What Is Account Pre-Hijacking and How Does It Work?

Account hijacking is the act of taking control of somebody else’s account. It is typically carried out in the hope of stealing personal information, impersonating the victim, or blackmailing them. Account hijacking is a common problem, but it isn’t easy to perform. In order to be successful, the attacker obviously needs to figure out the victim’s password.

Researchers have discovered a new type of attack known as account pre-hijacking. It involves accounts which haven’t yet been created and allows attackers to achieve the same goal without access to a password.


So what is account pre-hijacking and how can you protect yourself from it?

What Is Account Pre-Hijacking?

Account pre-hijacking is a new type of cyberattack. The attacker creates an account on a popular service using somebody else’s email address.

When the victim attempts to create an account using the same email address, the attacker retains control of the account. Any information provided by the victim is then accessible to the attacker, and they may then take exclusive control of the account at a later date.


How Does Account Pre-Hijacking Work?

In order to carry out pre-hijacking, the attacker first needs access to an email address. These are widely available on the dark web. When a data breach occurs, large batches of email addresses are usually published as data dumps.

The attacker then creates an account on a popular service which the owner of the email address hasn’t yet used. This attack is possible on many big service providers, so predicting that victims will at some point want such an account isn’t necessarily difficult.


This is all carried out in bulk, in the hope that a certain number of attacks will eventually be successful.

When the victim attempts to create an account on the targeted service, they will be told that they already have an account and will be asked to reset their password. Many victims will reset their password assuming that it’s an error.


The attacker will then be notified of the new account and might be able to retain access to it.

The specific mechanism by which this attack occurs varies, but there are five distinct types.


Classic-Federated Merge Attack

Many online platforms give you a choice of signing in using a federated identity such as your Gmail account or creating a new account using your Gmail address. If the attacker signs up using your Gmail address and you sign in using your Gmail account, it’s possible that you’ll both have access to the same account.

Unexpired Session Identifier Attack

The attacker creates an account using the victim’s email address and keeps an active session. When the victim creates an account and resets their password, the attacker retains control of the account because the platform didn’t log them out of their active session.

Trojan Identifier Attack

The attacker creates an account and adds a further account recovery option. This might be another email address or a phone number. The victim can reset the password of the account but the attacker can still use the account recovery option to take control of it.

Unexpired Email Change Attack

The attacker creates an account and initiates a change of email address. They receive a link to change the email address of the account, but they don’t complete the process. The victim can reset the password of the account but this doesn’t necessarily deactivate the link that the attacker received. The attacker can then use the link to take control of the account.

Non-Verifying Identity Provider Attack

The attacker creates an account using an identity provider that doesn’t verify email addresses. When the victim signs up using the same email address, it’s possible that they will both have access to the same account.

How Is Account Pre-Hijacking Possible?

If an attacker signs up for an account using your email address, they will usually be asked to verify the email address. Assuming they haven’t hacked your email account, this won’t be possible.

The problem is that many service providers allow users to keep the account open with limited functionality before the email address is verified. This allows attackers to prepare an account for this attack without verification.
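As an added illustration that is not part of the original article, the following Python model shows the server-side fixes for the five attack variants above and for the unverified-account weakness described in this section: a password reset on a never-verified account revokes all sessions, cancels any pending email change and drops recovery options, and a federated login never silently merges into an unverified account. The Account class, login and reset functions are hypothetical names, not any real provider's code.

```python
# Constructed illustration (not any real provider's code): one account store,
# a vulnerable reset path, and a hardened path that closes each hole in turn.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import secrets

@dataclass
class Account:
    email: str
    email_verified: bool = False          # the attacker never verifies
    password_hash: str = ""               # stand-in; use a real KDF in production
    sessions: Set[str] = field(default_factory=set)
    pending_email_change: Optional[str] = None   # outstanding change-email token
    recovery_ids: Set[str] = field(default_factory=set)   # extra emails/phones

def login(acct: Account) -> str:
    """Issue a session id; the attacker does this right after signing up."""
    sid = secrets.token_hex(16)
    acct.sessions.add(sid)
    return sid

def reset_password_insecure(acct: Account, new_hash: str) -> None:
    """Vulnerable: only the password changes. Old sessions, the pending
    email-change link and attacker-added recovery options all survive."""
    acct.password_hash = new_hash
    acct.email_verified = True            # the reset link proved email ownership

def reset_password_hardened(acct: Account, new_hash: str) -> None:
    """Hardened: a reset on a never-verified account is a fresh ownership
    claim, so strip everything the pre-owner could still use."""
    acct.password_hash = new_hash
    acct.email_verified = True
    acct.sessions.clear()                 # Unexpired Session Identifier
    acct.pending_email_change = None      # Unexpired Email Change
    acct.recovery_ids.clear()             # Trojan Identifier

def federated_login(store: Dict[str, Account], email: str) -> str:
    """IdP asserted `email` (assumed verified by the IdP). Never silently
    merge into an unverified account: apply the hardened reset to it first
    (Classic-Federated Merge / Non-Verifying Identity Provider)."""
    acct = store.setdefault(email, Account(email=email))
    if not acct.email_verified:
        reset_password_hardened(acct, new_hash="")   # no password set yet
    return login(acct)
```

The insecure reset leaves the attacker's session, pending email-change token and recovery option in place; the hardened reset and the federated path remove all three before the victim gets a session.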

Which Platforms Are Vulnerable?

Researchers tested 75 different platforms out of the top 150 according to Alexa. They found that 35 of these platforms were potentially vulnerable. This includes big names such as LinkedIn, Instagram, WordPress, and Dropbox.

All companies discovered to be vulnerable were informed by the researchers. But it’s not known if sufficient action has been taken to prevent these attacks.

What Happens to the Victim?

If you fall for this attack, any information that you provide will be accessible to the attacker. Depending on the type of account, this may include personal information. If this attack is carried out against an email provider, the attacker could attempt to impersonate you. If the account is valuable, it could also be stolen, and you could be asked for a ransom for its return.

How to Protect Against Account Pre-Hijacking

The primary protection against this threat is to know that it exists.

If you set up an account and are told that an account already exists, you should sign up with a different email address. This attack is impossible if you use different email addresses for all of your most important accounts.

This attack also relies on the user not using Two-Factor Authentication (2FA). If you set up an account and turn on 2FA, anyone else with access to the account won’t be able to log in. 2FA is also recommended for protecting against other online threats such as phishing and data breaches.

Account Pre-Hijacking Is Easy to Avoid

Account hijacking is a common problem. But account pre-hijacking is a new threat and, so far, largely theoretical. It’s a possibility when signing up to many online services, but it’s not yet believed to be a regular occurrence.

While victims of this attack can lose account access and have their personal information stolen, it’s also easy to avoid. If you sign up for a new account and are told that you already have one, you should use a different email address.
