article featured image


Account takeover, also known as ATO, is the act of hijacking an existing account and using it for criminal purposes. This can include using someone’s credentials to make purchases, make fraudulent transactions, or steal information.

Account Takeover Examples

The five most frequently met account takeover examples are malware replay attacks, social engineering, man-in-the-middle attacks, credential cracking, and credential stuffing.

Malware Replay Attacks

When it comes to account takeover attempts, malware is a hackers’ favorite. Once your devices are infected, cybercriminals can either use the worm itself to steal login credentials or go the replay attack route.

Attackers capture HTTP data transferred from your network to a financial institution, modify it, and retransmit it during a replay attack.

Social Engineering

Hackers often employ social engineering to trick people into providing personal information. Impersonating contacts, posing as trustworthy institutions, imitating partner branding, and forming a relationship with ulterior motivations are just a few of the common techniques used in this area.

Man-in-the-Middle Attacks

Much like social engineering, man-in-the-middle attacks rely on a deception that is usually carried out in two potential scenarios. In one of them, cybercriminals intercept your communications with a legitimate third party, such as a bank or a supplier. You will then be redirected to a hacker-controlled domain and requested to provide login credentials or other PII.

The second possible scenario involves cybercriminals completely hijacking your session and taking action on your behalf without previously expressed consent. This happens when your network is unsecured, or when JavaScript vulnerabilities are left open to attacks.

Credential Stuffing or the Breach Replay Attack

Credential stuffing is an illegal technique in which hackers attempt to log in using stolen user names and passwords on a variety of websites and platforms. The name stems from the method itself, which is “best described as trying to stuff [the credentials] everywhere”, as we previously explained in an extensive article on the topic.

Credential Cracking

In contrast to credential stuffing, which has a larger emphasis, credential cracking is often utilized by hackers that target a single establishment. Cybercriminals may gain access to your account(s) by using the dictionary method or a brute force attack.

Account Takeover Detection

Here are some ways you can detect account takeover fraud following the above-listed account takeover examples:

Detecting a Malware Replay Attack

There are a few warning indications that your network has been infected with malware, fortunately. The following are a few of the most common:

  • reduced system performance;
  • suspicious increases in traffic;
  • unfamiliar error messages;
  • strange emails delivered from your account;
  • and unusual ads or pop-ups.

During Social Engineering

Here are a few ways to recognize if your company is being targeted by a social engineering campaign:

  • unsolicited emails or text messages;
  • suspicious payment or information requests;
  • and untrustworthy customer support inquiries towards clients.

Man-in-the-Middle Attack Detection

Your enterprise might have fallen victim to a man-in-the-middle attack if:

  • customers receive fraudulent communications from you;
  • IP, HTTP, DNS, or TCP anomalies appear in a session;
  • latency anomalies appear in a session;
  • TCP and HTTP signatures in a session do not match;
  • and suspicious parallel sessions are identified.

Credential Stuffing Attack Detection

Do you suspect you’ve been targeted by a credential stuffing attack? Here’s how you can tell:

  • fluctuating spikes in traffic;
  • irregular increase of failed login tries;
  • amplified number of logins;
  • non-existent credentials attempting authentication;
  • and an upsurge in bounce rates.

Credential Crack Detection

You’ve experienced a credential crack if you noticed:

  • a spike in account locks;
  • an unusually high number of failed login attempts;
  • and customer complaints regarding suspicious activity.

How Does the Account Takeover Process Work?

Regardless of the method that is used, account takeover as a process is not a singular event. It unfolds in six separate steps. These are infection, misappropriation, transaction, validation, observation, and execution. You can find them defined below.

#1 Infection

Using social engineering practices such as malspam, pop-ups, and so on, bots deploy malware to infect vulnerable machines in your network.

#2 Misappropriation

Criminals profit from the gap in security and steal login credentials, as well as other relevant personally identifiable information (PII).

#3 Transaction

Cybercriminals sell stolen credentials on the Dark Web for a profit, or keep them and pursue fraudulent activities themselves.

#4 Validation

Fraudsters validate the stolen credentials and PII to ensure that they are correct and can be used for account takeover fraud.

#5 Observation

Fraudsters then monitor the activity on the compromised account(s) to choose an ideal moment to strike.

#6 Execution

Hackers finally perform duplicitous account activities such as fake payments, illicit online shopping, or excessive billing for their financial gain.

