Account pre-hijacking – the latest online security threat facing users and platform owners

by Jones David

Account pre-hijacking is similar to other types of hijacking in that the criminal attempts to gain access to an account that is not their own. The difference is that the attacker creates the account at the target website in the victim’s name before the victim signs up themselves. For example, the hacker would take someone’s email address without their knowledge and use it to open a Facebook account.

According to new research from Microsoft on pre-hijacking attacks, these attacks are on the rise across many websites. Added to the already extensive list of methods for breaching online security, this makes the situation look quite bad: hackers have now employed a variety of new tactics to carry out their nefarious activities.

The owner of the email address might later try to open a Facebook account, only to find that their address has already been used. They would then proceed to open or recover the account linked to their address, at which point the hacker would use various methods to regain access to it.

The researchers identified five different methods of pre-hijacking attack. Vulnerability to these attacks is on the rise, and many websites and users are at risk from them. Microsoft has published the results of the study in the hope that it will raise awareness of evolving threats and prompt sites to take action.

Pre-hijacking attempts are all similar in that the attacker carries out an action before the victim opens an account on a given platform. The victim then takes over the account and begins to use it, often adding information such as ID, address, password hints, and even payment details. At a later stage, the hacker regains access to the account, and with it all the information within.

But as mentioned, there are five distinct types of attack. Here are explanations of the most common.

The Classic-Federated Merge

In this kind of attack, the criminal uses the victim’s email address to open an account with a classic username-and-password signup. When the victim later creates their own account, for example by signing in through a federated identity provider such as a Google or Facebook login, the platform will often merge the two together, giving the attacker access. This means they can view payment information, change passwords, or carry out a variety of other actions to the detriment of the user.

Unexpired Session Identifier Attack

This kind of attack exploits sessions that remain signed in after the account holder changes the password. The criminal or nefarious actor opens an account using the victim’s personal information and then keeps a session open. Once the victim has recovered the account, the hacker will still have access to it. This only works where the victim does not log all devices out of the platform after resetting the password. Some sites, including Netflix, will ask users whether they want to log out from all devices when changing the password.

Unexpired Email Change Attack

This attack is timed around the user’s password reset. The hacker opens an account using the future owner’s email address, then requests a change of the account’s email address to one they control, which triggers a verification link to the criminal’s own address. Instead of clicking it immediately, they wait for the real owner to recover the account before clicking the link. This completes the email change in the hacker’s favor, removing all control from the real owner.
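The two attacks above share one root cause: account recovery that resets the password but leaves earlier state alive. The following model, added here as an illustration and not taken from the Microsoft research or any real platform, shows the fix the text implies: a password reset that also ends every existing session and voids any half-finished email change. The class and method names are invented for this example, and `invalidate_on_recovery=False` reproduces the weak behaviour for comparison.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    password: str  # plaintext only in this model; a real service stores a hash
    sessions: set = field(default_factory=set)  # live session tokens
    pending_email: dict = field(default_factory=dict)  # change token -> new address


class AccountService:
    def __init__(self, invalidate_on_recovery=True):
        # False reproduces the weak behaviour described above; True is the fix.
        self.invalidate_on_recovery = invalidate_on_recovery
        self.accounts = {}  # email -> Account

    def signup(self, email, password):
        self.accounts[email] = Account(password)
        return self.login(email, password)

    def login(self, email, password):
        acct = self.accounts[email]
        if acct.password != password:
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(16)
        acct.sessions.add(token)
        return token

    def request_email_change(self, email, token, new_email):
        acct = self.accounts[email]
        if token not in acct.sessions:
            raise PermissionError("not signed in")
        change_token = secrets.token_urlsafe(16)  # would be mailed to new_email
        acct.pending_email[change_token] = new_email
        return change_token

    def confirm_email_change(self, email, change_token):
        new_email = self.accounts[email].pending_email.pop(change_token, None)
        if new_email is None:
            return False  # unknown, already used, or voided token
        self.accounts[new_email] = self.accounts.pop(email)
        return True

    def recover_account(self, email, new_password):
        acct = self.accounts[email]  # reset link arrives in the owner's mailbox
        acct.password = new_password
        if self.invalidate_on_recovery:
            acct.sessions.clear()  # ends any session opened before recovery
            acct.pending_email.clear()  # voids any half-finished email change
        return self.login(email, new_password)
```

With the hardened setting, a session opened before recovery is rejected afterwards and a pending email-change token no longer confirms; with the weak setting both remain usable, which is exactly the gap the two attacks rely on.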

Other common types identified include the non-verifying identity provider (IdP) attack and the trojan identifier attack.

Other attack methods

This new kind of threat adds to the established threat posed by regular account takeover methods. Five different methods are typically identified, each with different aims and outcomes. Account pre-hijacking is considered an opportunistic type of attempt, according to the guide from Seon, which provides in-depth information on the different kinds of takeover fraud.

An opportunistic attack is one where a criminal happens across someone’s account details. This could be because they were exposed in a breach somewhere online, are easy to guess, are cracked by brute force, or were obtained via a keylogger. Essentially, the hacker has the opportunity to get hold of account details and then seizes the account.

Other types include bought credentials, credential stuffing, exploiting security vulnerabilities, and targeted attacks.

Protect yourself

So how can you and any other users protect yourselves from various kinds of account takeover attacks? Here are just a few tips.

  1. Use a strong password. Too many of us secure accounts with easy-to-guess passwords such as ‘123456’, our names, or even ‘password’. These leave users wide open to fraud. It is best to use a password generator that creates a strong, completely unique password, making a hacker’s job much harder.
  2. Don’t reuse passwords. Never use the same password for more than one site, and be sure to change them regularly. If you use the same password everywhere, you risk a hacker being able to access multiple accounts. Also consider using different email addresses for certain accounts.
  3. Always log out. Be sure to log out of a session when you are done, as leaving it open can expose you to certain vulnerabilities. Also take care to periodically check which devices are logged into your accounts and remove any that are suspicious or that you do not recognize.

In conclusion, there are many risks out there for users of the internet and the platforms that serve them. One of the main ones is account takeovers in their various forms. This is particularly risky as it can happen in a second without anyone being any the wiser until it is too late. For this reason, as Forbes notes, it is necessary to take all the possible steps to protect yourself and your users from actions by nefarious actors and criminals. Failure to do so can result in devastating consequences for all involved and serious damage to the reputation of platform owners.

When it comes to security and fighting hackers, always be aware and prepared.
