Malicious actors have greater incentives than ever to probe a company's security perimeter for user data. According to a Kaspersky report, account takeover incidents spiked 20 percent from 2019 to 2021. Another report claims that illicit harvesting of Personally Identifiable Information (PII) for account hijacking rose 7 percent, from 39.7 percent in 2021 to 46.6 percent in 2022. Worse still, account pre-hijacking is spreading, and it keeps security teams on their toes.
What is account pre-hijacking?
Account pre-hijacking is a technique in which the attacker takes control of a victim's online account before the victim has even signed up for it. The attacker creates accounts in the target's name on various online services and platforms, which lets them take a range of actions before the unsuspecting victim creates a legitimate account on that platform.
Recent research has documented incidents that point to this technique being deployed. Avinash Sudhodanan, an independent researcher, collaborated with Andrew Paverd of the Microsoft Security Response Center (MSRC) to measure the extent of account pre-hijacking.
According to their findings, of the 75 popular online platforms they analyzed, at least 35 were vulnerable to account pre-hijacking attacks. Adversaries are leveraging account pre-hijacking against banking services, social media platforms, online storage platforms, CMS tools, and more.
How do adversaries prepare for the account pre-hijacking attack?
As a preliminary step, the attacker gathers the target's unique identifiers, such as email addresses, phone numbers, and other PII. This information is scraped from the victim's social media accounts, credential dumps, or large data breaches.
The attacker then uses these identifiers to create an account in the victim's name on a vulnerable site. If the victim ignores the pop-up, or the email notification lands in their spam folder, the illegitimate account is created without any friction. The researchers said, "If the attacker can create an account at a target service using the victim's email address before the victim creates an account, the attacker could then use various techniques to put the account into a pre-hijacked state."
Types of account pre-hijacking attack
There are five ways in which account pre-hijacking can be carried out:
Unexpired session identifier attack: The attacker creates the account with the victim's email address and keeps a long-lived session active. Even if the victim notices the account and recovers it by resetting the password, the attacker retains access because the session is never expired.
Classic federated merge attack: In this attack vector, the adversary's pre-created account and the victim's later sign-up use different identity mechanisms (classic password-based or federated) but the same email address, and the service merges them into one account. Both the victim and the adversary can then access the compromised account simultaneously.
Unexpired email change attack: In this attack vector, the attacker creates a pre-hijacked account with the victim's email address and then requests a change of the account's email address to one under the attacker's control. The attacker waits for the victim to recover the account and start using it before completing the change-of-email process.
Trojan-based identifier attack: Here, the attacker creates a pre-hijacked account with the victim's email address and then adds a second identifier, such as a phone number or email address under the attacker's control. Even when the victim recovers the account, the second identifier lets the attacker regain access whenever they want.
Non-verifying IdP attack: In this technique, the attacker creates an account at the vulnerable service through a non-verifying identity provider (IdP), one that does not check that the user actually controls the email address it asserts. The attacker can therefore register with the victim's email address without any further verification.
Top companies found vulnerable to:
Zoom: Federated merge and non-verifying IdP attack
Instagram: Trojan-based identifier attack
Dropbox: Unexpired email change attack
WordPress CMS: Unexpired session and unexpired email change attack
LinkedIn: Unexpired session and Trojan-based identifier attack
How to prevent your email from being used to create a pre-hijacked account
Implement strict user identifier verification in your products and services
Mandate multi-factor authentication on all services and websites
Invalidate any sessions created before the user's identity was verified or MFA was activated
Keep browsers up to date
Don't enter your personal identifiers on online platforms unless necessary
Check your account settings for any secondary email address or phone number that you do not recognize
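As an added illustration (not code from this article or from the researchers), the Python sketch below shows the service-side counterpart of the session-invalidation advice above, covering the unexpired session, unexpired email change and Trojan-based identifier attacks from the list of attack types: when the real owner of the address proves control, every session, pending email change and unconfirmed secondary identifier created before that proof is discarded. The account model, method names and sample addresses are constructed for the example; the hardened=False path reproduces the vulnerable behaviour for comparison.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    pending_email_change: "str | None" = None
    secondary_ids: dict = field(default_factory=dict)  # identifier -> confirmed by its owner?

class AccountService:
    def __init__(self, hardened=True):
        self.hardened = hardened  # False reproduces the vulnerable behaviour
        self.accounts, self.session_owner = {}, {}  # email -> Account, session token -> email

    def login(self, email):
        # Classic sign-up: creates the account on first use and opens a session.
        self.accounts.setdefault(email, Account(email))
        token = secrets.token_hex(16)
        self.session_owner[token] = email
        return token

    def request_email_change(self, token, new_email):
        self.accounts[self.session_owner[token]].pending_email_change = new_email

    def add_secondary_id(self, token, identifier):
        self.accounts[self.session_owner[token]].secondary_ids[identifier] = False

    def claim_by_verified_owner(self, email):
        # The address owner proves control (verification link or password reset). Hardened:
        # every session, pending change and unconfirmed identifier that predates that proof goes.
        acct = self.accounts[email]
        if self.hardened:
            self.session_owner = {t: e for t, e in self.session_owner.items() if e != email}
            acct.pending_email_change = None
            acct.secondary_ids = {k: v for k, v in acct.secondary_ids.items() if v}
        return self.login(email)

def simulate(hardened):
    # Attacker pre-creates the account with the victim's (constructed) address, plants an
    # email change plus a secondary phone number, then the real owner claims the account.
    svc = AccountService(hardened)
    victim = "victim@example.invalid"
    attacker_tok = svc.login(victim)
    svc.request_email_change(attacker_tok, "attacker@example.invalid")
    svc.add_secondary_id(attacker_tok, "+1-555-0100")
    owner_tok = svc.claim_by_verified_owner(victim)
    return {"attacker_session_alive": attacker_tok in svc.session_owner,
            "owner_session_alive": owner_tok in svc.session_owner,
            "pending_email_change": svc.accounts[victim].pending_email_change,
            "unconfirmed_ids": [k for k, v in svc.accounts[victim].secondary_ids.items() if not v]}
```

Running simulate(True) and simulate(False) side by side shows the difference: only the hardened path leaves the attacker with no live session, no pending email change and no planted identifier once the owner has claimed the account.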