DEV Community

Farrukh Yakubov

Session stealing attack - something you should know about

Session stealing is one of the most practical ways an adversary gets into your accounts. We all know the usual suspects of security advice: strong passwords, 2FA, VPN, encryption. You hear these from everyone, but they are not the fronts a smart adversary targets first.

Why break down walls when you can get the golden ticket handed over?

Unfolding of the calamity - the silent spotlight is on you

It starts with research into you; all targeted attacks do.

This phase is about learning as much as possible about you. It yields metadata such as:

  • What are your interests? What is your job?
  • Which categories of people do you regularly interact with, professionally or otherwise?
  • Your social graph, who do you trust the most, or at least digitally? Do these people have worse security than you?

Springing the trap - two ways to fall for it

A. You will download and open a file sent by someone.

You might be saying, hold on, I wouldn't do that. But this someone will be either a person you trust, or someone from a category you would normally interact with. The interaction is as professional as the prior research says it needs to be, and seemingly sincere and harmless.

This person could be anyone: a prospective client, investor, employee, employer - take your pick. They could even be a colleague, friend or family member who was easier to social engineer first on the way to you. They might sincerely be sharing a file they found interesting for you to look at. What you don't know is that they got the file by being approached in the manner described above.

Everything seems in order, but what you do not see is that malicious code embedded in the file, or launched by opening it, triggered a chain of events that copied the session tokens your browser had stored (cookies and other saved login tokens) and sent them to the attacker. The malware never needed your password: the tokens are the proof that you already logged in.

B. You connect to an unprotected public WiFi. So does your attacker.

Be it your favorite coffee shop or a conference venue you attend. The research phase has revealed your routine: the adversary knows when you connect to which networks.

On an open (unencrypted) WiFi network, anyone else on the network can capture the traffic passing by, and if a site sends its session cookie over plain HTTP, the cookie is right there in the capture. A Firefox extension called Firesheep demonstrated this in 2010: it picked session cookies out of the air for popular sites that used HTTPS only for the login page and then dropped back to HTTP. Sites that serve everything over HTTPS and set the Secure flag on their cookies close this particular hole, but an open network still exposes any traffic that is not encrypted.
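As an added illustration (not part of the original post, and not Firesheep's code), here is what a passive listener on an open network can pull out of a single plain-HTTP request. The captured request, the host name and the cookie values are all constructed for the example, and the list of cookie-name hints is an assumption; Firesheep itself shipped a handler per site that knew the exact cookie to take.

```python
# Added example, not from the original post: what a passive listener on an open
# WiFi network sees when a browser sends a request over plain HTTP (the Firesheep
# scenario). The captured request, host and cookie values below are constructed.
from typing import Dict

# Constructed sample: one plain-HTTP request as it would appear on the wire.
CAPTURED_REQUEST = (
    b"GET /feed HTTP/1.1\r\n"
    b"Host: example-social.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: sessionid=9f8a7e6d5c4b3a2f; csrftoken=abc123; theme=dark\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

# Assumption for the example: cookie names that usually carry the login state.
# Firesheep instead shipped a per-site handler that knew the exact cookie to take.
SESSION_COOKIE_HINTS = ("session", "sid", "auth")


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Return the headers (names lower-cased) of a raw HTTP request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies: Dict[str, str] = {}
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def likely_session_cookies(cookies: Dict[str, str]) -> Dict[str, str]:
    """Keep the cookies whose names suggest they carry the login session."""
    return {k: v for k, v in cookies.items()
            if any(hint in k.lower() for hint in SESSION_COOKIE_HINTS)}


def harvest(raw: bytes) -> Dict[str, object]:
    """Everything an on-path listener learns from one plaintext request."""
    headers = parse_headers(raw)
    cookies = parse_cookie_header(headers.get("cookie", ""))
    return {
        "host": headers.get("host"),
        "all_cookies": cookies,
        "session_cookies": likely_session_cookies(cookies),
    }


if __name__ == "__main__":
    loot = harvest(CAPTURED_REQUEST)
    print(f"{loot['host']}: session cookies {loot['session_cookies']}")
    # Replaying these in the Cookie header of the attacker's own browser is the
    # whole attack; no password or 2FA prompt is involved.
```

Over HTTPS the whole request, Cookie header included, travels inside the TLS record, so a listener on the same network learns only that a connection to the host was made. The Secure attribute on the cookie is what stops the browser from ever sending it over plain HTTP, even if some page on the site is reached via http://.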

Pandora's box or the sleeping giant

Once the session tokens are in hand, the attacker can open the respective accounts without dealing with passwords or 2FA. A session token is the proof that a login already happened, so the platform has no reason to ask again.

What the attacker will do is anyone's guess; they could even wait to act. Some session tokens have lengthy expiration dates: we are talking months, sometimes even a year.

The point is they can now see and do virtually anything you could do on these accounts - they are now digitally you while the tokens last.
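To see how long a stolen cookie stays usable, read it off the cookie's own attributes. This is an added example, not the post's or any platform's code; the two Set-Cookie headers are constructed, one the way many sites used to issue them and one with the hardening attributes set.

```python
# Added example, not from the original post: read a Set-Cookie header to see how
# long a stolen cookie stays usable and which browser-side protections it lacks.
# Both sample headers are constructed; the cookie value is made up.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

# Constructed: a cookie that lives for a year and carries no protections.
LONG_LIVED = ("sessionid=9f8a7e6d5c4b3a2f; Path=/; "
              "Expires=Wed, 01 Jan 2025 00:00:00 GMT")
# Constructed: the same cookie, one hour lifetime, with the hardening attributes.
HARDENED = ("sessionid=9f8a7e6d5c4b3a2f; Path=/; Max-Age=3600; "
            "Secure; HttpOnly; SameSite=Lax")
# Fixed reference time so the output is reproducible.
REFERENCE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return attrs


def lifetime(attrs: Dict[str, Optional[str]], now: datetime) -> Optional[timedelta]:
    """Time the browser will keep the cookie, measured from `now` (UTC-aware).
    None means a 'session cookie': dropped when the browser exits, but alive
    for as long as the browser stays open, and copied out of the cookie store
    just as easily as a persistent one."""
    if attrs.get("max-age") is not None:
        return timedelta(seconds=int(attrs["max-age"]))   # Max-Age takes precedence
    if attrs.get("expires") is not None:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def audit(header: str, now: datetime) -> Dict[str, object]:
    """Missing protections and remaining validity (seconds) of one Set-Cookie."""
    attrs = parse_set_cookie(header)
    missing = [flag for flag in ("secure", "httponly", "samesite") if flag not in attrs]
    ttl = lifetime(attrs, now)
    return {
        "name": attrs["name"],
        "missing_flags": missing,
        "valid_for_seconds": None if ttl is None else int(ttl.total_seconds()),
    }


if __name__ == "__main__":
    for header in (LONG_LIVED, HARDENED):
        report = audit(header, REFERENCE_NOW)
        secs = report["valid_for_seconds"]
        days = None if secs is None else secs / 86400
        print(f"{report['name']}: missing {report['missing_flags'] or 'nothing'}, "
              f"valid for {days} days")
```

The attributes describe what the browser will do with the cookie. How long the server keeps honoring the token is a separate decision on its side, which may be shorter (idle timeouts) or longer, so treat this as the view from the cookie, not a guarantee.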

What can you do to be prepared?

We are humans and we can make mistakes, but you can better prepare for such a day by separating concerns.

This means:

Using multiple purpose-specific email accounts, and not staying signed in to the security-critical ones at all times. Hint: don't just close tabs - sign out. Closing a tab leaves the session token alive in your browser's cookie store; signing out asks the platform to retire it.

What are purpose-specific emails? Something like one for social interactions, one for finances and banking, one for your job and one for your side hustle. Separating responsibilities this way matters because controlling an email account usually means controlling every account that uses it for password resets.

Using separate devices, with different security criteria.
The one where you manage your finances probably shouldn't be the one you chat with people on or read memes on. Keep the one you do your job with separate too; your company should be one step ahead and already provide you with a device.

Asking for online, no-download versions when you receive digital files.
Online spreadsheets, slides, or docs get a stranger's message across just as well as the downloadable ones, without handing a file to the applications on your machine.

What can you do when the attack has already happened?

Use the "invalidate all login sessions" feature on the affected accounts, if the platform provides one. Then log out. If there is no such feature, change the passwords on the accounts and log out, then hope that the platform implemented this correctly: a password change only helps here if the platform revokes every existing session along with it, and not all of them do.
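For what "implemented correctly" means on the platform side, here is a minimal session store, added as an example and not any real platform's code. Everything in it (the in-memory store, the token format, the user) is constructed. The idea is a per-user session generation counter: every issued token records the generation it was issued under, "invalidate all sessions" bumps the counter, and a password change does the same, so tokens copied before that moment stop working even though the attacker still holds them.

```python
# Added example, not from the original post or any real platform: a minimal
# session store in which "invalidate all login sessions" and a password change
# both retire every previously issued token. Users, tokens and the store are
# constructed in memory for illustration.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000    # demo setting; tune (or use argon2/scrypt) in production


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    session_generation: int = 0    # bumped to retire every token issued so far


@dataclass
class Session:
    username: str
    generation: int                # the user's generation when the token was issued


class SessionStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}   # token -> session

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _check_password(self, user: User, password: str) -> bool:
        return secrets.compare_digest(user.password_hash, self._hash(password, user.salt))

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        """Issue a fresh random token bound to the user's current generation."""
        user = self.users.get(username)
        if user is None or not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self.sessions[token] = Session(username, user.session_generation)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the username if the token is still valid, else None."""
        session = self.sessions.get(token)
        if session is None:
            return None
        user = self.users[session.username]
        if session.generation != user.session_generation:
            del self.sessions[token]                # issued before the last invalidation
            return None
        return session.username

    def invalidate_all(self, username: str) -> None:
        """The 'invalidate all login sessions' button: O(1), no token list needed."""
        self.users[username].session_generation += 1

    def change_password(self, username: str, old: str, new: str) -> bool:
        user = self.users.get(username)
        if user is None or not self._check_password(user, old):
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = self._hash(new, user.salt)
        self.invalidate_all(username)   # the step a victim changing their password relies on
        return True


if __name__ == "__main__":
    store = SessionStore()
    store.register("alice", "correct horse battery staple")
    stolen = store.login("alice", "correct horse battery staple")   # the copied token
    print("stolen token works:", store.authenticate(stolen) is not None)
    store.change_password("alice", "correct horse battery staple", "new passphrase")
    print("stolen token works after password change:", store.authenticate(stolen) is not None)
```

The same generation check works for stateless tokens such as JWTs: put the generation into the token when it is issued and compare it with the user record on every request. That one extra lookup is the price of being able to revoke at all.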

Take further action if

  • The accounts are mission critical: contact the platform's support and highlight the security concern.
  • You know the exploit happened via a file: log back in only on an unaffected device. The device that opened the file is compromised until it is cleaned, and signing in on it again just hands the attacker a fresh set of tokens.
  • The exploit happened via an unsecured network: disconnect from that network.

Last but not least, does this happen in real life?

It does, all the time. Ask the YouTubers and social media influencers who get their accounts hijacked.

In this day and age we live in a world in which anything of value that can be hacked is hacked.

Personal cybersecurity starts with a mindset before technology. If you are not sure about your security practices, best to get professional advice.

p.s. If you liked this content you may also be interested in my earlier post: Personal Cybersecurity - a Practical Advice

No AI has been used in the creation of the content above.
