Attack Technique

Account hijacking

Account hijacking is a method attackers use to take control of a user account and make their way into your network. Here’s what you need to know about this attack technique.

Definition

What is account hijacking?

Account hijacking, or user hijacking, occurs when an unauthorized party gains control of a legitimate user's account by stealing credentials, exploiting vulnerabilities, or bypassing prevention tools.

Once in control, attackers leverage the compromised account to progress through your network and launch further attacks.

How it works

Attackers use various methods to hijack user accounts. Common techniques include:

  • Phishing attacks that deceive users into providing their credentials by impersonating legitimate services via email, phone, or fake websites.
  • Credential stuffing attacks that use automated tools to try large numbers of username-password combinations, often sourced from previous data breaches. This method often works for users who reuse passwords across multiple apps and sites.
  • Social engineering to manipulate individuals into divulging login credentials and other sensitive information.
  • Man-in-the-middle (MitM) attacks, where an attacker intercepts communication between two parties to eavesdrop on the exchange of sensitive data.
  • Malware such as keyloggers and Trojans that can be used to capture login credentials from an infected device.

Once they crack a password, attackers no longer need to hack their way into your environment; they simply log in instead.
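A defender's view of the credential stuffing pattern in the list above, as an added example (not from the original page or from Vectra AI): it flags a source that fails logins for many distinct usernames within a short window and lists the accounts that same source did log in to. The log format, the thresholds and the function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.20 dave FAIL
2024-05-01T10:00:30 198.51.100.20 dave FAIL
2024-05-01T10:01:00 198.51.100.20 dave OK
2024-05-01T10:02:00 203.0.113.7 alice FAIL
2024-05-01T10:02:02 203.0.113.7 bob FAIL
2024-05-01T10:02:04 203.0.113.7 carol FAIL
2024-05-01T10:02:06 203.0.113.7 erin FAIL
2024-05-01T10:02:08 203.0.113.7 frank OK
2024-05-01T10:02:10 203.0.113.7 grace FAIL
"""

def parse_events(text):
    """Yield (time, ip, user, ok) tuples from whitespace-separated log lines."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Return {ip: sorted accounts that logged in OK during a stuffing burst}.

    A burst is min_users or more distinct usernames failing from one source
    inside the window; retries against a single account never qualify.
    """
    recent = defaultdict(deque)   # ip -> (time, user, ok) events inside the window
    flagged = {}                  # ip -> set of accounts to treat as hijacked
    for when, ip, user, ok in sorted(events):
        seen = recent[ip]
        seen.append((when, user, ok))
        while when - seen[0][0] > window:
            seen.popleft()        # drop events that fell out of the window
        failed = {u for _, u, good in seen if not good}
        if len(failed) >= min_users:
            # Any success from this source inside the burst used valid credentials.
            flagged.setdefault(ip, set()).update(u for _, u, good in seen if good)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    for ip, users in find_stuffing(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing suspected, review logins for {users or 'none yet'}")
```

The user who mistypes a password twice before succeeding (dave in the sample) is not flagged, because only one username failed from that source.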

[Figure: The account hijacking process]

Why attackers use it

Why attackers hijack accounts

Attackers hijack accounts to gain unauthorized access for malicious purposes. Taking over someone's online account (email, social media, banking, or other services) lets them exploit the account's privileges and access sensitive information. Here are the primary reasons why attackers use account hijacking:

  1. Financial Gain: Access to banking or payment accounts allows attackers to steal money, make unauthorized purchases, or transfer funds to their own accounts.
  2. Identity Theft: Hijacked accounts often contain personal information like addresses, birthdates, and social security numbers, which can be used to impersonate the victim and commit fraud.
  3. Phishing and Spamming: Compromised accounts can be used to send phishing emails or spam messages to the victim's contacts, increasing the likelihood that recipients will trust and interact with malicious content.
  4. Data Theft: Attackers can access confidential emails, documents, or proprietary business information stored within the account, which can be sold or used for competitive advantage.
  5. Reputational Damage: By posting inappropriate or harmful content from the victim's social media accounts, attackers can damage personal reputations or undermine public trust in an organization.
  6. Extortion and Blackmail: Sensitive information or embarrassing content found in hijacked accounts can be used to blackmail victims into paying ransoms.
  7. Access to Other Systems: Many people reuse passwords across multiple services. Gaining access to one account can provide attackers with credentials to infiltrate other platforms, including corporate networks.
  8. Botnet Expansion: Hijacked accounts can distribute malware or participate in coordinated cyberattacks without the owner's knowledge.
  9. Selling Access: Access to compromised accounts is often sold on the dark web to other malicious actors who may use them for various nefarious activities.

Platform Detections

How to detect account hijacking attacks

Privileged accounts are a top target for attackers, and user hijacking is a popular method for gaining access. But with the right detections, you can find and stop hijacking attacks very early in their progression. Vectra AI uses advanced AI-driven detection models to do just that:

  • The AWS User Hijacking detection shows you when it looks like an attacker is expanding to more users in your environment.
  • The AWS User Permissions Enumeration detection shows you when an attacker may be actively looking for privilege escalation opportunities.

Vectra AI also uses privileged access analytics (PAA) to closely follow accounts most useful to attackers. Together, these tools equip you to find and stop account hijacking attacks in minutes.