Heimdal Official Logo
Antivirus is no longer enough to keep an organization’s systems secure.

Heimdal® DNS Security Solution

Is our next gen proactive DNS-Layer security that stops unknown threats before they reach your endpoints.
  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Account Takeover Prevention

#1 Apply DNS Filtering on All Endpoints

Regardless of how strong your company’s password game is, fraudsters can still have a field day with your financial assets if your systems are not protected at the level of the Domain Name System. In fact, most of the aforementioned account takeover fraud methods have higher chances of succeeding if the DNS is not secured.

Heimdal Threat Prevention is a filter engine that is in charge of filtering all network packets based on the origin and destination of DNS requests. Thus, it stops man-in-the-browser attacks, finds zero-hour exploits, and keeps away data loss and data exfiltration.

Besides, there’s also Heimdal Threat Prevention Network, a solution we developed to assure network security at the online perimeter. As a result, your business will be able to stop account takeover fraud before it’s too late.

#2 Implement Two-Factor Authentication

Two-factor authentication provides an additional layer of security when logging into an account, and can thus stop account takeover.

Two-factor authentication can consist of:

  • Smartphone or token;
  • A piece of personal information, such as a PIN code or the answer to a secret security question.
  • Biometric data, such as facial, vocal, or fingerprint recognition.

#3 Implement Patch Management

Outdated, unpatched software is a huge liability for your enterprise, as it allows fraudsters to perform man-in-the-middle attacks and other hacking attempts. Patches are crucial to the cyber-health of any system. This is why we here at Heimdal Security have integrated Patch & Asset Management, a system that deploys updates and patches automatically, thus closing the security gaps in your organization’s network. What is more, installations can be scheduled at the convenience of your employees, minimizing disruptions and optimizing workflows in the process.

#4 Educate Your Employees on Cybersecurity

Proper credentials are your company’s first line of defense in the face of account takeover fraud. Therefore, you must educate employees on how to create and maintain a strong password. A strong password contains both lowercase and uppercase letters, features alphanumeric characters, does not contain easy to guess PII, and is changed frequently.

#5 Put Account Sandboxing in Place

You must also know what to do when an account takeover happens. If you consider an account suspicious, you better put it in a sandbox to properly check all of the activities related to this account. If something suspicious is found, you have also the option to block the account. This helps limit the damage from spreading further onto the network.

#6 Create an IP-block Listing

Login attempts from a single IP address are a strong indicator that someone is trying to perform a brute force attack to guess credentials. There’s also the possibility that the hacker behind this action actually employs stolen credentials to achieve account access. What can prevent this malicious activity is creating IP-block lists that block the IP when suspicious activity is detected.

#7 Limit the Login Attempts

You should set up a limit of login attempts for secure accounts in order to prevent account takeover fraud. This is a technique that works particularly on bot spamming prevention, which might be the result of the usage of multiple different IP addresses.

#8 Implement Privileged Access Management

A PAM tool will limit the time a user will have privileged access, at this access will be granted to them just to complete a specific task and restrict certain areas applying thus the principle of least privilege. Continuous and strict control over privileged accounts is the best strategy to take when wanting to stop hackers from taking over a privileged account.

Heimdal Official Logo
System admins waste 30% of their time manually managing user rights or installations

Heimdal® Privileged Access Management

Is the automatic PAM solution that makes everything easier.
  • Automate the elevation of admin rights on request;
  • Approve or reject escalations with one click;
  • Provide a full audit trail into user behavior;
  • Automatically de-escalate on infection;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

To Sum It All Up…

A strong password is your best friend when it comes to accounting takeover fraud prevention. Nonetheless, backing login credentials with an efficient suite of cybersecurity solutions will take your defenses to the next level. As cyber attackers become increasingly cunning and skilled in penetrating even the sturdiest of digital fortresses, it is your responsibility as a business owner to keep your clients and employees safe.

Has your business ever been targeted by an account takeover attempt? Do you have any thoughts on the topic? Let me know in the comment section below!

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

This article was updated by Andra Andrioaie in April 2022.

Author Profile

Alina Georgiana Petcu

Product Marketing Manager

linkedin icon

Alina Georgiana Petcu is a Product Marketing Manager within Heimdal™ Security and her main interest lies in institutional cybersecurity. In her spare time, Alina is also an avid malware historian who loves nothing more than to untangle the intricate narratives behind the world's most infamous cyberattacks.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo