Rather than run a complex credential-harvesting phishing scam, attackers use existing information about their victim to hijack a popular web service account *before* it’s created.

I’m guessing that initial summary got you wondering “how exactly does someone hijack an account that doesn’t yet exist?” According to a new research paper put out by the Microsoft Security Research Center, a new class of attack has been identified called account pre-hijacking. The idea behind the attack is that a scammer has personal details about their victim (whom they likely want to impersonate). Instead of trying to get the victim to give up their credentials to, say, their Office 365 account (that would be incredibly targeted spear phishing – something that has only a remote chance of working), the attacker goes to a platform the user is not yet set up on and creates an account in the victim’s name first.

The paper mentions a few ways in which this works. Here are just two of them:

  • Two routes to account creation – if a web service supports both a federated means to create an account and a “classic” service-specific method, the attacker creates both at the same time using the victim’s email address, hoping the service will merge the accounts and give access to both the victim and the attacker.
  • Unexpired session – the attacker signs on to the pre-hijacked account and has the service send the user a password-reset notification. The hope is that the service leaves the older session active even after the victim sets the password and finalizes the account.
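The two weaknesses above come down to service-side design choices: whether a federated sign-in is merged into an unverified classic account, and whether a password reset revokes sessions that already exist. The toy account service below is an added illustration written for this post, not code from the paper or from any real service; the email addresses, hashes and IdP subject ids are constructed, and `simulate()` runs both scenarios against a vulnerable configuration and a hardened one so the difference is visible in the returned values.

```python
"""Toy account service showing the two pre-hijacking weaknesses described
above and the server-side checks that close them.  Added illustration
(not from the paper or any real service); all names are constructed."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Account:
    email: str
    password_hash: Optional[str] = None          # set by the "classic" route
    federated_ids: Set[str] = field(default_factory=set)  # IdP subject ids
    email_verified: bool = False                 # proven mailbox control
    sessions: Set[str] = field(default_factory=set)


class AccountService:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: Dict[str, Account] = {}

    # classic (email + password) signup; the address is NOT verified here
    def classic_signup(self, email: str, password_hash: str) -> Account:
        acct = self.accounts.setdefault(email, Account(email))
        acct.password_hash = password_hash
        return acct

    # federated sign-in: the identity provider asserts the email address
    def federated_signin(self, email: str, idp_subject: str) -> Account:
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email, email_verified=True)
            self.accounts[email] = acct
        elif self.hardened and not acct.email_verified:
            # Mitigation for the "two routes" vector: do not merge an
            # IdP-asserted identity into a classic account whose address was
            # never verified; drop the unverified credentials and sessions.
            acct.password_hash = None
            acct.sessions.clear()
            acct.email_verified = True
        acct.federated_ids.add(idp_subject)
        return acct

    def login(self, email: str, password_hash: str) -> str:
        acct = self.accounts[email]
        if acct.password_hash is None or acct.password_hash != password_hash:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(8)
        acct.sessions.add(token)
        return token

    def reset_password(self, email: str, new_hash: str) -> None:
        acct = self.accounts[email]
        acct.password_hash = new_hash
        acct.email_verified = True   # following the reset link proves mailbox control
        if self.hardened:
            # Mitigation for the "unexpired session" vector: a reset revokes
            # every session that existed before the legitimate owner took over.
            acct.sessions.clear()

    def session_valid(self, email: str, token: str) -> bool:
        return token in self.accounts[email].sessions


def simulate(hardened: bool) -> Dict[str, bool]:
    """Run both scenarios; True means the pre-hijack succeeded."""
    svc = AccountService(hardened)

    # Scenario 1: attacker pre-creates a classic account, victim later arrives via an IdP
    victim = "victim@example.test"                         # constructed
    svc.classic_signup(victim, "attacker-hash")
    svc.federated_signin(victim, "idp-subject-for-victim")  # constructed
    try:
        svc.login(victim, "attacker-hash")
        attacker_password_survives_merge = True
    except PermissionError:
        attacker_password_survives_merge = False

    # Scenario 2: attacker holds a live session, victim claims the account via reset
    victim2 = "other@example.test"                         # constructed
    svc.classic_signup(victim2, "attacker-hash")
    attacker_token = svc.login(victim2, "attacker-hash")
    svc.reset_password(victim2, "victim-hash")             # victim follows the reset mail
    attacker_session_survives_reset = svc.session_valid(victim2, attacker_token)

    return {
        "attacker_password_survives_merge": attacker_password_survives_merge,
        "attacker_session_survives_reset": attacker_session_survives_reset,
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(hardened=False))
    print("hardened:  ", simulate(hardened=True))
```

With `hardened=False` both flags come back `True`; with `hardened=True` both are `False`. The two checks are the ones a service owner can audit for directly: treat an unverified classic account as untrusted when a federated identity for the same address appears, and revoke all sessions whenever a password reset completes.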

Regardless of the method, the intent is to gain access to a new account that is tied to the user’s email address. If successful, the attacker is able to use the compromised account on the new platform, acting as the user. The researchers examined 75 popular services and found that at least 35 of them were vulnerable to one or more account pre-hijacking attacks.

Users need to be made aware of these new techniques, particularly if they are likely to use an account on one or more of today’s most popular web-based services. Enrolling users in Security Awareness Training ensures that, should they receive a password reset notification for an account they haven’t set up themselves, the red flags are raised and they understand that this is suspicious at best and potentially malicious at worst.