Pre-Hijacking of Online Accounts are the Latest Method for Attackers to Impersonate and Target

Stu Sjouwerman | Jun 23, 2022

Rather than run a complex credential harvesting phishing scam, attackers use existing information about their victim and hijack a popular web service account *before* it’s created.

I’m guessing that initial summary got you wondering “how exactly does someone hijack an account that doesn’t yet exist?” According to a new research paper put out by the Microsoft Security Research Center, a new class of attack has been identified called account pre-hijacking. The idea behind the attack is that a scammer has personal details about their victim (whom they likely want to impersonate). Instead of trying to get the victim to give up their credentials to, say, their Office 365 account (that would be incredibly targeted spear phishing – something that has only a remote chance of working), the attacker goes to a platform the user is not yet set up on and creates an account in the victim’s name first.

The paper mentions a few ways in which this works. Here are just two of them:

  • Two routes to account creation – if a web service supports both a federated means of creating an account and a “classic” service-specific method, the attacker uses both at the same time with the victim’s email address, hoping the service will merge the two accounts and thereby give access to both the victim and the attacker.
  • Unexpired session – the attacker signs in to the pre-created account and then triggers a service notification prompting the user to reset the password. The hope is that the service will leave the attacker’s older session active even after the victim sets the password and finalizes the account.

Regardless of the method, the intent is to gain access to a new account that is tied to the user’s email address. If successful, the attacker is able to use the compromised account on the new platform, acting as the user. The researchers examined 75 popular services and found that at least 35 of them were vulnerable to one or more account pre-hijacking attacks.
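To make the two routes above concrete from the service’s side, here is an added toy model (not code from the paper or this post) of classic sign-up, federated login and password reset with a `hardened` switch; the class names, the session scheme and the example addresses are assumptions. In hardened mode a federated login never merges into a classic record whose email was never confirmed, and a completed password reset revokes every session that existed before it.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    email: str
    password_hash: str = ""
    verified: bool = False            # has the email owner proven control of the address?

class AccountService:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: dict = {}      # email -> Account
        self.sessions: dict = {}      # token -> email, every session the service honours

    def _session(self, email: str) -> str:
        tok = secrets.token_hex(8)
        self.sessions[tok] = email
        return tok

    def _revoke_all(self, email: str) -> None:
        self.sessions = {t: e for t, e in self.sessions.items() if e != email}

    def signup_classic(self, email: str, password: str) -> str:
        acct = self.accounts.setdefault(email, Account(email))  # unverified until confirmed
        acct.password_hash = hashlib.sha256(password.encode()).hexdigest()  # toy hash, not a KDF
        return self._session(email)

    def login_federated(self, email: str) -> str:
        acct = self.accounts.get(email)
        if acct is None:
            self.accounts[email] = Account(email, verified=True)  # the IdP vouches for it
        elif self.hardened and not acct.verified:
            # Never merge into a record whose email was never confirmed: discard it,
            # with its password and sessions, and start a fresh verified account.
            self._revoke_all(email)
            self.accounts[email] = Account(email, verified=True)
        return self._session(email)

    def reset_password(self, email: str, new_password: str) -> str:
        acct = self.accounts[email]   # caller has completed the emailed reset link
        acct.password_hash = hashlib.sha256(new_password.encode()).hexdigest()
        acct.verified = True          # completing the reset proves control of the address
        if self.hardened:             # a reset must end every pre-existing session
            self._revoke_all(email)
        return self._session(email)

    def session_valid(self, tok: str) -> bool:
        return tok in self.sessions
```

With `hardened=False` the model reproduces both weaknesses (the earlier classic session survives a federated merge and survives a password reset); with `hardened=True` only the session opened by the verified owner remains valid.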

Users will need to be made aware of these new techniques – particularly if they are likely to use an account on one or more of the most popular web-based services today. Enrolling users in Security Awareness Training ensures that, should they receive a password reset notification for an account they haven’t set up themselves, the red flags are raised and they understand this is suspicious at best and potentially malicious at worst.
