylan Hudson

Dylan leads the Threat Research team at Enzoic, developing and implementing cutting-edge threat intelligence infrastructure to help protect users and organizations from cyberattacks. When not at work, he can be found hiking and biking in the Rocky Mountains or playing traditional Celtic music on various stringed instruments.

*** This is a Security Bloggers Network syndicated blog from Blog | Enzoic authored by Enzoic. Read the original post at: https://www.enzoic.com/blog/disorder-in-the-court-unintended-consequences-of-ato/

November 19, 2024 · Enzoic · Tags: account takeover, Password Security, Threat Intel