Various cybersecurity research suggests that cybercriminals are working more on active session theft, a more effective way to gain access to someone’s account without having to resort to a data breach or prior hacking to obtain their password.
Hackers continue to strive to obtain, in one way or another, the usernames and passwords of their victims on any platform, with which to access an account and extract all the data or resources they can from it. However, there are certain types of attacks that, although more sophisticated, are more effective in achieving control of an account: capturing the active session instead of login data.
As we can assume from the name, capturing the active session consists of gaining access to an account while that user is active in it, without having logged out. This is suggested by research from Push Security, which explains that by capturing cookies or session tokens, it is enough to import them into the attacker’s browser to resume an active session in an application.
This means that the account can be accessed without having to enter a username and password, or pass any MFA verification, as indicated by the cybersecurity company.
Session cookies
When we are logged in to a website, cookies allow us to access it repeatedly without having to re-enter the username and password. By taking control of an active session, the hacker can gain control of the account to perform actions from there, without having to previously find out the password. Although these session cookies usually have a validity period after which their validity expires, this can last up to several weeks.
In order to achieve this, cybercriminals will look for the session cookies associated with a user who is active on that platform. To do this, there are mainly two methods: using phishing attacks such as AitM and BitM, or a program (information thief) to steal browser data.
These methods actually allow you to capture both active sessions and login data (username and password). That’s why
How these cookies capture
If they choose to attack, cybercriminals could opt for an AitM or a BitM. These modern attacks can bypass the controls that normally make these attempts impossible, such as encrypted traffic, use of VPN or multi-factor authentication (MFA).
The AitM (Adversary-in-the-Middle) attack is the most similar to the common phishing attack. With this attack, the victim clicks on a malicious link that takes them to the real website of a platform, and if they enter their user data, this data will be captured by the attacker, who is located between the victim and the real server. That is, a manipulated domain is used that is connected to the real portal, but is being controlled by the attacker.
When the site receives an HTTP request, it forwards it to the portal it is impersonating, and then forwards the response it receives to the victim but not before capturing that information.
This type of attack can be carried out using open source software such as Modlishka, Muraena and the ever-popular Evilginx, as reported by Segu-Info.
On the other hand, BitM (Browser-in-the-Middle) attacks are quite similar but, in them, a fraudulent website placed between client and server is not used, but rather they seek to impersonate an entire browser so that the victim use it, not knowing that everything you do on it is being recorded by the attacker. Basically, the attacker shares his desktop screen with the victim, and the victim uses the browser without knowing that it is the criminal’s browser that he is using, so he is able to capture not only the username and password but many more cookies. and information related to that session.
This tactic is much more complex, since to carry it out it is necessary that the victim has previously fallen for phishing. An open source program with which this can be done is noVNC.
One way to protect yourself from this type of attack is to use passkeys, the new form of login that companies like Google, Apple and Amazon have already added to their services. A different case is that of infostealers, a more dangerous malware that may be capable of stealing data saved in the browser despite the use of passkeys.
