The Browser’s Role in Account Takeover Attacks

by Talon Research
March 8th, 2022

Have you ever received a notification that one of your accounts was logged into from a random location? Congrats—you were probably a victim of an account takeover scam. The bad news is you then had to immediately change passwords for all your critical services.  

The good news is that next time such an attack can be prevented, for it most often starts in the browser. But before presenting a solution, here are ways in which an account takeover occurs by way of a standard unprotected browser. 

What is an account takeover? 

An account takeover usually refers to a bad actor gaining authenticated access to an online account belonging to a valid user. A common threat actor goal is to get some easy money, such that those businesses most often targeted are financial institutions and eCommerce companies.  

Such organizations attempt to keep a high level of trust with customers; failure to maintain that could destroy their business over time. Thus, each needs to truly validate who each user is behind any activity, but accurately IDing an authorized person in our digital world can be significantly challenging. 

The data leakage blast 

Many account takeovers start with credential leakage—stolen sets of valid credentials existing in the wild that are readily available to all comers. A threat actor can leverage these to perform such an attack. 

Companies are breached every single day, exposing numerous sets of valid credentials. One compilation containing 82 billion passwords was leaked a few months ago on a well-known hacker forum in what appears to be the largest collection of all time. Here is a list of the largest breaches of all times: 

This makes account takeover easier than ever—most probably by way of a brute force attack. Such credential availability has permitted account takeover fraud to thrive.  

Account takeover by brute force 

Once a bad actor gets access to a list of user names or email accounts (usually via the dark web) without the corresponding passwords, they can initiate an automated brute force entry (passwords submitted in succession by bots) until they successfully log in. 

Barracuda Networks research reveals that bad bots accounted for 39% of internet traffic in the first half of 2021, with some being used for account takeover purposes. Such automated attacks are why well-secured websites limit the number of login attempts. 

It’s all too easy for an attacker (or their bots) to guess commonly used passwords such as “1234567,” “qscwdv,” or “Password,” along with their hashes. Or users might use ordinary short words as their passwords, thereby permitting a dictionary attack to easily succeed. To thwart this type of attack, we’ve seen strong passwords come to the fore; these include mixed-case alphabet characters, numerals, and special characters. 

Account takeover by phishing 

Old-fashioned credential phishing and social engineering remain effective ways to obtain a victim’s password. Phishing usually comes by way of email messages, text messages, or attachments containing links to fake websites that mimic legitimate ones. Via social engineering, phishing sites get users to log in to what they think is a genuine site, giving hackers their credentials unknowingly. Spear phishing is a more sophisticated method that’s particularly hard to catch, as it’s highly targeted and seemingly realistic. 

Buying credentials on the dark web 

Cybercriminals don’t need to be sophisticated anymore. They only need to buy stolen credentials for a targeted platform from a site such as Genesis Market. 

This example illustrates how any bad actor, even one who is highly inexperienced, can purchase credentials on the black market for almost every well-known service. The right-hand column shows the price for each bot, with prices increasing as a bot offers a higher number of credentials. Such bots sit on a user’s endpoint or in their browser and collect all of their credentials during all login actions.  

When a bad actor has obtained a valid username and password combination for one site, they likely can hack accounts at other sites as well. And they might scale up their attack by using the same credentials at multiple banks and eCommerce websites. 

If the hacked user has reused the same username and passwords for additional sites, the attacker has a free pass to them as well (and the user will have to painstakingly restore and change all of their personal accounts). 

Account takeover with no credentials by manipulating the website 

Sometimes a threat actor doesn’t even need user credentials. If an application is vulnerable to an XSS (cross-site scripting) attack, they can perform such actions as stealing a session ID that can lead to an account takeover. 

If the victim is using an application vulnerable to cross-site request forgery (CSRF) and their phone number and email fields are editable within a given account, all the attacker has to do is: 

  1. Change those fields to the attacker’s phone and email address. 
  1. Request a password reset. 
  1. Take over the account.  

Afterward, sometimes an attacker will change the fields back to their prior values to hide their tracks. 

Next is a proof of concept (POC) published by a user on hackerone, a popular whitehat website. Many techniques can be used for an account takeover, several of which involve the browser: 

Account takeover by manipulating browsers 

The browser saves user credentials, along with other private details, in an encrypted form on the local disk. The riskiest situation is when a sophisticated attacker collects the usernames and passwords from the disk, decrypts them, then takes over the victim’s accounts. And a short glance at browsing history informs the attacker which bank the victim uses. 

Keylogging is another highly common method for stealing credentials from the browser. Installed and activated by an attacker, a keylogger records keyboard entries, often to steal passwords or other sensitive data. Google states that 788,000 credentials were stolen in this way over one year beginning in March 2016. 

Moreover, security researchers periodically discover malicious Chrome extensions “performing a malicious activity [ranging] from stealing usernames and passwords to stealing financial data,” says Etay Maor, senior director of security strategy at Cato Networks.  

A malicious extension can also redirect users to ads or phishing sites, collect browsing history, gather personal data such as birth dates, email addresses, active devices, and even download further malware onto a device. Such extensions can be created with malicious code from the get-go, or they can be updated with it once they gain a certain level of popularity. 

By stealing an access token from a vulnerable browser, a hacker gets immediate access to a service without having to fuss with credentials or even MFA—just like if you check the “Remember me” box and access the same website the next day. A common way to accomplish that is by stealing the cookie associated with that site. 

Adversaries can leverage OAuth authorization by constructing a malicious application that can grant access to resources using the target user’s OAuth token. Once such a token is granted, the application access token can provide long-term access to features of the user account. Since Auth0 recommends storing tokens in browser memory as the most secure option, a vulnerable browser can grant them to an adversary. Here, multi-factor authentication (MFA) won’t help the user since the presence of the access token means the user is already connected to the service. 

Protecting account takeovers 

Many ways exist to avoid account takeovers. Some of them include training to recognize phishing attempts, but others relate to enforcement on your various SaaS services: 

  • Apply MFA for any sensitive service.  
  • Use single sign-on (SSO) to avoid use of multiple passwords. 
  • Use strong, complex, and unique passwords.  
  • Enforce a policy for users to change their password every three months and not reuse prior passwords. 
  • Limit the number of login attempts before an account gets locked. This blocks any brute force attack even if it uses multiple IP addresses. 
  • Track connected device locations; alert when access is from an irregular locale. 

In addition, you can monitor threat intelligence feeds to identify users who are part of password leaks, as well as blocking indicators of compromise (IOCs) in the server. 

To mitigate browser-related risks, you can restrict access to enterprise services only by way of a secure browser only (such as TalonWork). You will prevent miscreants from stealing credentials, authentication tokens, or leveraging browser vulnerabilities or malicious extensions to perform account takeover attacks. 

Conclusion 

If you’re not one to write your passwords in a notebook, hide a sheet of them under your keyboard or in your back pocket, you might well be managing your passwords in your browser. You’re readily exposed to identity theft and account takeover attempts. 

Since account takeover can occur using a number of methods, preventing it at the first line of defense—the browser—is essential. TalonWork uses enhanced browser functionality to create a secure workspace, thereby helping to make your enterprise safe everywhere and at any time.  

Many companies can offer password management, but that means another third-party vendor has exposure to your users’ credentials—alongside the insecure browser. Instead, the TalonWork secure browser adds additional protection, such that the risk of account takeover from endpoints is significantly lower compared to standard browsers. Let us show you more about TalonWork in our demo

Be the first to know.