Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Pre-Hijacking of Online Accounts are the Latest Method for Attackers to Impersonate and Target

    Pre-Hijacking of Online AccountsRather than run a complex credential harvesting phishing scam, attackers use existing information about their victim and hijack a popular web service account *before* it’s created.

    I’m guessing that initial summary got you wondering “how exactly does someone hijack an account that doesn’t yet exist?” According to a new research paper put out by the Microsoft Security Research Center, a new class of attack has been identified called account pre-hijacking. The idea behind the attack is that a scammer has personal details about their victim (whom they likely want to impersonate). Instead of trying to get the victim to give up their credentials to, say, their Office 365 account (that would be incredibly targeted spear phishing – something that has only a remote chance of working), the attacker goes to a platform the user is not yet setup on, and initially creates an account in the victim’s name.

    The paper mentions a few ways in which this works. Here are just two of them:

    • Two routes to account creation – if a web service supports both a federated means to create an account, as well as a “classic” service-specific method, the attacker creates both at the same time, using the victim’s email address hoping the service will merge the accounts, giving access to both the victim and the attacker.
    • Unexpired session – the attacker signs on to the pre-hijacked account, and sends a service notification to the user to reset the password. The hope is that the service will allow the older session to remain active, despite the victim setting the password and finalizing the account.

    Regardless of the method, the intent is to gain access to a new account that is tied to the user’s email address. In the end, the attacker, if successful, is able to utilize the compromised account on the new platform, acting as the user. The researchers note 75 popular services and found that at least 35 of these were vulnerable to one or more account pre-hijacking attacks.

    Users will need to be made aware of these new techniques – particularly if they are likely to utilize an account on one or more of the most popular web-based services today. Enrolling users in Security Awareness Training, so should they receive a password reset notification for an account they themselves haven’t setup yet, will ensure the red flags are raised and they understand that this is suspicious at best, and potentially malicious at worst.

     

    Return To KnowBe4 Security Blog

    Free Phishing Security Test

    Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

    PST ResultsHere's how it works:

    • Immediately start your test for up to 100 users (no need to talk to anyone)
    • Select from 20+ languages and customize the phishing test template based on your environment
    • Choose the landing page your users see after they click
    • Show users which red flags they missed, or a 404 page
    • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
    • See how your organization compares to others in your industry

    Go Phishing Now!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/phishing-security-test-offer

    Topics: Phishing

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews