In a recent Reuters article, Italian security researcher Rosario Valotta described a new 0-day attack on Microsoft’s IE browser, that he’s named “Cookiejacking”. The main idea of Cookiejacking has actually been around for several years now – better known names for this technique are “side-jacking” or session hijacking; however what Rosario has discovered is a new delivery for this attack that is based on social engineering users to help the attacker exploit a bug in IE.
According to the report, the vulnerability affects all versions of Internet Explorer, including IE 9, on every version of the Windows operating system and to exploit the flaw, the hacker must persuade the victim to drag and drop an object across the PC’s screen before the cookie can be hijacked.
The researcher cited an example where he used social engineering in the form of a puzzle, to entice users to “undress” a photo of an attractive woman. For those of you interested in reading the full details of the attack, you can find it here.
I believe that Microsoft intentionally played down the severity of this malicious technique – possibly to avoid worrying users, or possibly owing to lack of expert knowledge. According to the media report, Microsoft spokesman Jerry Bryant said:
“Given the level of required user interaction, this issue is not one we consider high risk”.
“In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into,” Bryant said.
Unfortunately, this statement is not entirely accurate.
- People visit malicious sites all the time. The Trend Micro Smart Protection Network infrastructure blocks on average 13 million attempts by users, to access malicious sites every day.
- Social engineering a drag is easy, and scams like FakeAV and the various Facebook JavaScript copying attacks prove this works easily. Social Engineering is arguably the number 1 tactic used by criminals, in their malicious attacks.
- There are always going to be cookies on the machines. I do not believe the average user clears their cookies even weekly, let alone each day.
Their advice – that this issue is not to be taken seriously and does not pose high risk – is misguided. Such comments could lead non-technical users to think that visiting malicious websites is unlikely, and could lead other users to think that they won’t be duped or compromised just by visiting a malicious website.
The vast majority of attacks are now hidden from view – you may not know that something malicious is taking place, and even the result of user interaction may not throw up any obvious problems. Social engineering tactics are often subtle, devious and emotive – that’s why they are successful and regularly used by attackers.
My advice – always be mindful of online hazards – if you remain cautious, it might just save you from becoming the next victim.
(Thanks to Senior Threat Researcher, Paul Ferguson, for his input on this issue.)
Leave a reply
