Account hijacking is when your email address gets hijacked by a criminal. The hacker then uses your compromised email account to impersonate you, the account owner. Your email account is linked to a number of online services including social networks and bank accounts. The hacker uses your credentials to retrieve your personal information and create new accounts, with the ultimate objective of performing transactions for financial gain. This happens very quickly. Before you know what is happening, your bank account has been drained or everyone connected to you on Instagram has received a request from someone posing as you to donate money to an illegitimate cause.
The most effective way to find accounts that have been hijacked is with User and Entity Behavior Analytics (UEBA). Why? Because as we’ve said before – you can steal an identity, but you can’t steal behavior.
How Does Account Hijacking Happen?
The most common techniques hackers use to hijack accounts are phishing, password guessing, malware, malvertisements, and keystroke logging. Attackers also exploit vulnerabilities through attacks such as Pass-the-Hash (PtH), brute force and remote execution to gain access to user account credentials. Incredibly, phishing is still one of the most prevalent account hijacking techniques.
Humans Click, Passwords Fail
We live in a world where people are just used to clicking on things and feeling secure doing so. Attackers today are devising ingenious ways to encourage people to believe their email link is legitimate. It is highly unlikely that anyone reading this has never clicked on something at least once that they shouldn’t have.
There are four types of phishing tactics used in account hijacking. Each is an unconventional control that injects trust into email, versus reducing trust by educating users not to trust email. A phishing email taxonomy traditionally includes:
- Domain Spoofing: This involves sending an email that appears to come from a legitimate and trusted email domain.
- Look-a-like Domains: These are registered domains that appear to look like a popular and recognizable domain, but often have one letter off, which the user does not recognize when reading the email message.
- Display Name Deception: This tactic involves the creation of email messages with a forged name of the sender, usually someone you know like your boss or CEO.
- Compromised Email Accounts: This technique represents the fastest growing tactic today, due to the billions of compromised credentials from email providers that have been breached. Phishing emails come from legitimate email accounts and email domains that are trusted by spam and phishing filters, and, in turn, the email is delivered unencumbered to the unsuspecting end user. This tactic represents the biggest challenge for enterprises today.
The Importance of UEBA to Detect Account Hijacking
One of the Top 10 OWASP (Open Web Application Security Project) vulnerabilities is related to the ‘Broken Authentication and Session Management’ scenario. This is where hackers exploit Pass-the-Hash (PtH), Pass-the-Token (PtT), Brute Force and Remote Execution to gain access to user credentials (passwords and hash). Such attacks can be detected using the underlying UEBA machine learning algorithms tuned to inspect various parameters like timestamp, location, IP, device, transaction patterns, high-risk event codes and network packets, to identify any deviation from the normal behavior of a particular account and the corresponding transactions.
This facilitates detection of any potential account hijacking or account compromise scenarios based on anomalous behavior patterns such as: abnormal access to high-risk or sensitive objects, abnormal number of activities, requests in a short time frame, activity from terminated user accounts or dormant accounts, PtH attacks and session replay attacks. Anomalies identified via clustering machine learning models and outlier analysis inconsistent with a user or peers’ normal behaviors are given risk scores based on predictive analytics to drive alerts, actions and case tickets.
- Detects anomalous behaviors beyond rules, patterns and signatures for account compromise, hijacking and sharing
- Provides 360-degree visibility for user accounts, access and activity for on-premises, cloud and hybrid environments
Stateful Session Tracking UEBA Use Case
In this use case, UEBA builds and tracks the user session state, even when a user navigates across heterogeneous resources or applications using different accounts and devices at different times. Leveraging machine learning, UEBA dynamically builds session correlation attributes used to create session context to link any subsequent activities based on a confidence factor. This enables the identification of valid IP switching due to transitions between wired and wireless networks, a workstation and a handheld/mobile device, or accessing enterprise resources from various onsite locations or remotely over VPN.
UEBA’s ability to track user sessions across these various parameters ensures a significant reduction in false positives while simultaneously delivering greater visibility into the sequence of events. It also provides the capability to drill down to specific activities performed by a user or entity while performing an investigation. This analysis also expedites the detection of session replay and hijacking attacks, highlighting any anomalous activity from a user session or concurrent sessions from the same account.
- Provides greater visibility into user activities across multiple resources or applications via with stateful session tracking
- Provides drill-down and raw log views for deep event analysis at the source
- Reduces false positives due to common scenarios like IP, account and device switching while performing day-to-day activities
- Detects session replay and hijacking attacks
Cloud Account Compromise, Hijacking and Sharing UEBA Use Case
Cloud Security Analytics addresses cloud account compromise, cloud account hijacking and cloud account sharing via API integration with SaaS applications, plus IaaS and PaaS. Visibility into Office 365 cloud applications leverages Microsoft Azure visibility for cloud infrastructure and platform information alongside cloud application activity data. The same applies to other popular cloud applications in AWS cloud environments. Identity and access management as a service (IDaaS) also plays a role for cloud environments.
The benefits of big data infrastructure with a flexible data model come into play to develop API data connectors for cloud data ingestion that may mimic on-premises functions in numerous ways. Utilizing advanced machine learning behavior models, cloud security analytics leverages this capability for cloud environments to detect account compromise, hijacking and sharing on-premises. The basic concepts of clustering and outlier algorithms to find anomalies based on normal baselines of the user and peers for predictive risk scores remains consistent with adjustments for data variety and quality. The data sources differ, and data ingestion is API-based for cloud environments.
- Detects account compromise, hijacking and sharing for cloud application accounts and privileged accounts for IaaS, PaaS and IDaaS
- Detects anomalous behaviors beyond rules, patterns and signatures for cloud account compromise, hijacking and sharing
- Combines cloud security analytics with on-premises security analytics for hybrid environment visibility in one UEBA platform
Account Hijacking Is A Serious Problem
Account hijacking has devastating consequences. If a criminal compromises your account, he can change the password for your email account and other accounts linked to your email. You can be locked out of all your services and applications in minutes. And, if your social media profile is compromised, the criminal can send your friends malicious links or files in an attempt to compromise their accounts, too. It’s a vicious cycle that can only be stopped with a mature UEBA solution.
Contact us today to find out more about Gurucul’s UEBA technology for detecting and stopping account hijacking.