ABCs of UEBA: H is for Hijacking

Account hijacking takes place when your email address is the target of compromise by a criminal. The hacker then uses your compromised email account to impersonate you, the account owner. Your email account is linked to a number of online services including social networks and bank accounts. The hacker uses your credentials to retrieve your personal information and create new accounts, with the ultimate objective of performing transactions for financial gain. This happens very quickly. Before you know what is happening, your bank account has been drained or everyone connected to you on Instagram has received a request from someone posing as you to donate money to an illegitimate cause.

The most effective way to find accounts that have been hijacked is with User and Entity Behavior Analytics (UEBA). Why? Because as we’ve said beforeyou can steal an identity, but you can’t steal behavior.

How Does Account Hijacking Happen?

Above all, the most common techniques hackers use to hijack accounts are phishing, password guessing, malware, malvertisements, and keystroke logging. Attackers also exploit vulnerabilities through attacks such as Pass-the-Hash (PtH), brute force and remote execution to gain access to user account credentials. Incredibly, phishing is still one of the most prevalent account hijacking techniques.

Humans Click, Passwords Fail

We live in a world where people are just used to clicking on things and feeling secure doing so. Attackers today are devising ingenious ways to encourage people to believe their email link is legitimate. It is highly unlikely that anyone reading this has never clicked on something at least once that they shouldn’t have.

There are four types of phishing tactics used in account hijacking. Each is an unconventional control that injects trust into email, versus reducing trust by educating users not to trust email. A phishing email taxonomy traditionally includes:

  • Domain Spoofing: This involves sending an email that appears to come from a legitimate and trusted email domain.
  • Look-a-like Domains: These are registered domains that appear to look like a popular and recognizable domain, but often have one letter off, which the user does not recognize when reading the email message.
  • Display Name Deception: This tactic involves the creation of email messages with a forged name of the sender, usually someone you know like your boss or CEO.
  • Compromised Email Accounts: This technique represents the fastest growing tactic today, due to the billions of compromised credentials from email providers that have been breached. Phishing emails come from legitimate email accounts and email domains that are trusted by spam and phishing filters, and, in turn, the email is delivered unencumbered to the unsuspecting end user. This tactic represents the biggest challenge for enterprises today.

The Importance of UEBA to Detect Account Hijacking

One of the Top 10 OWASP (Open Web Application Security Project) vulnerabilities is related to the ‘Broken Authentication and Session Management’ scenario. As a result, this is where hackers exploit Pass-the-Hash (PtH), Pass-the-Token (PtT), Brute Force and Remote Execution to gain access to user credentials (passwords and hash). Such attacks undergo detection using the underlying UEBA machine learning algorithms. They provide inspection on various parameters like timestamp, location, IP, device, transaction patterns, high-risk event codes and network packets. Tune them to identify any deviation from the normal behavior. This can be of a particular account and the corresponding transactions.

This facilitates detection of any potential account hijacking or account compromise scenarios based on anomalous behavior patterns such as: abnormal access to high-risk or sensitive objects, abnormal number of activities, requests in a short time frame, activity from terminated user accounts or dormant accounts, PtH attacks and session replay attacks. Anomalies identified via clustering machine learning models and outlier analysis inconsistent with a user or peers’ normal behaviors are given risk scores based on predictive analytics to drive alerts, actions and case tickets.


  • Detects anomalous behaviors beyond rules, patterns and signatures for account compromise, hijacking and sharing
  • Provides 360-degree visibility for user accounts, access and activity for on-premises, cloud and hybrid environments

Stateful Session Tracking UEBA Use Case

In this use case, UEBA builds and tracks the user session state. It does this even when a user navigates across heterogeneous resources. It also does this to applications using different accounts and devices at different times. Leveraging machine learning, UEBA dynamically builds session correlation attributes used to create session context to link any subsequent activities based on a confidence factor. This enables the identification of valid IP switching due to transitions between wired and wireless networks, a workstation and a handheld/mobile device, or accessing enterprise resources from various onsite locations or remotely over VPN.

UEBA has the ability to track user sessions across these various parameters. Therefore, ensuring a significant reduction in false positives while simultaneously delivering greater visibility into the sequence of events. It also provides the capability to drill down to specific activities performed by a user or entity while performing an investigation. This analysis also expedites the detection of session replay and hijacking attacks. It begins highlighting any anomalous activity from a user session or concurrent sessions from the same account.


  • Provides greater visibility into user activities across multiple resources or applications via with stateful session tracking
  • Provides drill-down and raw log views for deep event analysis at the source
  • Reduces false positives due to common scenarios like IP, account and device switching while performing day-to-day activities
  • Detects session replay and hijacking attacks

Cloud Account Compromise, Hijacking and Sharing UEBA Use Case

Cloud Security Analytics addresses cloud account compromise, cloud account hijacking and cloud account sharing via API integration with SaaS applications, plus IaaS and PaaS. Visibility into Office 365 cloud applications leverages Microsoft Azure visibility for cloud infrastructure and platform information alongside cloud application activity data. The same applies to other popular cloud applications in AWS cloud environments. Moreover, identity and access management as a service (IDaaS) also plays a role for cloud environments.

The benefits of big data infrastructure with a flexible data model come into play. They develop API data connectors for cloud data ingestion that may mimic on-premises functions in numerous ways. In addition, utilizing advanced machine learning behavior models, cloud security analytics leverages this capability for cloud environments to detect account compromise, hijacking and sharing on-premises. The basic concepts of clustering and outlier algorithms to find anomalies based on normal baselines of the user and peers for predictive risk scores remains consistent with adjustments for data variety and quality. The data sources differ, and data ingestion is API-based for cloud environments.


  • Detects account compromise, hijacking and sharing for cloud application accounts and privileged accounts for IaaS, PaaS and IDaaS
  • Detects anomalous behaviors beyond rules, patterns and signatures for cloud account compromise, hijacking and sharing
  • Combines cloud security analytics with on-premises security analytics for hybrid environment visibility in one UEBA platform

Account Hijacking Is A Serious Problem

In conclusion, account hijacking has devastating consequences. Let’s say a criminal compromises your account. Now he can change the password for your email account and other accounts linked to your email. He locks you out of all your services and applications in minutes. And, your social media profile is a victim of account compromise too. Now, the criminal can send your friends malicious links or files in an attempt to compromise their accounts. So, it’s a vicious cycle that can only be stopped with a mature UEBA solution.

Contact us today to find out more about Gurucul’s UEBA technology for detecting and stopping account hijacking.

Prev: ABCs of UEBA: G is for Gurucul Next: ABCs of UEBA: I is for Insider Threat