Account Aggregation
Account aggregation is the compilation of multiple accounts into a single intermediary system. It can be carried out by one user merging information from several applications, or by a service that combines the data of many users of a single system.
Aggregation can be carried out with completely legitimate intent and is often used to simplify how the consumers access the information in question, whether that be aggregated social media, email or bank accounts.
A bank may offer to import information from other financial applications. As with other aggregated services, the individual accounts are not viewed in isolation; they are presented as one combined view that links all associated logins together. An attacker who gains access to any one of these accounts, or to the aggregator itself, therefore gains access to all of the aggregated information: the aggregator becomes a single point of compromise for every account it links.
Threat actors target a wide range of sectors, including financial services, entertainment, government, retail and technology, to access and misuse account holders' credentials, payment details and medical information.
Financial services are particularly susceptible to account aggregation attacks, with attackers commonly targeting financial advisors, wealth managers and investors for their unique access to customers’ login credentials, monetary and banking data. When aggregated, this exposed information can pose a significant threat to the targeted organization and its customers.
How account aggregation works
Aggregated data is often accessed through the use of a compromised account.
An attacker sets up an aggregator, or aggregation server, configured to work with clients on different sites (e.g., social media apps). The attacker then adds the victim's email account to it, using credentials obtained earlier, which gives them access to all emails sent and received by both personal and company accounts from one location.
The attacker can now send messages that appear to come from any number of other accounts, such as the victim's own, customer service personnel or IT support staff within the organization. This enables attackers to provide false updates on behalf of legitimate users, trick recipients into revealing sensitive information via phishing pages, or infect devices with malware by sending links to malicious sites.
This type of attack is often used against business email accounts, which are typically the most common accounts on a company network and have access to sensitive information about employees or clients that is valuable to attackers. It can also give attackers a foothold into other enterprise systems, such as servers holding personal data.
The attacker then uses this aggregated view of the organization's activity to execute targeted phishing attacks. Posing as somebody within the organization, such as an IT support person or a customer service agent, even one the target knows only from earlier social media interactions, they send specially crafted messages designed to convince recipients to click a link tied to one specific task, such as resetting a password, or to install malicious software.
The attack can be very effective because the attacker knows exactly what to say and whom to say it to, so the targeted individual is unlikely to ask for verification before clicking the provided link.
Such an attack often looks like an email from a colleague who is out sick and urgently needs you to access their account to update something related to their absence, such as doctor's appointments. The same scheme has been used against high-value targets such as celebrities, with emails purporting to come from assistants, managers or even other celebrities and asking for login information to prove authenticity. The attackers then use the breached data to obtain further credentials inside the company and eventually to steal money.
Account aggregation attack example
The attacker obtains credentials from a first victim and uses them to log into another service, which they then exploit for further data theft (e.g., sending emails that appear to come from somebody within the organization). This is possible because the accounts have been merged, or the victim's personal details have been aggregated across several services by their own activity. The attacker can now access all of this person's contacts, calendars, email history and so on. In short, account aggregation gives an attacker the material to launch a convincing phishing campaign or other follow-on attacks.
Who is at most risk of an account aggregation attack?
Account aggregation attacks are typically carried out with the intent of identifying valid accounts that can be exploited. Organizations, companies and individuals who use many online services are most at risk of this type of attack.
Account holders who bank internationally should also stay cautious, as fraudsters may use aggregated financial data to move funds between the different banks at which the victim holds accounts.
How to prevent account aggregation
If you are a company or individual whose information is likely already aggregated through other means, make sure your employees know what phishing looks like when it arrives by email. Treat any unsolicited offer with caution, especially over email or social media, and verify unexpected requests for credentials or password resets through a separate channel (a phone call or a known-good internal ticket) before acting on them.
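The impersonation pattern described above (a message whose display name is an internal colleague or "IT Support" while the address is external, a lookalike domain, or a Reply-To pointing somewhere else) can be flagged mechanically before it reaches an inbox. The following is an added example written for this page, not code from the original text or from any product it describes. The staff directory, the internal domain and the two sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed directory for the example: the organization's own domain(s) and
# the lower-cased display names of staff that attackers would impersonate.
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_STAFF = {"it support", "dana reyes"}


def _domain(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if the domain is within one edit of an internal domain but is not one."""
    return any(domain != d and _edit_distance(domain, d) <= 1 for d in INTERNAL_DOMAINS)


def analyze_message(raw_message):
    """Return the list of impersonation indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    flags = []

    # Internal name on the envelope, but the mail did not come from an internal domain.
    normalized_name = " ".join(display_name.lower().split())
    if normalized_name in INTERNAL_STAFF and sender_domain not in INTERNAL_DOMAINS:
        flags.append("display-name-impersonation")

    # examp1e.com, exarnple.com and similar typosquats of our own domain.
    if is_lookalike(sender_domain):
        flags.append("lookalike-domain")

    # Replies silently routed to a mailbox the attacker controls.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        flags.append("reply-to-mismatch")

    return flags


# Constructed samples: a credential-harvesting mail and a legitimate one.
PHISHING_SAMPLE = """\
From: IT Support <helpdesk@examp1e.com>
Reply-To: helpdesk-reset@mailbox.test
To: staff@example.com
Subject: Urgent: password reset required

Your password expires today. Reset it at http://examp1e.com/reset
"""

LEGITIMATE_SAMPLE = """\
From: IT Support <helpdesk@example.com>
To: staff@example.com
Subject: Scheduled maintenance on Saturday

The VPN will be unavailable from 02:00 to 04:00.
"""

if __name__ == "__main__":
    print("phishing:", analyze_message(PHISHING_SAMPLE))
    print("legitimate:", analyze_message(LEGITIMATE_SAMPLE))
```

These header checks complement, rather than replace, SPF, DKIM and DMARC alignment at the mail gateway: a lookalike domain the attacker registered will often pass all three, which is exactly why the display-name and Reply-To comparisons against a current staff directory are worth running as well.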
How to protect yourself against account aggregation attacks
Implementing application programming interfaces (APIs) that are dedicated to approved aggregators, and appropriately secured, ensures that legitimate account aggregation activity is protected against automated threats. In practice this means aggregators authenticate to the API as registered clients and receive scoped, revocable access tokens instead of holding the customer's own username and password, so a compromised aggregator exposes only the data it was granted and can be cut off without forcing a password change.
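The following is an added example of that control, written for this page rather than taken from it or from any bank's or aggregator's code. It models the data-holder side of a dedicated aggregator API: only allow-listed aggregators can obtain tokens, a token never carries more scope than the aggregator is approved for and never a payment scope, it is bound to the aggregator it was issued to, it expires and can be revoked, and calls are rate limited. The aggregator IDs, scope names, limits and the in-memory token store are assumptions made for the example; a production deployment would put the same rules behind an OAuth 2.0 authorization server with persistent storage.

```python
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed allow-list: approved aggregator client IDs and the maximum
# scopes each may ever request. Note there is no payment or transfer scope.
APPROVED_AGGREGATORS = {
    "agg-budgetapp": frozenset({"read:balances", "read:transactions"}),
}
TOKEN_LIFETIME_SECONDS = 3600   # assumption: one-hour tokens, refreshed by re-consent
RATE_LIMIT = 5                  # assumption: authorized calls per client per window
RATE_WINDOW_SECONDS = 60


@dataclass
class AccessToken:
    client_id: str      # aggregator the token is bound to
    user_id: str        # customer who consented to the sharing
    scopes: frozenset   # what the aggregator may read, nothing more
    expires_at: float
    revoked: bool = False


class AggregatorGateway:
    """Issues scoped, revocable tokens to approved aggregators so they never
    need, and never hold, the customer's own banking password."""

    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable for deterministic tests
        self.tokens = {}                        # opaque token id -> AccessToken
        self.recent_calls = defaultdict(deque)  # client_id -> timestamps of allowed calls

    def issue_token(self, client_id, user_id, requested_scopes):
        """Grant a token to an approved aggregator, capped at its approved scopes."""
        allowed = APPROVED_AGGREGATORS.get(client_id)
        if allowed is None:
            raise PermissionError(f"{client_id} is not an approved aggregator")
        scopes = frozenset(requested_scopes)
        if not scopes <= allowed:
            raise PermissionError(f"scopes {sorted(scopes - allowed)} not approved for {client_id}")
        token_id = secrets.token_urlsafe(32)    # opaque, unguessable, stored server-side
        self.tokens[token_id] = AccessToken(
            client_id, user_id, scopes, self.clock() + TOKEN_LIFETIME_SECONDS
        )
        return token_id

    def revoke(self, token_id):
        """Cut off one token, e.g. when the aggregator reports a breach."""
        token = self.tokens.get(token_id)
        if token is not None:
            token.revoked = True

    def revoke_all_for_user(self, user_id):
        """Let a customer withdraw consent from every aggregator at once."""
        for token in self.tokens.values():
            if token.user_id == user_id:
                token.revoked = True

    def authorize(self, token_id, client_id, scope):
        """Decide whether one API call may proceed. Returns True or False."""
        token = self.tokens.get(token_id)
        now = self.clock()
        if token is None or token.revoked or now >= token.expires_at:
            return False
        if token.client_id != client_id:    # token replayed by a different client
            return False
        if scope not in token.scopes:       # scope was never granted
            return False
        calls = self.recent_calls[client_id]
        while calls and calls[0] <= now - RATE_WINDOW_SECONDS:
            calls.popleft()                 # drop calls outside the sliding window
        if len(calls) >= RATE_LIMIT:
            return False                    # automated scraping beyond the agreed rate
        calls.append(now)
        return True


if __name__ == "__main__":
    gateway = AggregatorGateway()
    token = gateway.issue_token("agg-budgetapp", "user-42", ["read:balances"])
    print("read balances:", gateway.authorize(token, "agg-budgetapp", "read:balances"))
    print("transfer money:", gateway.authorize(token, "agg-budgetapp", "write:transfer"))
    gateway.revoke(token)
    print("after revocation:", gateway.authorize(token, "agg-budgetapp", "read:balances"))
```

The property worth noticing is the blast radius. If the aggregator in this model is breached, the attacker gets read access to the balances of consenting customers until the tokens are revoked or expire; with password-based aggregation, the same breach yields working online-banking logins for every linked customer, including the ability to move money.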