A move away from asynchronous verification processes is the suggested remedy for service providers, whereas users have been urged to implement two-factor authentication where they can. However, multi-factor authentication must be combined with a password manager if you want maximum protection from all the different types of identity theft out there.

What is Account Pre-Hijacking?

“Pre-Hijacking” is the catch-all term for a contemporary class of cyberattacks in which the attacker takes control of a victim’s account on a given website before the victim has even created it, described in a paper by security researchers Avinash Sudhodanan and Andrew Paverd. In this way it departs from existing attacks such as brute-forcing or password spraying, which try to obtain the passwords and other credentials of existing accounts through trial and error. The researchers pointed out that services often verify you “asynchronously,” and that parts of an account are accessible before verification completes. A “Classic-Federated Merge Attack,” for example, involves the threat actor creating an account via the “classic” route, then counting on the unsuspecting victim later creating an account through the “federated” route with the same email address. If the service merges these accounts insecurely, it can easily hand the attacker access. Another variant involves creating an account with the target’s email address and then requesting that it be changed to the attacker’s email address. The service sends the verification link for that change to the attacker’s address rather than the victim’s, and the threat actor waits until the victim has started using the account before confirming the change.
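As an added illustration (not code from the paper or from any service it tested), the toy account store below models the Classic-Federated Merge flow described above. With `secure_merge=False` the attacker’s pre-created session and password survive the merge; with `secure_merge=True` the unverified classic account’s password and sessions are discarded when the federated login arrives. The class and function names, the `victim@example.com` address and the session model are all constructed for this example.

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class Account:
    email: str
    password: str = ""                          # "" means no classic login
    verified: bool = False                      # email ownership proven?
    sessions: set = field(default_factory=set)  # live session tokens

class AccountStore:
    def __init__(self, secure_merge):
        self.secure_merge = secure_merge  # False reproduces the weak merge
        self.accounts = {}

    def _new_session(self, acct):
        token = secrets.token_hex(8)
        acct.sessions.add(token)
        return token
    def register_classic(self, email, password):
        # Asynchronous verification: the account (and a session) exists before
        # anyone has confirmed that the registrant controls this email.
        acct = self.accounts.setdefault(email, Account(email))
        acct.password = password
        return self._new_session(acct)

    def login_federated(self, email):
        # IdP asserts ownership of `email`; a same-address classic account is merged.
        acct = self.accounts.setdefault(email, Account(email))
        if self.secure_merge and not acct.verified:
            # Hardened merge: the unverified classic account never proved
            # ownership, so discard its password and every session it holds.
            acct.password = ""
            acct.sessions.clear()
        acct.verified = True
        return self._new_session(acct)
    def login_classic(self, email, password):
        acct = self.accounts.get(email)
        if acct and acct.password and acct.password == password:
            return self._new_session(acct)
        return None

def merge_attack_outcome(secure_merge):
    """(attacker's pre-created session still valid, attacker's password still works)"""
    store = AccountStore(secure_merge)
    attacker_token = store.register_classic("victim@example.com", "attacker-pw")
    store.login_federated("victim@example.com")   # victim later signs up via the IdP
    return (attacker_token in store.accounts["victim@example.com"].sessions,
            store.login_classic("victim@example.com", "attacker-pw") is not None)
```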

The concerning thing about the study is the share of popular sites that are vulnerable to this sort of attack. 75 of the top 150 most popular websites were tested, and 35 appeared exploitable through the pre-hijacking route. Given how many sites in this sample were vulnerable, the researchers suggested that a slew of other sites are highly likely to be vulnerable too.

Attack Mitigation – What Can You Do?

The researchers suggest that mitigation rests on deploying multi-factor authentication – with the caveat that any sessions opened before multi-factor authentication is enabled must be automatically signed out. However, multi-factor authentication should be paired with a password manager – with these two security provisions in place, you make it much more difficult for threat actors attempting to orchestrate any kind of credential theft attack.