Session Hijacking Is Back: MFAs No Longer Safe

Session hijacking, a method of cyberattack that has long plagued the digital landscape, has recently undergone a transformation. The latest iterations of this threat have demonstrated an alarming capability to circumvent multi-factor authentication (MFA) checks, raising concerns among cybersecurity experts. In 2023 alone, Microsoft reported a staggering 147,000 token replay attacks, marking a remarkable 111% increase from the previous year. Google has echoed these concerns, noting that session cookie attacks now rival traditional password-focused cyberattacks, signaling a resurgence of session hijacking as a significant threat.

What Is Session Hijacking?

At its core, session hijacking involves cybercriminals taking control of active web sessions, effectively impersonating legitimate users. By deceiving websites into believing they are the actual user, attackers can bypass the authentication process entirely. Historically, session hijacking relied heavily on Man-in-the-Middle (MitM) attacks, where malicious actors exploited unsecured networks to capture sensitive credentials and financial information. However, the landscape has shifted; modern session hijacking has transitioned from a network-based approach to an identity-based strategy, rendering traditional defenses like MFA and VPNs less effective.

How Does Session Hijacking Work?

Today, session hijacking can manifest through several sophisticated techniques. Here are three prominent methods employed by threat actors:

  • Adversary-in-the-Middle (AitM) attack
  • Browser-in-the-Middle (BitM) attack
  • Infostealers

The AitM attack represents a phishing technique that can detect and intercept MFA checks, capturing authentication data, including session tokens. In this scenario, attackers establish a proxy between the target and the legitimate application portal, leading the victim to believe they are accessing the real site while the adversary silently monitors all interactions.

Taking it a step further, the BitM attack tricks the target into controlling the attacker’s browser through remote screen-sharing applications. This method allows attackers to harvest more than just usernames and passwords, as the victim unwittingly engages with the attacker’s environment.

Infostealers

Infostealers pose a particularly insidious threat, delivered through various channels such as malvertising, malicious links, and infected websites. Unlike AitM and BitM attacks, infostealers can target all session cookies stored in a user’s browser, as well as other saved credentials. This broad scope makes infostealers more dangerous, as they can compromise multiple applications rather than just one. Furthermore, advanced malware has emerged that can evade detection by Endpoint Detection and Response (EDR) systems, complicating defense efforts.

For instance, in early April, infostealers like Atomic Stealer and Meethub exploited vulnerabilities to pilfer macOS passwords and cryptocurrency wallet credentials. Users searching for the ‘Arc Browser’ were misled by sponsored links that redirected them to malicious sites, resulting in the unintended download of malware instead of the intended software. Similarly, a vulnerability in Microsoft Defender SmartScreen allowed the delivery of infostealers such as Meduza and Lumma in July.

According to the 2024 Sophos Threat Report, approximately 43% of malware detected in 2023 was classified as infostealers. The prevalence of these attacks can be attributed to unsecured and unmanaged devices, particularly in environments that support Bring Your Own Device (BYOD) policies. When employees log into personal accounts on work devices, the risk of syncing compromised data increases significantly.

Notably, passkeys offer limited protection against infostealer attacks. While they can effectively thwart AitM and BitM attacks due to their reliance on biometric authentication, infostealers operate without authentication, rendering passkey defenses ineffective.

Prevention Against Modern Session Hijacking

Despite the daunting nature of these threats, there are proactive measures businesses can adopt to mitigate the risk of session hijacking:

Keep Personal Info Private

One of the silver linings of infostealers is that they require the target to download malware to initiate the data-stealing process. To counter this, it is advisable to keep personal information separate from corporate devices. By doing so, even if malware is inadvertently downloaded on a personal device, the risk of syncing sensitive business data is minimized.

Antivirus and EDR

In the event that an infostealer is downloaded, having robust antivirus and EDR solutions in place is crucial. Many reputable antivirus programs are designed to actively detect and eliminate malware, including infostealers. Regular updates to these systems are essential to protect against unpatched vulnerabilities.

In-app Controls

As a final line of defense, implementing strong in-app controls, such as location-specific IP address locking, can help thwart infostealer attempts. While not foolproof, these measures are generally more challenging for attackers to bypass. Maintaining comprehensive session logs can also aid in detecting suspicious activity, allowing businesses to respond swiftly to potential threats.
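As an added example that is not part of the original article, the following script shows what the two in-app controls just described look like when combined: each session is bound to the IP address and country it was issued to, and later requests in the session log are graded (allow, step-up, deny) so that a stolen token replayed from elsewhere stands out. The log format, token ids and addresses are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample log (not from the article): one login, then the same token
# used from the issuing IP, from a second IP in the same country, and from a
# third IP in another country, followed by a token that was never issued.
SAMPLE_LOG = """\
2024-08-01T09:00:00Z LOGIN user=alice token=t1 ip=203.0.113.10 country=US
2024-08-01T09:05:00Z REQ token=t1 ip=203.0.113.10 country=US path=/mail
2024-08-01T09:06:00Z REQ token=t1 ip=198.51.100.7 country=US path=/mail
2024-08-01T09:07:00Z REQ token=t1 ip=192.0.2.44 country=RU path=/admin
2024-08-01T09:08:00Z REQ token=t9 ip=192.0.2.44 country=RU path=/admin
"""

KV = re.compile(r"(\w+)=(\S+)")  # parses the key=value fields of one log line

@dataclass
class Session:
    user: str
    issued_ip: str
    issued_country: str
    seen_ips: set = field(default_factory=set)

class SessionMonitor:
    """Binds each session token to its issuing IP/country. A new IP in the same
    country triggers step-up re-authentication; a new country or an unknown
    token is denied. The thresholds are a policy choice, not a fixed rule."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []

    def handle(self, line: str) -> str:
        ts, event, rest = line.split(" ", 2)
        f = dict(KV.findall(rest))
        if event == "LOGIN":
            self.sessions[f["token"]] = Session(f["user"], f["ip"], f["country"], {f["ip"]})
            return "allow"
        s = self.sessions.get(f["token"])
        if s is None:
            self.alerts.append(f"{ts} unknown token {f['token']} from {f['ip']}")
            return "deny"
        if f["country"] != s.issued_country:
            self.alerts.append(f"{ts} {s.user}: token {f['token']} replayed from {f['country']} ({f['ip']})")
            return "deny"
        if f["ip"] not in s.seen_ips:
            s.seen_ips.add(f["ip"])
            self.alerts.append(f"{ts} {s.user}: new IP {f['ip']} on token {f['token']}, step-up required")
            return "step-up"
        return "allow"

def grade_log(log: str) -> Tuple[List[str], List[str]]:
    """Feed every line through one monitor; return (decisions in order, alerts)."""
    mon = SessionMonitor()
    decisions = [mon.handle(line) for line in log.splitlines() if line.strip()]
    return decisions, mon.alerts

if __name__ == "__main__":
    print(grade_log(SAMPLE_LOG)[0])  # ['allow', 'allow', 'step-up', 'deny', 'deny']
```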

As session hijacking continues to evolve, it is imperative for organizations to remain vigilant and adapt their security strategies accordingly, especially in environments that embrace BYOD practices.
