
Account Security

3 automated security scanners


Purpose: The Account Takeover Prevention Scanner is designed to detect potential threats such as credential stuffing, SIM swapping, and MFA bypass attempts by analyzing various aspects of a domain’s infrastructure including DNS records, HTTP headers, TLS/SSL configurations, and network ports. This tool aims to ensure robust security measures are in place to prevent unauthorized access and protect user accounts.

What It Detects:

  • Credential Stuffing Indicators: The scanner checks for the presence of critical HTTP security headers (strict-transport-security, content-security-policy, x-frame-options, and x-content-type-options) to mitigate credential stuffing attacks. Additionally, it identifies outdated TLS protocols and weak cipher suites that could be exploited in such scenarios.
  • SIM Swapping Vulnerabilities: By examining DNS records (TXT, MX, NS, CAA, DMARC) and analyzing HTTP redirects, the scanner identifies weaknesses that might allow unauthorized SIM card changes.
  • MFA Bypass Attempts: Checks that strict-transport-security is present to enforce HTTPS, which is crucial for preventing man-in-the-middle attacks on multi-factor authentication mechanisms. It also validates TLS certificates and cipher suites to ensure secure communication channels.
  • DNS Configuration Weaknesses: The scanner looks for misconfigured SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting & Conformance), and DKIM (DomainKeys Identified Mail) records that could lead to security vulnerabilities. It also checks MX records for proper mail exchange server configuration.
  • Network Port Vulnerabilities: The tool identifies open ports on a domain that might be exploited for unauthorized access and detects services running on specific ports known for their vulnerabilities.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • url (string): URL of the website to scan (e.g., https://acme.com)

Business Impact: The effectiveness of this scanner is critical as it directly impacts the security and integrity of user accounts, potentially preventing significant financial losses and reputational damage associated with data breaches or unauthorized access attempts.

Risk Levels:

  • Critical: Identifies outdated TLS protocols (TLSv1.0, TLSv1.1) and weak cipher suites (RC4, DES, MD5).
  • High: Missing or improperly configured DNS records such as SPF, DMARC, and DKIM that could lead to credential stuffing and phishing attacks.
  • Medium: Inadequate HTTP security headers which might not effectively prevent credential stuffing attempts.
  • Low: Open ports on the domain that are unencrypted or running outdated services known for vulnerabilities.
  • Info: Informational findings such as minor misconfigurations in DNS records, though still important for a comprehensive security audit.

Example Findings:

  1. A domain with TLSv1.0 and RC4 cipher suites identified by the scanner could be vulnerable to critical attacks due to its outdated cryptographic settings.
  2. An improperly configured SPF record might allow malicious actors to spoof emails, leading to credential stuffing or phishing attempts that bypass security measures.
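As an added illustration (not the scanner's own code), the following function applies the risk levels and checks described above to a constructed set of observations; the function signature, the input layout and the list of cleartext services are assumptions.

```python
from dataclasses import dataclass

# Hypothetical re-implementation of the Account Takeover Prevention Scanner's
# risk mapping (not the product's code). The lists follow the page's text.
DEPRECATED_TLS = {"TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "MD5")        # "DES" also catches 3DES suites
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options")
CLEARTEXT_SERVICES = {"ftp", "telnet", "http"}     # assumed set of unencrypted services
SEVERITY_ORDER = ("Info", "Low", "Medium", "High", "Critical")


@dataclass(frozen=True)
class Finding:
    severity: str
    title: str


def assess(tls_versions, cipher_suites, headers, apex_txt, dmarc_txt, ports):
    """Map scan observations to findings at the risk levels listed above.
    headers is the response header dict; apex_txt / dmarc_txt are the TXT
    records at <domain> and _dmarc.<domain>; ports is {port: service}."""
    findings = []
    for proto in sorted(tls_versions & DEPRECATED_TLS):
        findings.append(Finding("Critical", f"outdated protocol {proto} accepted"))
    for suite in cipher_suites:
        if any(tok in suite.upper() for tok in WEAK_CIPHER_TOKENS):
            findings.append(Finding("Critical", f"weak cipher suite {suite}"))
    if not any(r.lower().startswith("v=spf1") for r in apex_txt):
        findings.append(Finding("High", "no SPF record at apex"))
    dmarc = [r.lower() for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(Finding("High", "no DMARC record at _dmarc"))
    elif not any("p=quarantine" in r or "p=reject" in r for r in dmarc):
        findings.append(Finding("Info", "DMARC present but policy is p=none"))
    present = {k.lower() for k in headers}           # header names are case-insensitive
    for name in REQUIRED_HEADERS:
        if name not in present:
            findings.append(Finding("Medium", f"missing {name} header"))
    for port, service in sorted(ports.items()):
        if service.lower() in CLEARTEXT_SERVICES:
            findings.append(Finding("Low", f"unencrypted {service} on port {port}"))
    return findings


def overall_risk(findings):
    """Highest severity among the findings, or 'Info' when nothing was flagged."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index, default="Info")
```

With TLSv1.0 and an RC4 suite in the input, the first two findings are the Critical ones from example finding 1; a DMARC record with p=none surfaces as Info rather than High.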

Purpose: The Insider Trading Detection Scanner is designed to identify trading pattern anomalies and unauthorized information access within a company by analyzing public records, OSINT sources, and job boards. This tool helps in detecting potential insider trading activities that may indicate misuse of non-public information.

What It Detects:

  • Breach Mentions: The scanner identifies mentions of data breaches, security incidents, unauthorized access, or compromised systems. Key patterns include “data breach,” “security incident,” “unauthorized access,” and “compromised.”
  • Tech Stack Disclosure: It detects job postings and other public disclosures that reveal the company’s technology stack, which can be indicative of insider knowledge. Example patterns include mentions of AWS, Azure, GCP, Kubernetes, Terraform, Ansible, Docker, Splunk, Datadog, Elastic, etc.
  • Certification Claims: The scanner looks for claims of certifications that may suggest compliance with security standards. This includes SOC 2, ISO 27001, PCI DSS, and HIPAA compliance.
  • Anomalous Trading Patterns: It analyzes trading data from public sources to identify unusual patterns that may indicate insider trading. These include “unusual trading activity,” “spike in stock prices,” and “large volume transactions.”
  • Information Access Anomalies: The scanner detects mentions of unauthorized access to sensitive information or data leaks, such as “unauthorized access to sensitive information,” “data leak,” and “exposure of confidential data.”

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com) - This is the main website address used for searching for breach disclosure statements, job postings, and other relevant public disclosures.
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”) - This helps in identifying specific company mentions in various public records and online platforms.

Business Impact: Identifying potential insider trading activities is crucial as it can lead to significant financial losses, legal repercussions, and damage to the company’s reputation. It directly impacts the security posture by ensuring that sensitive information remains protected from those who may misuse it for personal gain.

Risk Levels:

  • Critical: Conditions that could lead to immediate regulatory or compliance issues, substantial financial loss, or significant damage to the company’s reputation should be addressed with high urgency.
  • High: Conditions that pose a significant risk but do not immediately threaten legal or compliance issues, such as unauthorized access to sensitive information or data leaks.
  • Medium: Conditions that require attention but are less severe than those classified as high, involving potential risks related to technology stack disclosures or minor anomalies in trading patterns.
  • Low: Informational findings that provide insights into the company’s public presence and may not directly impact security unless they escalate in severity.
  • Info: General information about certifications and tech stack disclosures that do not carry significant risk but contribute to a broader understanding of the company’s digital footprint.

Example Findings: The scanner might flag instances where job postings mention advanced cloud technologies like AWS, Azure, or Google Cloud Platform, indicating potential insider knowledge of these systems which could be indicative of insider trading activity. Additionally, it might detect mentions of security incidents or data breaches that suggest a lack of adequate security measures within the company.


Purpose: The New Account Fraud Scanner is designed to identify synthetic identities, identity theft, and KYC bypass attempts by analyzing various aspects of a domain’s infrastructure, including DNS records, HTTP headers, TLS/SSL configurations, and network ports. This tool aims to detect potential vulnerabilities that could be exploited to create or verify fraudulent accounts without proper authentication.

What It Detects:

  • Synthetic Identity Indicators: Incomplete or inconsistent DNS TXT records, missing or improperly configured DMARC records, and the absence of DKIM records which may indicate issues with email authenticity.
  • Identity Theft Patterns: Outdated TLS versions (TLSv1.0, TLSv1.1), weak cipher suites (RC4, DES, MD5) in SSL/TLS configurations, and unsecured HTTP connections that do not redirect to HTTPS.
  • KYC Bypass Attempts: Inadequate security headers such as missing Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options. Misconfigured DNS records that could suggest domain spoofing or hijacking, and open ports that are not essential for the service, potentially indicating unauthorized access points.
  • Network Vulnerabilities: Unsecured socket connections lacking proper authentication, service fingerprinting vulnerabilities exposing server details, and insecure API endpoints without adequate authentication and authorization mechanisms.
  • Content Analysis: Suspicious redirects to external domains which could be phishing sites or malicious actors’ fronts, and malformations or suspicious content in HTTP responses indicating potential tampering or injection attacks.

Inputs Required:

  • domain (string): The primary domain under investigation, such as acme.com, for comprehensive analysis.
  • url (string): A specific URL within the domain, like https://acme.com/login, which requires detailed examination to identify potential issues.

Business Impact: This scanner is crucial for organizations aiming to prevent fraud and protect their customers’ identities by identifying weak points in the digital infrastructure that could be exploited for identity theft or account takeover. The findings can help implement stronger security measures and enhance overall trustworthiness in online services.

Risk Levels:

  • Critical: Conditions where outdated TLS versions are used, such as TLSv1.0 or TLSv1.1, which are highly vulnerable to attacks.
  • High: Weak cipher suites like RC4, DES, and MD5 that provide inadequate security for data transmission.
  • Medium: Inadequate DNS record configurations, particularly DMARC misconfigurations, which can lead to unauthorized access attempts.
  • Low: Minor issues such as a missing Content-Security-Policy header, though this is still a significant concern as it affects the web application’s security posture.
  • Info: Informational findings about potentially malicious redirects or suspicious content in HTTP responses, which may require further investigation to confirm potential threats.

Note: Risk levels are inferred based on the severity of vulnerabilities and their potential impact on security.

Example Findings: The scanner might flag a domain with outdated TLS 1.0 for critical risk due to its extreme vulnerability, or identify weak cipher suites in SSL/TLS configurations as high-risk issues that need immediate attention to prevent data breaches.