Microsoft’s security center has published a new report on a growing form of online attack: the “hijacking” of accounts that victims have not yet created on online services.
According to the study, this type of scam is increasingly common. It exploits social networks and other services that allow an account to be pre-created from a small amount of personal information, such as an e-mail address, with the registration completed at a later date.
As a result, cybercriminals can gain access to profiles even if the victim chooses a strong password or takes basic privacy precautions. The group analyzed 75 online service pages and found that at least 35 of them were vulnerable to this type of scam.
The anatomy of the scam
Microsoft experts call the scheme “pre-hijacking”, since it involves taking possession of an account before it even comes into existence.
There are several ways to steal data in this case, from keeping a session active until the real user logs in, to using an already compromised email to “merge” registrations so that both the criminal and the victim have access.
The stages of the scam: prior registration, completion of registration and account theft. Source: Microsoft
Once in possession of the account, crooks can change the password and lock the original user out of the profile, using the account for identity theft, bank scams and other fraud. The full study can be viewed at this link.
According to Microsoft, two-factor authentication and better mechanisms for merging accounts or changing passwords should be a priority for digital services.
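One way a service could handle merging and password changes more safely, as an added sketch that is not code from the report or from this article: an unverified record is replaced rather than merged, and every session tied to it is revoked. `AccountStore`, its methods and the in-memory storage are hypothetical, and the identity-provider and reset-link checks are assumed to have happened before the calls.

```python
import hashlib, hmac, secrets

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AccountStore:
    """In-memory sketch of the account logic; all names are hypothetical."""
    def __init__(self):
        self.accounts = {}  # email -> {"salt", "pw", "verified", "idps"}
        self.sessions = {}  # token -> email

    def _replace(self, email, password, verified):
        # Fresh record + session revocation: nothing from an earlier record survives.
        salt = secrets.token_bytes(16)
        pw = _kdf(password, salt) if password is not None else None
        self.accounts[email] = {"salt": salt, "pw": pw,
                                "verified": verified, "idps": set()}
        self.sessions = {t: e for t, e in self.sessions.items() if e != email}

    def _session(self, email):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email
        return token

    def signup_password(self, email, password):
        if self.accounts.get(email, {}).get("verified"):
            raise ValueError("account exists")
        self._replace(email, password, verified=False)  # overwrite, never merge
        return self._session(email)  # unverified login allowed (assumption)

    def login(self, email, password):
        a = self.accounts.get(email)
        if not (a and a["pw"]
                and hmac.compare_digest(a["pw"], _kdf(password, a["salt"]))):
            raise PermissionError("login refused")
        return self._session(email)

    def signup_federated(self, email, idp):
        # Assumes `idp` has already proven the caller controls `email`.
        if not self.accounts.get(email, {}).get("verified"):
            self._replace(email, None, verified=True)  # drop unverified record
        self.accounts[email]["idps"].add(idp)
        return self._session(email)

    def reset_password(self, email, new_password):
        # Assumes the caller arrived through a reset link mailed to `email`.
        idps = self.accounts[email]["idps"]
        self._replace(email, new_password, verified=True)
        self.accounts[email]["idps"] = idps
        return self._session(email)
```

A record that was pre-created with someone else's password loses both its credential and its open sessions the moment the mailbox owner signs up through an identity provider or completes a password reset.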
Via Tecmundo






