Cybercriminals and Black-hat Hackers are using a new technique called the account “Pre-hijacking”

Introduction

The monumental growth of the internet and online services is opening doors for new threats and cyber attacks. Malicious actors try a range of techniques to gain unauthorized access to user accounts. According to a Kaspersky report, account takeover incidents increased by 20 per cent from 2019 to 2021.

Another report claims that illicit harvesting of Personally Identifiable Information (PII) for account hijacking rose nearly 7 percentage points, from 39.7 per cent in 2021 to 46.6 per cent in 2022. Worse still is the account pre-hijacking attack that has recently surfaced in the cybersecurity community. If you want to know more about account pre-hijacking techniques and how to stay ahead of such threats, this article is for you.

What is account pre-hijacking?

It is a technique in which the attacker takes control of your online account before you even sign up for it. The attacker creates accounts in the target victim's name (typically using the victim's email address) on online services the victim does not yet use. This lets the attacker put each account into a prepared state before the unsuspecting victim creates what they believe is a fresh, legitimate account on that service. Recent research and the news coverage that followed it showed that several widely used online services were vulnerable to this class of attack.

The research on this attack was conducted by independent researcher Avinash Sudhodanan in collaboration with Andrew Paverd of the Microsoft Security Response Center (MSRC). According to their findings, of the 75 popular online services they analyzed, at least 35 were vulnerable to at least one account pre-hijacking attack. The affected services spanned video conferencing, social media, cloud storage, content management and professional networking platforms.

How do adversaries prepare for the account pre-hijacking attack?

As a prerequisite, the attacker gathers the victim's unique identifiers: email address, phone number and other PII. This information is scraped from the victim's social media profiles, credential dumps or large data breaches. The attacker then uses one of these identifiers, most often the email address, to create an account at a vulnerable service that the victim does not yet use. If the service sends a verification email and the victim ignores it, or the message lands in spam, the illegitimate account creation succeeds. The attacker then puts the account into a "pre-hijacked" state using one of the five techniques discussed in the next section, and waits for the victim to sign up. As the researchers put it: "If the attacker can create an account at a target service using the victim's email address before the victim creates an account, the attacker could then use various techniques to put the account into a pre-hijacked state."

Types of account pre-hijacking attack

There are five different ways an account pre-hijacking is possible.

1. Unexpired session identifier attack: The attacker creates the account with the victim's email address and keeps a long-lived session logged in. When the victim later discovers that an account already exists and recovers it by resetting the password, the service fails to invalidate existing sessions, so the attacker's session keeps working after the reset.

2. Classic-federated merge attack: The attacker creates a "classic" (email and password) account with the victim's email address. When the victim later signs in through a federated identity provider (for example "Sign in with Google") that asserts the same email address, the service merges the two identities into one account. The attacker's password still works, so both the victim and the attacker can access the account at the same time.

3. Unexpired email change attack: The attacker creates the account with the victim's email address and immediately requests a change of the account's email address to one they control, but does not confirm the change. The attacker waits for the victim to recover the account and start using it, then clicks the confirmation link. If the service did not cancel the pending change during recovery, the account's email address switches to the attacker's, and the attacker can take it over.

4. Trojan identifier attack: The attacker creates the account with the victim's email address and then adds a second identifier under the attacker's control, such as a recovery phone number or secondary email address. Even after the victim recovers the account, the extra identifier remains attached and lets the attacker regain access (for example through account recovery) whenever they want.

5. Non-verifying IdP attack: The attacker registers the victim's email address at an identity provider (IdP) that does not verify ownership of the address, then uses that federated identity to create an account at the vulnerable service. When the victim later creates a classic account with the same email address, the service merges the two, and the attacker keeps access through the federated login. This is the mirror image of the classic-federated merge attack.
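The two variants that depend on what a password reset does (attacks 1 and 3) are easiest to understand as a state-machine bug. The following is an added example, not code from the original article or from any of the services named below: a toy account service with a `vulnerable` switch. With the switch on, a password reset leaves the attacker's session and the attacker's pending email change in place; with it off, the reset revokes both. All names, tokens and addresses are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    password: str
    sessions: set = field(default_factory=set)   # session tokens bound to this account


class AccountService:
    """Toy model of a service's post-registration account logic (constructed
    for this example, not any real product's code).  vulnerable=True keeps
    sessions and pending email changes alive across a password reset, which is
    the weakness behind attacks 1 and 3; vulnerable=False invalidates both."""

    def __init__(self, vulnerable: bool):
        self.vulnerable = vulnerable
        self.accounts: dict[str, Account] = {}       # current email -> account
        self.sessions: dict[str, Account] = {}       # session token -> account
        self.pending: dict[str, tuple] = {}          # change token -> (account, new email)

    def register(self, email: str, password: str) -> str:
        # Assumption: sign-up issues a session at once and never asks the
        # registrant to prove control of the mailbox (the pre-hijacking precondition).
        acct = Account(email, password)
        self.accounts[email] = acct
        return self._new_session(acct)

    def _new_session(self, acct: Account) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = acct
        acct.sessions.add(token)
        return token

    def session_valid(self, token: str) -> bool:
        return token in self.sessions

    def reset_password(self, email: str, new_password: str) -> str:
        """The victim recovers the account through the reset link mailed to them."""
        acct = self.accounts[email]
        acct.password = new_password
        if not self.vulnerable:
            # Hardened: a reset revokes every existing session and every
            # pending identifier change, since the victim started none of them.
            for t in acct.sessions:
                self.sessions.pop(t, None)
            acct.sessions.clear()
            for t in [t for t, (a, _) in self.pending.items() if a is acct]:
                del self.pending[t]
        return self._new_session(acct)

    def request_email_change(self, session: str, new_email: str) -> str:
        """Queues a change; the returned token is what would be mailed to new_email."""
        token = secrets.token_hex(16)
        self.pending[token] = (self.sessions[session], new_email)
        return token

    def confirm_email_change(self, token: str) -> bool:
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        acct, new_email = entry
        del self.accounts[acct.email]
        acct.email = new_email
        self.accounts[new_email] = acct
        return True


def unexpired_session_attack(vulnerable: bool) -> bool:
    """True if the attacker's session outlives the victim's password reset."""
    svc = AccountService(vulnerable)
    attacker_session = svc.register("victim@example.com", "attacker-pw")
    svc.reset_password("victim@example.com", "victim-pw")   # victim recovers the account
    return svc.session_valid(attacker_session)


def unexpired_email_change_attack(vulnerable: bool) -> str:
    """Returns the address that owns the account once the attacker confirms
    the email change they queued before the victim recovered the account."""
    svc = AccountService(vulnerable)
    s = svc.register("victim@example.com", "attacker-pw")
    token = svc.request_email_change(s, "attacker@attacker.example")
    victim_session = svc.reset_password("victim@example.com", "victim-pw")
    svc.confirm_email_change(token)     # attacker clicks the link only now
    return svc.sessions[victim_session].email


if __name__ == "__main__":
    for vuln in (True, False):
        print("vulnerable" if vuln else "hardened",
              unexpired_session_attack(vuln),
              unexpired_email_change_attack(vuln))
```

The point of the hardened branch is that a password reset must be treated as a change of account ownership, not just a change of credential: everything the previous "owner" set up (sessions, pending identifier changes) is revoked in the same transaction.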

Services the researchers found vulnerable, and the attack variants that worked against them (all were reported to the vendors before publication):

· Zoom — classic-federated merge and non-verifying IdP attacks

· Instagram — Trojan identifier attack

· Dropbox — unexpired email change attack

· WordPress.com — unexpired session and unexpired email change attacks

· LinkedIn — unexpired session and Trojan identifier attacks

How to prevent such an attack?

· Enterprises and service providers should verify ownership of every identifier (email address, phone number) before the account can be used, and again before any identifier is added or changed. An account whose identifiers are unverified should not be usable at all.

· Multi-factor authentication helps once the legitimate user has enrolled in it, but it does not by itself stop an attacker from creating the pre-hijacked account in the first place. To be effective, enabling MFA (like a password reset) must also invalidate existing sessions and any pending identifier changes.

· Online services should not create a session before identity verification is complete, and should invalidate all existing sessions and pending changes when the password is reset. This closes the unexpired session and unexpired email change attacks.

· Keep browsers and devices up to date. This does not address pre-hijacking itself, but it reduces the ordinary session hijacking risks that compound it.

· Limit where you publish your email address and phone number; the attacker needs these identifiers as the starting point for the attack.

· If a service tells you an account already exists for your email address when you try to sign up, treat it as a warning sign. After recovering the account, check its settings for any secondary email address, phone number or linked login that you did not add, and remove it.

· Contact security service firms like PacketLabs for better guidance.
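The first three mitigations above come down to two rules: no usable account before the identifier is verified, and no silent merge between a verified identity and an unverified one. The following is an added example, not code from the original article or any of the services it names, that models account creation and federated sign-in with a `vulnerable` switch and replays the classic-federated merge and non-verifying IdP attacks from the list above against both settings. The `idp_verified_email` flag stands in for something like the OpenID Connect `email_verified` claim; all addresses and tokens are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    email: str
    password: Optional[str]      # None when the account has no password credential
    email_verified: bool


class SignupService:
    """Toy model of account creation and federated sign-in (constructed for
    this example, not any real product's code).  vulnerable=True reproduces
    the weak behaviour: unverified accounts are usable, a federated login
    silently merges into an unverified classic account and keeps its password,
    and an IdP is trusted even when it never verified the email address.
    vulnerable=False applies the mitigations listed in the article."""

    def __init__(self, vulnerable: bool):
        self.vulnerable = vulnerable
        self.accounts: dict[str, Account] = {}
        self.verify_tokens: dict[str, str] = {}   # verification token -> email

    def classic_register(self, email: str, password: str) -> str:
        """Creates an unverified account; returns the token that is mailed to `email`."""
        self.accounts[email] = Account(email, password, email_verified=False)
        token = secrets.token_hex(16)
        self.verify_tokens[token] = email
        return token

    def verify_email(self, token: str) -> bool:
        email = self.verify_tokens.pop(token, None)
        if email is None:
            return False
        self.accounts[email].email_verified = True
        return True

    def password_login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.password is None or acct.password != password:
            return False
        # Hardened: no session for an account whose email was never verified.
        return self.vulnerable or acct.email_verified

    def federated_login(self, email: str, idp_verified_email: bool) -> bool:
        """Sign-in via an IdP that asserts `email`; returns True if a session is granted."""
        if not idp_verified_email and not self.vulnerable:
            return False      # hardened: an unproven email is not an identifier
        acct = self.accounts.get(email)
        if acct is None:
            self.accounts[email] = Account(email, None, email_verified=True)
            return True
        if not acct.email_verified and not self.vulnerable:
            # Hardened merge: the earlier classic sign-up never proved ownership,
            # so its password is discarded before the verified user gets the account.
            acct.password = None
        acct.email_verified = True
        return True


def unverified_account_usable(vulnerable: bool) -> bool:
    """True if the attacker can use the account without ever clicking the
    verification link that went to the victim's mailbox."""
    svc = SignupService(vulnerable)
    svc.classic_register("victim@example.com", "attacker-pw")
    return svc.password_login("victim@example.com", "attacker-pw")


def classic_federated_merge_attack(vulnerable: bool) -> bool:
    """True if the attacker's password still opens the account after the
    victim signs in through a verifying IdP with the same email address."""
    svc = SignupService(vulnerable)
    svc.classic_register("victim@example.com", "attacker-pw")            # token never used
    svc.federated_login("victim@example.com", idp_verified_email=True)   # the victim
    return svc.password_login("victim@example.com", "attacker-pw")


def non_verifying_idp_attack(vulnerable: bool) -> bool:
    """True if an IdP that never checked the victim's address gets the
    attacker a usable account under that address."""
    svc = SignupService(vulnerable)
    return svc.federated_login("victim@example.com", idp_verified_email=False)


if __name__ == "__main__":
    for vuln in (True, False):
        print("vulnerable" if vuln else "hardened",
              unverified_account_usable(vuln),
              classic_federated_merge_attack(vuln),
              non_verifying_idp_attack(vuln))
```

In the hardened setting the legitimate user still gets the account when their IdP vouches for the address, but nothing the earlier unverified registrant set up (here, the password) survives the merge, which is the property the merge attacks exploit.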

If you want such technical content for your B2B or B2C business, contact me here. I can provide excellent technical and non-technical content with infographics, animations, and SEO-based articles that can bring potential leads & audiences to your website.


Karlos G. Ray [Masters | BS-Cyber-Sec | MIT | LPU]

I’m the CTO at Keychron :: Technical Content Writer, Cyber-Sec Enggr, Programmer, Book Author (2x), Research-Scholar, Storyteller :: Love to predict Tech-Future