Account Hijacking is where a hacker compromises a computer account that does not belong to them. Often these account hijackings are email accounts because they contain so much rich and valuable data. Then the hacker may use the compromised account to impersonate the account owner and breach additional accounts of people the Account Owner knows and who trust email from the Account Owner when its received by the unsuspecting recipient.
Generally speaking, account hijacking is done through phishing and social engineering attacks where a hacker sends a spoofed email message to a target and convinces them to log into a fake website which steals their account credentials. Other methods of account hijacking may include using a password guessing tool or simply purchasing exposed credentials on the dark web from previous successful website hacks such as those at Yahoo, Linked In, and Drop Box.
Oftentimes emails are linked to the user’s online identities at sites including social media accounts and financial accounts. Hackers can use the compromised account to steal the user’s personal information, perform financial transactions, create new accounts, ask the account owner’s contacts for money or help with an illegal activity.
None of these outcomes are what a user imagines when signing up for services online, it is always important to be aware of the cyber threats we face everyday.
Bug in ‘Sign in with Apple’ Could Have Allowed Account Hijacking
Related Terms: Phishing, Spear-Phishing
What should you do as an SMB?
These Account Hijacking attacks are generally done through phishing attacks, the most common way hackers gain access to your accounts. These attacks make it easy for hackers, as victims essentially hand over their sensitive information to the hackers, or allow them into their network when employees click on a malicious attachment. The number one way to defend against phishing attacks is through cybersecurity awareness training. Below we have created a list of what can be done to defend against phishing attacks.
- Train your employees on how to spot, avoid, and delete phishing attacks.
- Test your employees with CyberHoot’s Phish Testing attacks; re-train those that fail your tests.
- Purchase and train your employees on how to use a Password Manager. If you visit a phishing website and try to enter your password credentials using a Password Manager, you will NOT be able to.
- To protect the Internet from phishing attacks using your domain name, setup SPF, DKIM and DMARC records to block the receipt of emails masquerading as users sending phishing attacks under your domain name.