The Way I Handled an Account Takeover

  • Writer: Ray Alner
  • Sep 10

I was recently contacted by a client who was in the midst of an account takeover. They had noticed suspicious activity on an e-commerce site: purchases they didn’t make, refunds they hadn’t requested, emails that didn’t make sense, and Xbox games they hadn’t bought.

Someone was in their accounts.

Questions

When approaching these situations I work through a Contain → Investigate → Remediate → Monitor loop for an active breach (the defender’s counterpart to the attacker’s kill chain). I’m sure there are other ways, and it doesn’t have to be followed religiously, but for me it lays out a framework for a person going through a really negative experience.

So we got started. I asked them the typical questions I use in these situations, so I could identify the root cause, fix it and remove any persistent access:

  • Do you use the same password or password variations for these accounts?

  • Do you have MFA on these accounts?

  • Do you have Microsoft Defender or anti-virus installed on your computer?

  • Did you change your passwords after you noticed it may have been breached?

  • Have you noticed anything after the password was changed and you used that system?

  • Do you use a password manager?

  • Do you use that computer to manage banking items?

  • Did you use a different computer to log into these accounts?

These, among other questions, let me get a baseline, identify what’s going on and work out what steps I need to take to resolve the issue.

To me it sounded like a password breach: reused passwords, or malware on the system. These are the most common causes I see behind multi-account breaches like this.

An argument I’ve heard about password reuse from some people in casual conversation is that they use “a super secure” password on all their “super secure” things, like banks, e-commerce sites and 401k accounts. That has got to be the poorest excuse for password management I’ve ever heard. Bad actors know this, and it’s the first thing they try. They get hold of credentials from a tertiary site, something that holds nothing of value on its own, then use credential stuffing, replaying that password (and common variations of it) against every other service they can think of. Don’t. Do. It!!

I searched the email address on https://haveibeenpwned.com/ and found that it had in fact appeared in many breaches, so more likely than not the password was a variation of one that had already been exposed.
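
Have I Been Pwned also offers a Pwned Passwords service that lets you check a password itself without ever sending it: the client SHA-1 hashes the password and sends only the first five hex characters of the hash, the service returns every known suffix for that prefix, and the comparison happens locally (k-anonymity). The script below is an added example, not the author’s tooling. The range response embedded in it is a constructed sample with only a handful of suffixes and illustrative counts, and the fetch_range helper is the one optional network call.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response for prefix 5BAA6.
# A real response lists hundreds of suffixes; only a handful are shown, and
# the counts are illustrative, not current HIBP numbers.
SAMPLE_RANGE_RESPONSE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E6D4F0C5A2B7F0A8E7D6C5B4A392817160:0\r\n"
)


def split_password_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; return the 5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF) into {suffix: count}. Padded entries carry count 0."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup against api.pwnedpasswords.com; only the 5-char prefix leaves the machine.
    Add-Padding asks the service to pad the response so its size doesn't leak which prefix was queried."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password has appeared in known breaches (0 if never seen)."""
    prefix, suffix = split_password_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demo against the constructed sample; pass fetch=fetch_range for a live check.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    for pw in ("password", "correct horse battery staple 9x!"):
        print(f"{pw!r}: seen {breach_count(pw, fetch=offline)} times (sample data)")
```

The point of the split is that the service never learns the full hash, let alone the password; it only learns that you asked about one of the roughly sixteen million passwords sharing that five-character prefix.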

A better approach I’ve found is a password manager with dark web monitoring. I like 1Password’s monitoring because it identifies the specific accounts, lets you know if an account has been part of a breach, and flags when the password hasn’t been changed since the breach was announced. Many other password managers now have this feature, but I’ve only used 1Password, and it definitely helps show why password management is so important.

Contain

So we got started. I told the individual not to use the laptop, just in case there was malware on the device, and to use another device, like a phone or a second computer, instead. It’s not sure-fire, but it is one of the easiest ways to get some protection against malware while you work.

I scanned the replacement device with Windows Defender to make sure it was clean, and then we got started.

We wanted to make sure no further access was happening, so we went ahead and changed the passwords and enabled 2FA on the user’s M365 and e-commerce accounts. I only focused on those because they were the only sites with indicators of compromise. Don’t worry, I always hand out homework when I’m approached about these events, and one item on the list is to change all reused passwords and, best case, rotate all passwords (although that’s easier said than done). At minimum I focus on the important ones: bank accounts, credit cards, payment services and the like.

One thing that helps during a breach is to tag a password as “high” or “important”. That way, if another breach happens, you can search for that tag and rotate all the high-priority passwords quickly without guessing. It’s a quick and easy way to “manage your assets” during a cybersecurity incident.

Contain done. All I was really interested in at this stage was protecting the current assets and removing the attacker’s ongoing access.

Investigate

Moving on to investigate, the question is how they got in. In this case I was fairly sure the method was password reuse or malware, so we dug further.

On the M365 service I was able to check previous logins, and I did see some unusual activity. The bad actor appeared to be using a VPN: the handful of logins came from a few locations scattered across the US, at unusual times like 3 AM. That was a telltale sign of a bad actor on the M365 account. It also led me to believe it was a password breach rather than a device breach; if the laptop itself had been compromised, I would expect the odd-hour activity to show up from the victim’s own device rather than from a string of unfamiliar locations, although that isn’t a sure-fire indicator either.
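
The pattern described above (a handful of sign-ins scattered across the country at 3 AM) is exactly what a simple check over an exported sign-in log will surface. The script below is an added example, not something from the original post. It runs over a constructed sample in the rough shape of an Entra ID sign-in export (the field names, coordinates and IP addresses are made up), flags sign-ins that fall in the account owner’s sleeping hours, and flags consecutive sign-ins whose implied travel speed is physically impossible. The owner’s UTC offset, the quiet-hours window and the 900 km/h threshold are assumptions to tune per case.

```python
import json
import math
from datetime import datetime

# Constructed sample sign-in records (one JSON object per line), trimmed to the
# fields the check needs. The owner lives in Denver (UTC-6 in August); the two
# middle records are the ones an attacker on a VPN would produce.
SAMPLE_SIGNINS = """
{"createdDateTime":"2025-08-20T14:05:00Z","ipAddress":"203.0.113.10","city":"Denver","lat":39.74,"lon":-104.99,"status":"success"}
{"createdDateTime":"2025-08-21T07:58:00Z","ipAddress":"198.51.100.23","city":"Miami","lat":25.76,"lon":-80.19,"status":"success"}
{"createdDateTime":"2025-08-21T08:31:00Z","ipAddress":"198.51.100.77","city":"Seattle","lat":47.61,"lon":-122.33,"status":"success"}
{"createdDateTime":"2025-08-21T13:40:00Z","ipAddress":"203.0.113.10","city":"Denver","lat":39.74,"lon":-104.99,"status":"success"}
"""


def parse_signins(text: str) -> list[dict]:
    """Parse one JSON record per line and return them sorted by timestamp."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for rec in records:
        # fromisoformat() accepts '+00:00' on every supported Python; 'Z' only on 3.11+.
        rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
    return sorted(records, key=lambda r: r["ts"])


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def flag_signins(records: list[dict], utc_offset_hours: int = -6,
                 quiet_hours: range = range(0, 6), max_speed_kmh: float = 900.0) -> list[dict]:
    """Return the sign-ins that are odd-hour for the owner or imply impossible travel
    from the previous sign-in. Thresholds are assumptions, not vendor defaults."""
    flagged = []
    prev = None
    for rec in records:
        reasons = []
        local_hour = (rec["ts"].hour + utc_offset_hours) % 24
        if local_hour in quiet_hours:
            reasons.append("odd-hour")
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
            # Floor the gap at one minute so two sign-ins in the same second still get a finite speed.
            hours = max((rec["ts"] - prev["ts"]).total_seconds() / 3600, 1 / 60)
            if km / hours > max_speed_kmh:
                reasons.append("impossible-travel")
        if reasons:
            flagged.append({"time": rec["createdDateTime"], "ip": rec["ipAddress"],
                            "city": rec["city"], "reasons": reasons})
        prev = rec
    return flagged


if __name__ == "__main__":
    for hit in flag_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f"{hit['time']} {hit['ip']:<14} {hit['city']:<8} {', '.join(hit['reasons'])}")
```

Either signal alone is noisy (shift workers, travel, mobile carrier geolocation), but the combination of a quiet-hours login and a Miami-to-Seattle hop in half an hour is the kind of thing that should prompt a look at the rest of the account.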

Next I checked the e-commerce site. It had no login history or device list to review, so I had to change the password and leave it at that.

Remediation… Side Note

A side note before diving into remediation. It’s interesting: a discussion I’ve had with some people about managing a cybersecurity event for individuals is, why should I pay for cybersecurity remediation services? Why not just buy a new device? A new laptop is like $400-$600. My services are cheaper than many but not inexpensive. That’s a real cost they are weighing, and I get it.

I always say that if the breach was contained to the device, and I can tell that from an indicator of compromise, I’d recommend resetting the PC; that is the cheapest and easiest part of the job. But with most of these breaches it’s poor cybersecurity hygiene, or simply being unaware of security features that should have been enabled, that let the breach happen, and educating the person and resolving that is 90% of the work.

We live in a hugely interconnected world, and with so much of our lives living in the cloud, “it’s only a device breach” isn’t really an approach cybersecurity practitioners can take.

Remediate

In this case I was able to do much of the containment and remediation at the same time: checking the login history, changing passwords, and enabling MFA on the accounts. Two more things are worth checking at this point in any account takeover: sign out of all active sessions, since a password change on its own does not always invalidate tokens that were issued before it, and review the mailbox for inbox rules or forwarding settings the attacker may have left behind.

Next I checked the computer. Even though I was fairly sure the device itself hadn’t been breached, since I’d found VPN logins at random times, I still thought I’d check it out.

I ran a Windows Defender quick scan and an offline scan and found nothing on the device. I also ran a Malwarebytes scan, just to get a second opinion from a different engine. I’m sure there are better tools out there for malware scans, but the market is wide, so I just picked another well-known one and went with it. Without getting into the weeds, the major products all advertise detection rates in the high nineties, and most of that detection comes from some mix of signatures, behavioural heuristics and shared threat-intelligence feeds, at least in my surface-level understanding of threat intelligence. Either way, the second scan completed.

Didn’t find anything on the device.

Passwords changed on the breached sites, and the system scanned for malware. Remediation complete.

Monitor

After that I asked them to monitor their accounts for any other suspicious activity, although I was fairly confident we had removed access to the accounts that showed the main indicators of compromise, so this stage was complete. I always try to follow up in a week or two to see how things are going, just in case there is something else to look at.

Root Cause Analysis

A bad actor used credential stuffing, replaying a password leaked in an earlier breach, to get into both the victim’s e-commerce and email accounts. Because MFA was not enabled on either, they could walk straight in without confirming a second factor. The bad actor then set up inbox rules in M365 to remove the incriminating emails, and given the way some people run their inbox at 10,000 unread messages, some victims may never notice they were breached at all.

Then the bad actor made unauthorized changes on the e-commerce site, returning items the victim had purchased by claiming they were not delivered or not received, and having the refund issued to a gift card they could use for other items. It was confusing why they would return items only to purchase more with the gift card and ship them to the victim’s address. Perhaps it was a brushing scam, where someone returns legitimate products and buys products the bad actor is trying to promote, then writes reviews from the breached account. That’s the only thing I can think of.

On the Microsoft account, the bad actor was able to purchase a game as a gift using the victim’s account and send it to an email address they controlled. They also added themselves to the family account in an attempt to maintain persistence, but the way Microsoft sets up family accounts, it doesn’t look like they got very far: there aren’t many ways (at least that I found) for a family member to access details of the owner account, including credit card details and shared files, unless the bad actor had managed to add themselves to the main account holder’s OneDrive, and I saw no evidence of that.

The unfortunate part is that when we reported the recipient account to Microsoft, they said they could not shut it down or classify it as fraudulent because the account wasn’t verified. I don’t understand how unverified accounts can accept gifts at all. It seems like such a simple way to reduce fraud, but what do I know…

What I think was happening in this case is that the game was purchased onto an account, and the account was then sold with the game attached, so the bad actor was acting as a broker, making money on the sale of an account that came with the game.

They also set up a rule to auto-delete, or forward and then delete, the notifications about changes made to the account, so once the victim regained access, or even started noticing the oddities, they wouldn’t see anything in their inbox, because the rule had already deleted the incriminating emails.
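
The inbox rules mentioned above are one of the most reliable artifacts an account takeover leaves behind, and they survive a password change unless someone removes them. The script below is an added example, not part of the original post: it scores a mailbox’s rules (in practice exported with Exchange Online PowerShell’s Get-InboxRule or read out of Outlook’s rule settings) and flags the combinations an attacker typically uses, a delete-everything-about-orders rule with a blank name, or forward-then-delete to an outside address. The rules in it are constructed samples, and the scoring weights, keyword list and internal domain are assumptions to adjust for the mailbox in front of you.

```python
import json

# Constructed sample rules in the shape of a Get-InboxRule export (not rules from
# the incident). The first and third are the kind an attacker creates; the second
# and fourth are ordinary owner rules that should not be flagged.
SAMPLE_RULES = json.dumps([
    {"Name": ".", "Enabled": True, "DeleteMessage": True, "MarkAsRead": True,
     "MoveToFolder": None, "ForwardTo": [],
     "SubjectOrBodyContainsWords": ["order", "refund", "gift card", "security alert"]},
    {"Name": "Newsletters", "Enabled": True, "DeleteMessage": False, "MarkAsRead": False,
     "MoveToFolder": "Newsletters", "ForwardTo": [],
     "SubjectOrBodyContainsWords": ["unsubscribe"]},
    {"Name": "fwd", "Enabled": True, "DeleteMessage": True, "MarkAsRead": False,
     "MoveToFolder": None, "ForwardTo": ["ops-mail@attacker.invalid"],
     "SubjectOrBodyContainsWords": []},
    {"Name": "Receipts", "Enabled": True, "DeleteMessage": False, "MarkAsRead": False,
     "MoveToFolder": "Receipts", "ForwardTo": ["me@example.com"],
     "SubjectOrBodyContainsWords": ["receipt"]},
])

# Assumed tunables: the owner's own domain(s), folders attackers use to hide mail
# from the owner, and words that match the notifications an attacker wants suppressed.
INTERNAL_DOMAINS = ("example.com",)
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history", "archive",
                  "junk email", "deleted items")
SUSPICIOUS_KEYWORDS = ("order", "refund", "gift", "password", "security", "verify",
                       "sign-in", "delivery", "invoice")
FLAG_THRESHOLD = 4


def is_external(address: str) -> bool:
    """True if the address is outside the owner's own domain(s)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def score_rule(rule: dict) -> tuple[int, list[str]]:
    """Return a suspicion score and the reasons behind it for one inbox rule."""
    score, reasons = 0, []
    name = rule.get("Name") or ""
    if len(name.strip(" .,-_")) <= 1:
        score += 2
        reasons.append("blank or single-character rule name")
    if rule.get("DeleteMessage"):
        score += 3
        reasons.append("deletes matching mail")
    external = [a for a in rule.get("ForwardTo") or [] if is_external(a)]
    if external:
        score += 4
        reasons.append(f"forwards to external address {external}")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves mail to rarely viewed folder {folder!r}")
    words = [w.lower() for w in rule.get("SubjectOrBodyContainsWords") or []]
    hits = [w for w in words if any(k in w for k in SUSPICIOUS_KEYWORDS)]
    if hits:
        score += 2
        reasons.append(f"matches account or purchase notifications {hits}")
    if rule.get("MarkAsRead"):
        score += 1
        reasons.append("marks mail as read")
    return score, reasons


def triage_inbox_rules(rules_json: str) -> list[dict]:
    """Return the enabled rules at or above FLAG_THRESHOLD, highest score first."""
    flagged = []
    for rule in json.loads(rules_json):
        if not rule.get("Enabled", True):
            continue
        score, reasons = score_rule(rule)
        if score >= FLAG_THRESHOLD:
            flagged.append({"name": rule.get("Name"), "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage_inbox_rules(SAMPLE_RULES):
        print(f"[{hit['score']}] rule {hit['name']!r}: " + "; ".join(hit["reasons"]))
```

Deleting a flagged rule is only half the cleanup: also check the mailbox-level forwarding setting and any connected apps, since those provide the same persistence without showing up in the rules list.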

What Can You Take Away from This?

So what can you do to make sure you’re not the next victim of these types of account takeovers?

Enable MFA/Passkeys

Always make sure MFA or passkeys are enabled on all accounts. Tell your mama, tell your granpap, tell your gigi, help them enable it on their accounts, and make sure it’s enabled on yours too. Not sure which of your accounts offer MFA or passkeys? 1Password has a neat feature that shows which accounts support MFA that you haven’t enabled yet.

If you don’t have 1Password, this open-source site is a decent place to find MFA setup instructions you can point your friends or family to for many of the most popular sites.

Use Unique Passwords

Don’t ever be lulled into the idea that “my account isn’t worth it”. It is. That old adage, “You don't have to outrun the bear, you just have to outrun the person next to you”, is very accurate for cybersecurity breaches. Don’t make it easy for a bad actor; most of the time they are just checking the doors to see which one was left unlocked.

Use a Password Manager

I know password managers can have a bit of a learning curve. Unfortunately, modern cybersecurity practice has settled on them as one of the better ways to manage the billions of accounts we are all asked to create. Either way, once you are past the learning curve, using a password manager is one of the best ways to keep up good cybersecurity hygiene.

While most browsers already have a built-in password saver, their track record on securing that information is mixed at best. They are getting better, but depending on how a given browser stores and protects saved passwords, you can end up less secure than you would expect, so a dedicated manager is still my recommendation.

Good password managers usually have:

  • Password Hygiene Dashboard - Many password managers have a dashboard with dark web monitoring (alerts on password breaches), accounts where MFA is available but not enabled, reused or weak passwords, and other things you can do to improve your security. Taking these recommendations to heart will definitely improve your security posture.

  • MFA & Passkey Management - Many password managers let you store passkeys or MFA codes directly in the manager. Yes, this weakens the “multi” in multi-factor, because a compromise of the vault now gives up both factors at once, and for many people convenience wins. It still protects you against the attack in this story, a stuffed password from an old breach, since the attacker never sees the second factor; just treat the vault’s own master password and MFA as your highest-risk account.

  • Random Password Generation - Always use a randomly generated password! If you need one you can remember, use a passphrase instead. If you want to learn more about why, you can read about it here. Either way, always make them unique.

  • Auto-Fill - Letting the manager fill passwords into sites without much interaction can make logging in a breeze. You do have to be careful with this feature, though: a recently reported “polymorphic” browser-extension vulnerability affecting autofill is one that some password managers don’t want to fix, so turn off fully automatic fill-on-page-load and require a click before the manager fills anything.

  • Good Track Record - This one is a bit stickier, but some password managers (I’m looking at you, LastPass) have a checkered history of poor security practices and poor breach management. In the interconnected world we live in, breaches are to be expected, but the way a company handles a breach is where you can really tell what it is made of.

Label High Risk Accounts

This is based on some learning from asset management work I’ve done: labeling high-risk accounts makes it easier to rotate their passwords quickly in the event of a breach. Most password managers let you add tags to entries. Tagging the important ones means you can find and rotate them fast if a system breach, or a breach of the password manager itself, ever happens.

Thats It!

Yes, quite the list, but just remember that cybersecurity is a journey, not a destination. You don’t have to sit down and do it all in one sitting; even getting MFA on your accounts will make you that much more secure.

If you want to add to the list, leave a comment! There’s always new things that should be looked at or reviewed, and learning based on other people’s experience is the way we all get more secure.
