
Risks of account hacking and how to counter them

04.11.2024

Ruslan Rakhmetov, Security Vision


Digital communication is increasingly replacing interaction in the real world, and the spread of digitalisation, remote work and various online communication services is reinforcing this trend. As a result, when communicating via email, messengers and social networks we have to trust the digital profile of our interlocutor, whether a friend, a colleague or a manager. Some characteristics of live communication do carry over to the digital environment (manner and style of communication, the turns of phrase a person uses), but in correspondence it is quite difficult to confirm the identity of the interlocutor by non-technical means. Moreover, even voice and video calls can be hard to verify because of the widespread use of deepfake technologies by intruders. In this article we discuss what risks of account hacking exist and what the consequences may be, and describe methods of detecting and counteracting account compromise.


By account we mean the set of data needed to verify the authenticity of a user on a website, in an online service or in a mobile application: login (email address or phone number), password, answer to a secret question, code word, private cryptographic key (when logging in with certificates), fingerprint or face image (when logging in with biometrics), PIN code, or a code from an SMS or push notification. Such data are called credentials, and the process of verifying them is called authentication. One of the important objectives of cyber security is to keep credentials confidential (unknown to outsiders), and this is also one of the main principles of personal cyber hygiene.


For the purpose of cyber hygiene, it is advisable to categorise the main personal accounts into several groups according to their level of criticality:


1. The most critical accounts:


1.1 An email account that is used to access government websites (e.g., the Government Services portal), financial services (e.g., bank and fintech service websites), or websites that process a large amount of personal information, real personal data and payment information (e.g., social networks, messengers, insurance and medical company services, taxi ordering applications, delivery services, gaming platforms, streaming services, online cinemas). With the credentials for such a primary email, an attacker can gain access to a critical service through the password recovery functionality, since the link to restore access and set a new password usually goes to the email used during registration. In addition, the primary email account can store a lot of personal information, including photos, documents and correspondence, which can be used for blackmail, for sale on the black market, or for organising sophisticated phishing attacks against people in the original victim's social circle. Losing access to the main email account can also lead to the theft of a ‘digital identity’, i.e. obtaining the full set of data necessary to register in any service without personal presence. For example, attackers can reissue a SIM card (by finding an old power of attorney, passport data or signature sample in the mail archive), gain access to the Government Services portal even if two-factor authentication by SMS code is enabled, take out a loan or subscribe to a carsharing service.


1.2 Accounts for access to critical sites and web services listed above - government, financial, medical services, social networks, messengers. By gaining access to credentials, attackers can withdraw available funds (including cryptocurrency and quasi-currencies such as reward points), arrange loans, take advantage of loyalty programmes of the attacked user, obtain personal data, including medical records, to blackmail or sell the obtained information on the data black market.


1.3 Account for access to telecom services (mobile, internet). Unauthorised access to the personal account of a user of telecom services may lead to the compromise of other services - for example, a request for SIM card reissuance may be submitted through the ‘personal account’ of a mobile operator or forwarding of incoming calls may be set up (the last few digits of the number on an incoming call may be used as a second factor).


2. Accounts of medium criticality level:


2.1 An email account that is used to register for services of medium criticality, e.g. websites and applications of shops, tour operators, discount and coupon services, etc. Such services may be initially perceived as not containing important information - for example, an application was installed to try its functionality, but registration turned out to be mandatory. As a result, there may be a situation when an application or service is liked, and more and more important information is gradually accumulated in it, but the account is registered to a secondary (not primary) e-mail address that cannot be changed in the application. Thus, the secondary email address can gradually and imperceptibly move from the category of unimportant to ‘main’, which increases the requirements for protection, and its compromise will allow attackers to gain access (by password recovery) to services that have become important.


2.2 Accounts for accessing non-critical sites and web services. Similar to the situation with a secondary email address, an account for some initially insignificant service may have been created in a hurry, the password chosen was not complex enough, and the second factor was not connected. Gradually the service is used more and more often, important information is accumulated in it, but additional security settings are not remembered. Accordingly, the negative consequences of account compromise for such a service increase over time.


2.3 Accounts for access to forums, gaming platforms, ad placement services, dating sites and new social networks that are still gaining popularity. Having created an account on such a resource for a one-time operation, the user may start actively using it in the future, accumulating a large amount of sensitive information, bonus points or quasi-currency. For example, ad placement services may publish data that reveals a person's wealth or interests, gaming platforms may gradually accumulate in-game currency that can be converted into real money, and dating sites may hold personal data or private information that attackers can use for blackmail. On forums and other sites for thematic communication, a user may accidentally disclose sensitive personal information or post a photo of themselves during a discussion, which can also be used by scammers and blackmailers.


3. Least Critical Accounts:


3.1 A temporary email account that is used to sign up for a low value website or service. Such email addresses are used to perform one-time actions (e.g., view information, download a file) on sites that are not expected to be used in the future.


3.2 Accounts for one-time access to non-critical sites and web services. If a user believes with a high degree of certainty that he or she will not use a particular web resource in the future, the account for accessing it can be considered non-critical.


3.3 Temporary logins without creating a full account. Some sites allow you to log in via a one-time SMS code without creating a password or specifying additional information about the user in the profile. On such resources it is advisable to use an additional (backup) phone number that is not used for authentication on critical sites.


So, compromised accounts can be used to steal money, take out loans, steal information for blackmail or for sale on the Darknet, craft elaborate phishing messages and deepfakes to mislead the victim's friends and lure money out of them, steal their accounts or spread malware. Abandoned accounts that have not been used for a long time are also of interest to attackers: firstly, passwords for such accounts may be found in various old data leaks, which simplifies the attack; secondly, even old profiles may contain a lot of valuable information or bonus points accumulated over a long period; thirdly, such accounts can be used for phishing attacks, spreading misinformation or malware without the risk that the owner will notice suspicious activity on the account. Careful attention should also be paid to unused SIM cards: check which services are bound to the old phone number and, if necessary, update the number in those services, because after a certain period of inactivity the number may be transferred to another subscriber, who may try to log in to various sites with it under the old owner's account.


In order to resist account hacking effectively, it is necessary to understand how credentials fall into the hands of attackers. There are several main ways:


  1. Phishing attacks: users themselves enter their login and password on a fake web page or hand the data to attackers by phone or via messengers.
  2. Data leaks: one of the hackers' goals is to obtain user credentials for the service under attack. Some services store logins and passwords in an insecure, plaintext form, which allows attackers to use them immediately; in most cases, however, credentials are stored in hashed form, so attackers need more time to recover them.
  3. Malware: infostealers, spyware, keyloggers and other types of malware have functionality to steal credentials, including those stored in browsers and password managers.
  4. Bruteforce: this method is used less and less frequently, as most modern web resources block further password guessing after several failed attempts, but distributed attacker infrastructure can help bypass these restrictions in some cases.
  5. Dedicated leak sites, darknet forums and initial access brokers. Dedicated Leak Sites are sites on the Darknet where cybercriminal groups distribute massive amounts of data stolen in leaks, and where valid accounts for various services may be found. Infostealer logs and phishing harvests may be sold or distributed on darknet forums, where valid accounts may also be found. Initial Access Brokers are attacker trading platforms specialising in stealing accounts for various services (mostly corporate) and selling them on the Darknet; the buyers may be other cybercriminals, such as ransomware groups or cyber spies, who then freely gain unauthorised remote access to the infrastructure of the company they are interested in.


Thus, the following measures can be recommended to protect accounts:


  1. Pay close attention to websites where you are required to enter credentials: phishing resources mimic real websites, copying the interface of genuine services with precision. You can use multi-factor authentication and passkey technology to secure your credentials, as well as some of our other recommendations.
  2. To reduce the likelihood of leaked credentials being used, set complex and unique passwords: if a web service complies with basic cybersecurity recommendations, passwords and other authentication information are stored in hashed form, so attackers will first try simple and frequently used passwords (e.g., qwerty or Moscow2024) to recover passwords in the clear.
  3. To reduce the likelihood of malware stealing credentials, do not use password managers built into browsers (especially those that do not allow you to set a master password). Third-party password managers also do not provide 100% protection, so you should visit critical sites in Incognito mode (this also protects against cookie theft), not save passwords for them in your browser or in text documents, and enter them manually. Infostealers and other malware can not only steal saved passwords but also have keylogger functionality, i.e. they record all keystrokes, so even entering a password manually will not protect the user on an infected PC.
  4. You can use different email addresses for registration on different web resources. For example, use one email for government services, another for financial services, and a third for social networks. This approach helps to minimise the consequences if one of the email accounts is hacked. At the same time, be attentive to the option of specifying a backup email address when creating a new mailbox, as compromise of the backup address would allow an attacker to gain access to the mailbox you are creating.
  5. Be attentive to the option of logging in or registering on a site via a Google, VK, Yandex or similar account: on the one hand, this lets you avoid creating a new account and inventing another complicated password; on the other hand, compromise of the main account (Google, VK, Yandex, etc.) will also compromise all related accounts on third-party services.
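As an added illustration of recommendation 2 (hashed storage plus passwords that are not on attackers' first-try lists), here is a defender-side Python example that is not code from Security Vision or from the article: it rejects deny-listed or short passwords at registration, stores accepted ones with salted PBKDF2-HMAC-SHA256, and audits a legacy store of unsalted SHA-256 hashes for deny-listed passwords so that those users can be forced to reset. The deny list, the 12-character minimum, the iteration count and the sample store are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed deny list standing in for a breached/common-password corpus.
# A real service would check against a far larger leaked-password set.
COMMON_PASSWORDS = {"qwerty", "123456", "password", "moscow2024", "admin"}

MIN_LENGTH = 12            # assumed policy minimum
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def is_password_acceptable(password: str) -> bool:
    """Reject short passwords and anything on the deny list (case-insensitive)."""
    if len(password) < MIN_LENGTH:
        return False
    return password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store as 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a random salt,
    so equal passwords of different users get different hashes and a
    precomputed table of common passwords is useless against the store."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never authenticate against it
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


def legacy_unsalted_sha256(password: str) -> str:
    """The kind of fast, unsalted hash that offers no protection for a common password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit_legacy_hashes(store: Dict[str, str]) -> Dict[str, str]:
    """Flag users whose legacy unsalted SHA-256 hash equals the hash of a
    deny-listed password; returns {username: matched_password} so the service
    can force a reset and migrate those accounts to hash_password()."""
    table = {legacy_unsalted_sha256(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in store.items() if h in table}
```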
