The Account Takeover Runbook

Victims of account takeover have a lot of work to do. Sometimes, “reset your password” is not enough.

Worse, that limited advice may cause them to be victimized repeatedly.

A good attack will retain access to an online account in a myriad of ways. Almost every product has tricky ways to maintain access that would survive mitigation from a simple password reset.

To really investigate an account takeover, you have to sit with a victim and walk through mitigation, and remember all of these little corner cases that can be tricky to clean up.

In the last six months or so, I’ve kept notes on most online webmails and social media for strange settings that need to be checked. I’ve broken it down here to be agnostic to service so it should be applicable for almost anything.

Start reviewing the account from a secure machine.

For most of these steps, you will want to eliminate malware as a factor. Grab a cheap Chromebook or use a machine that is outside of the current blast radius.

If you want to start by eliminating platform related attacks, you may want to scroll down to “Regressions” and approach this problem from there.

Remove SMS Dependencies.

Phone companies have an atrocious security record around SMS forwarding, porting, and SIM registering. Before going forward, you may want to consider setting up a Google Voice SMS number, or finding a more trusted phone for the victim. This may not be necessary if you can somehow rule out SMS or cellular related attacks.

Reset the password.

This step is complicated if you believe the victim’s webmail is also compromised. If this seems to be the case, you may be better off starting by locking down a victim’s webmail first. Otherwise an attacker is on even footing with you, and will regain access easily.

Enable Multifactor / Two Step / Two Factor / Login Approvals

If you’re comfortable receiving SMS codes for your victim, that will be helpful. Otherwise, OTP based multifactor is always preferred if a victim can manage it.

Inspect Sessions / Destroy Sessions

At this point, and throughout, you should keep an eye on any features this account gives you to observe sessions or changes in progress and make sure no adversary hops into the account while you are mitigating it.

As we run through these backdoor opportunities, an adversary will have a varying ability to get access back, while you are responding. So, depending on your breach, you may want to consider these in an order that reduces that opportunity for the attacker as much as possible.

Remove applications that are unnecessary, suspicious, or unfamiliar.

Nearly every company has an application platform you can authorize external access into an account with.

There are “in the wild” attacks that take advantage of application platforms to retain access to accounts, so these should be inspected on all suspicion of an account takeover.

These are especially nasty because they’re usually buried with lots of legitimate use applications.

You want to work with the victim and eliminate all applications that are not used or look suspicious.

This is usually the most frustrating part of account recovery. With Facebook this can be really hard, since many of these are used for authentication. If the victim is in serious trouble, you can consider working with them to start from scratch and eliminate it all.

Secure any linked accounts or remove maliciously added accounts.

Products like Instagram, Facebook, LinkedIn, etc, have a concept of “Linked Accounts” that will repeat content across services. Quickly check to make sure that any linked accounts are also locked down, or were not placed there intentionally. This may not matter as much depending on the content and whether it’s all public anyway.

Review recovery addresses for attack, or secure any existing accounts.

Many services have some recovery address feature in a not-so-obvious place.

Make sure this wasn’t changed during an attack, it would be a direct backdoor.

Remove unknown phone numbers or vulnerable phone numbers.

If phone numbers are added or modified in an attack, they’re often available for use in password reset processes.

Make sure this wasn’t changed during an attack, it would be a direct backdoor. Phone numbers can often have texts routed through various attacks, so consider eliminating this altogether, even if it is a legit number, just to reduce the unknowns.

Review forwarding and filters that are pushing data externally.

This is a tricky one with some accounts, as people will either have a ton of filters, or none. Some features will allow you to forward an entire account’s email offsite, like this one with Yahoo!

Much less noisy and what I see most often is the use of filters to delete account related email automatically. This could also be used in theory to forward reset emails for others to access, like with the GMail forwarding feature.

Additionally, within GMail, there are several other features to download mail. Any sort of export feature should be sought out and removed from any compromised account.

Remove any “Application Specific Passwords” that will bypass auth.

App specific passwords are generally created when you’ve got to authenticate something that must bypass multifactor auth, or simply can’t prompt the user for a password every time.

This feature is especially damaging in an account takeover scenario, because app specific passwords rarely, if ever, are destroyed in a password reset. This leaves simple access behind for an attacker pretty easily if they’ve created one.

Take a quick peek at any app specific passwords that have been made, since they will bypass a password reset and likely any multifactor protection you have set up as well.

Review devices that might be authenticated to the account.

Sometimes “Devices” might be an important aspect of multifactor or authentication. For instance, you’ll see devices in iCloud that will be a part of authentication. Keep an eye out for any features like this.

Facebook: Make sure “Trusted Contacts” was set up intentionally.

Facebook has a feature to allow you to regain access to your account via trusted friends. If this was not set up by the victim, it would be problematic and allow for future access.

Facebook: Make sure “Legacy Contact” was set up intentionally.

Similarly, in Facebook, you can have an account transition to someone else upon memorialization (if Facebook receives proof that you’ve died).

Make sure this is not set to anything unfamiliar to the victim.

Profile Picture Login

Facebook has a “Profile Picture Login” feature you should make sure is not authorized on any devices that are unknown.

Upon a regression, reconsider the vector.

If a victim is compromised repeatedly after combing through their accounts and removing malicious access, there may be an underlying platform issue to consider.

Extensions

Review extensions in the browser for anything unfamiliar or unused. Keep in mind that seemingly innocuous extensions, intentionally installed by the victim, even if they are tech-saavy, can be bought and sold by miscreants and used for evil.

Host

If the browser is clean, sessions or passwords may be taken from the host itself from a malware issue. Malware cleanup out of scope from this runbook.

Keylogging

If dealing with a hilarious prank, or a physical threat, consider if a keylogger is installed physically on the device.

Network

If there are corporate MITM or other CA’s installed on the victim to perform a MITM attack, consider how they would be exposed.

Unreliable Victim

Is the victim logging into the malware ridden computer in the other room they haven’t told you about? Start over.


@magoo

I write security stuff on medium.