Pre-Hijacking of Online Accounts are the Latest Method for Attackers to Impersonate and Target

Pre-Hijacking of Online AccountsRather than run a complex credential harvesting phishing scam, attackers use existing information about their victim and hijack a popular web service account *before* it’s created.

I’m guessing that initial summary got you wondering “how exactly does someone hijack an account that doesn’t yet exist?” According to a new research paper put out by the Microsoft Security Research Center, a new class of attack has been identified called account pre-hijacking. The idea behind the attack is that a scammer has personal details about their victim (whom they likely want to impersonate). Instead of trying to get the victim to give up their credentials to, say, their Office 365 account (that would be incredibly targeted spear phishing – something that has only a remote chance of working), the attacker goes to a platform the user is not yet setup on, and initially creates an account in the victim’s name.

The paper mentions a few ways in which this works. Here are just two of them:

  • Two routes to account creation – if a web service supports both a federated means to create an account, as well as a “classic” service-specific method, the attacker creates both at the same time, using the victim’s email address hoping the service will merge the accounts, giving access to both the victim and the attacker.
  • Unexpired session – the attacker signs on to the pre-hijacked account, and sends a service notification to the user to reset the password. The hope is that the service will allow the older session to remain active, despite the victim setting the password and finalizing the account.

Regardless of the method, the intent is to gain access to a new account that is tied to the user’s email address. In the end, the attacker, if successful, is able to utilize the compromised account on the new platform, acting as the user. The researchers note 75 popular services and found that at least 35 of these were vulnerable to one or more account pre-hijacking attacks.

Users will need to be made aware of these new techniques – particularly if they are likely to utilize an account on one or more of the most popular web-based services today. Enrolling users in Security Awareness Training, so should they receive a password reset notification for an account they themselves haven’t setup yet, will ensure the red flags are raised and they understand that this is suspicious at best, and potentially malicious at worst.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Topics: Phishing

Subscribe To Our Blog

Cybersecurity Awareness Month Free Resource Kit

Get the latest about social engineering

Subscribe to CyberheistNews