The Account Takeover Runbook

Victims of account takeover have a lot of work to do. Sometimes, “reset your password” is not enough.

Worse, that limited advice may cause them to be victimized repeatedly.

A well-executed attack retains access to an online account in a myriad of ways. Almost every product has obscure features through which access can be maintained in a way that survives the mitigation of a simple password reset.

To really investigate an account takeover, you have to sit with the victim, walk through mitigation, and remember all of the little corner cases that can be tricky to clean up.

In the last six months or so, I’ve kept notes on most online webmail and social media services, looking for obscure settings that need to be checked. I’ve broken them down here to be service-agnostic, so the list should apply to almost anything.

Start reviewing the account from a secure machine.

If you want to start by eliminating platform related attacks, you may want to scroll down to “Regressions” and approach this problem from there.

Remove SMS Dependencies.

Reset the password.

Enable Multifactor / Two Step / Two Factor / Login Approvals

Inspect Sessions / Destroy Sessions

As you run through these backdoor opportunities, the adversary’s ability to regain access while you are responding will vary from step to step. So, depending on your breach, consider working through them in an order that reduces the attacker’s window of opportunity as much as possible.

Remove applications that are unnecessary, suspicious, or unfamiliar.

There are “in the wild” attacks that take advantage of application platforms to retain access to accounts, so these should be inspected on all suspicion of an account takeover.

These are especially nasty because they’re usually buried among lots of legitimately used applications.

You want to work with the victim and eliminate all applications that are not used or look suspicious.

This is usually the most frustrating part of account recovery. With Facebook this can be really hard, since many of these are used for authentication. If the victim is in serious trouble, you can consider working with them to start from scratch and eliminate it all.

Secure any linked accounts or remove maliciously added accounts.

Review recovery addresses for attack, or secure any existing accounts.

Make sure the recovery address wasn’t changed during the attack; a changed one is a direct backdoor.

Remove unknown phone numbers or vulnerable phone numbers.

Make sure the phone number wasn’t changed during the attack; a changed one is a direct backdoor. Text messages to a phone number can often be rerouted through various attacks, so consider eliminating the number altogether, even if it is a legitimate one, just to reduce the unknowns.

Review forwarding and filters that are pushing data externally.

This is a tricky one with some accounts, as people will have either a ton of filters or none. Some features will allow you to forward an entire account’s email offsite, like this one with Yahoo!

Much less noisy, and what I see most often, is the use of filters to automatically delete account-related email. In theory, filters could also be used to forward reset emails for others to access, as with the Gmail forwarding feature.

Additionally, within Gmail, there are several other features for downloading mail. Any sort of export feature should be sought out and removed from a compromised account.
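As an added example that is not part of the original post, here is a small triage script for the filter check above: it reads a Gmail-style filter export and flags filters that forward mail to a domain the victim does not own, or that trash, archive or mark-as-read mail matching account-recovery keywords. The Atom/apps:property layout and property names such as forwardTo and shouldTrash are my assumption about that export format, so verify them against a real export; the sample export is constructed.

```python
# Added example (not from the original post): triage a Gmail-style filter
# export for filters that forward mail off-account or silently bury
# account-related mail. The XML layout (Atom feed, apps:property elements)
# and property names are an assumption about Gmail's "Export filters"
# output; check them against a real export before relying on this.
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Words that typically appear in password-reset and login-alert mail.
ACCOUNT_KEYWORDS = ("password", "reset", "security alert", "verification", "sign-in", "login")

def parse_filters(xml_text):
    """Return one dict (property name -> value) per filter entry in the export."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
            for entry in root.iter(ATOM + "entry")]

def suspicious_filters(xml_text, owner_domains):
    """Return (index, reasons) for each filter that exfiltrates or hides mail.
    owner_domains: lowercase domains the victim legitimately controls."""
    findings = []
    for idx, f in enumerate(parse_filters(xml_text)):
        reasons = []
        fwd = f.get("forwardTo")
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in owner_domains:
            reasons.append(f"forwards to external address {fwd}")
        criteria = " ".join(f.get(k, "") for k in ("from", "to", "subject", "hasTheWord")).lower()
        hides = any(f.get(k) == "true" for k in ("shouldTrash", "shouldArchive", "shouldMarkAsRead"))
        if hides and any(word in criteria for word in ACCOUNT_KEYWORDS):
            reasons.append("buries account-related mail (trash/archive/mark read)")
        if reasons:
            findings.append((idx, reasons))
    return findings

# Constructed sample export: one benign filter, one exfil filter, one hiding filter.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><apps:property name='from' value='newsletter@example.org'/>
         <apps:property name='label' value='News'/></entry>
  <entry><apps:property name='hasTheWord' value='invoice'/>
         <apps:property name='forwardTo' value='collector@attacker.example'/></entry>
  <entry><apps:property name='subject' value='Password reset'/>
         <apps:property name='shouldTrash' value='true'/>
         <apps:property name='shouldMarkAsRead' value='true'/></entry>
</feed>"""

if __name__ == "__main__":
    for idx, reasons in suspicious_filters(SAMPLE_EXPORT, {"victim.example"}):
        print(f"filter #{idx}: " + "; ".join(reasons))
```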

Remove any “Application Specific Passwords” that will bypass auth.

This feature is especially damaging in an account takeover scenario, because app-specific passwords are rarely, if ever, destroyed by a password reset. If the attacker has created one, it leaves them simple access behind.

Take a quick peek at any app-specific passwords that have been created, since they will bypass a password reset and likely any multifactor protection you have set up as well.

Review devices that might be authenticated to the account.

Facebook: Make sure “Trusted Contacts” was set up intentionally.

Facebook: Make sure “Legacy Contact” was set up intentionally.

Make sure this is not set to anything unfamiliar to the victim.

Profile Picture Login

Upon a regression, reconsider the vector.

Extensions

Host

Keylogging

Network

Unreliable Victim

@magoo
