Unfortunately, research conducted by Andrew Paverd from the Microsoft Security Response Centre, and independent researcher, Avinash Sudhodanan, has identified a new type of cyber threat which is doing just this, called pre- hijacking.
Account pre-hijacking is a new cyber threat in which cybercriminals could gain access to an online account via a new technique that involves laying the foundations for the attack, or 'pre-hijacking' before it's even been registered to the individual.
In pre-hijacking attacks, the attacker predicts which online service will be used by the targeted individual, and conducts certain activities before the user creates their account. When the individual finally joins the site and the account becomes active, the attacker then takes full control.
In the report published by Paverd and Sudhodanan, 75 out of the top 150 websites from the Alexa global website rankings were tested to see if they had pre jacking vulnerabilities.
The attacks are noted to most frequently involve federated identity and single sign-on (SSO) services, which allow users to sign up for certain online services using existing accounts registered with companies such as Microsoft, Google and Facebook.
Of the 150 websites, 136 supported account creation, and out of the 75 tested, 35 appeared exploitable through the pre-hijacking route for at least one attack. Vulnerable sites included:
Affected vendors were notified between March and September 2021, but Paverd and Sudhodanan note that many online services could still be vulnerable.
According to the researchers, "the root cause of account pre-hijacking vulnerabilities is that the service fails to verify that the user actually owns the supplied identifier (e.g. email address or phone number) before allowing use of the account”.
“Although many services require identifier verification, they often do so asynchronously, allowing the user (or attacker) to use certain features of the account before the identifier has been verified. Whilst this might improve usability, it creates a window of vulnerability for pre-hijacking attacks.”
Account Pre-Hijacking Overview
Image credit: Andrew Paverd - Microsoft Security Response Centre
Thankfully there are a few simple security provisions you can put in place to make it much more difficult for threat actors who may attempt to orchestrate any kind of credential theft attack. These include:
The Diamond IT team specialise in reviewing cyber security strategies to ensure they are fit-for-purpose, align with government recommendations, and include the necessary defences required to best protect your business from malicious threats.
Our Business Technology Managers (BTMs) and Business Technology Consulting team are specialists in improving your internal cybersecurity and are ready to speak with you. Contact our team on 1300 307 907 today.