Account takeover fraud is not new but it is growing fast. By 2018, account takeover fraud accounted for losses of around $4 billion. In 2021, this figure increased by more than 200%, and as of today, it is estimated to exceed $12 billion.
A recent paper published by Microsoft has revealed a new and disturbing way of compromising accounts where hackers hijack accounts before users register them. For instance, they create an account in Zoom or Dropbox using the user's credentials. Pre-hijacking can have a devastating effect on organizations, as access can be compromised without being detected.
This class of cyberattack requires the following circumstances in order to work:
The account has not been created by the user yet with the ID used.
The hackers need some form of user identification (email, ID number, phone number, etc), generally obtained on the dark web.
A flaw in the process allows the account to be created without being verified.
Regarding this last point, it should be clarified that hackers do not have access to the victim's email or cell phone, they simply have their login (username and password), so the account is not activated subsequently. The Microsoft Research study identifies the following pre-hijacking methods:
- Classic-Federated Merge Attack: following this method, the attacker creates an account using the victim's email address; obviously, it is not verified, since the attacker does not have access to the email, but the login is recorded. When is the account compromised? When the victim activates it using the IdP creation path.
- Unexpired Session ID Attack: the attacker succeeds in generating the account using the victim's email as an identifier, making access fully functional. When the victim tries to create the account, they are notified that it has already been created and password recovery is generated, which does not prevent the attacker from continuing to gain access. For this attack to succeed, the service must allow multiple sessions simultaneously.
- Trojan Identifier Attack: using this system, the hacker generates an identifier on the new account, and then creates a secondary login with real customer data (email or phone number). This means that even if the victim tries to log in by recovering their password, the attacker will remain active in the acount as a trojan.
- Non-Verifying IdP Attack: using this technique, hackers create their own IdP and open an account using its federated path, then add a user using the victim's email address. When the victim creates an account, the system reminds them that it already exists, and when recovering the password, the attacker gains access through the federated account.
- Unexpired Email Change Attack: with this attack vector, the threat actor generates an account using the victim's email address without waiting for verification and then changes it to another one under their control. At this point, if the victim tries to create an account, the attacker takes control of it before the email change process is completed.
- Email verification trick: on many systems, the service does not allow an account to be created without email verification. This is when the hacker creates it using an email under their control, and then takes advantage of the 'change email' function by entering the victim’s email address. So, when the user wants to create an account, they can start the change process but the attacker will have already "trojanized" it, remaining active on it.
So how can you protect yourself against a pre-hijack attack?
The fundamental and most effective measure is to implement a strong multi-factor authentication (MFA) system. One of the biggest shortcomings of traditional user ID and password logins is that passwords can be compromised easily. In the past, MFA systems used to rely on two-factor authentication (2FA). Today, however, the label multifactor is increasingly used to describe any authentication scheme that requires two or more identity credentials to reduce the possibility of a cyberattack.
These systems explicitly identify the user via an additional personal device, but to be truly effective, it is critical to activate the MFA associated with an account at the same time it is created. The longer the time gap is between creation and MFA activation, the greater the likelihood of suffering one of these attacks.
After implementing MFA, organizations must focus on the other weak link in the chain: users. In many cases, people do not remember having created an account on a given service and when they receive an alert, they assume that they have created it, proceeding to recover the password and completing the attack without realizing it. This means it is important to train staff so that they never retrieve the password for a service unless they are absolutely certain that they have created an account before.