Corporate Account Takeover (CATO)
Corporate Account Takeover (CATO) is a type of account takeover (ATO), where the target account belongs to a business as opposed to an individual. Account takeover occurs when an attacker manages to gain unauthorized access to a legitimate account – access which he uses to carry out nefarious activities such as initiate a fraudulent payment or wire transfer, steal sensitive data, etc.
To take over an account, the attacker needs to gain access to its access credentials (i.e. username and password, security token, etc.). Access credentials are stolen using phishing attacks, phone calls, and even social networks. Another way to steal account credentials is to infect a user’s computer or mobile device with malware capable of recording login credentials and passcodes and reporting them back to the criminals.
Examples of corporate account takeover attacks occasionally make their way to the courts, where the full detail of the attack can be discovered. For example, the Patco Construction Company sued Ocean Bank after Patco’s computers had become infected with malware, allowing fraudsters to make six wire transfers using the Automated Clearing House (ACH) transfer system amounting to more than $588,000. Only $243,000 of the stolen money was recovered.
Patterns of cyber incidents over the recent period are pretty conclusive: the danger of CATO attacks is an evolving one. Over the past years, major enterprises across several industries have left open vulnerabilities to account takeover.
A landmark case of a CATO attack occurred in back in 2011, when the Maine-based firm Patco Construction sued Ocean Bank for negligent security practices. According to the claim, Ocean’s lax authentication protocols allowed attackers to obtain login credentials of senior Patco employees. This in turn granted them authorization to transfer over half a million dollars from Patco’s accounts.
Almost four years after the Patco – Ocean lawsuit, the case of the BancorpSouth fraud erupted in the news. BancorpSouth’s corporate client Choice Escrow and Land Title (LLC) had $440,000 stolen from their accounts after hackers obtained the login data of Choice’s executives. In this case, a federal court placed the blame on the fraud victim, stating that Choice had not done enough to secure its own authentication details.
Despite years of instances of corporate account hijacking, the world of IT is still largely exposed to the threat of CATO. Last month, Indian researchers discovered a series of vulnerabilities in multiple Microsoft applications, including Office 365 and Outlook. The flaws allowed hackers to trick accounts into forwarding them authentication details. As analysts at TechCrunch put it “Anyone’s Office account […] could have been easily accessed by a malicious attacker, and it would have been near-impossible to discern from a legitimate user.”
There are different ways to protect against CATO, depending on the type of account and how it is accessed. Generally speaking, the following protection measures are used:
• Multifactor authentication, which prevents access to an account without a second factor of authentication that is implemented as a separate hardware device (i.e. smartcard, OTP token, biometric sensor, etc), or installed/stored on a separate computing device – typically a mobile device belonging to the accountholder.
• Phishing prevention solutions that aim to prevent credential theft.
• Malware protection to prevent malware-based credential theft.
• Fraud prevention technology that analyzes transaction originated from an account, to identify the anomalous ones that do not follow normal patterns, and that may indicate fraud.