Thieves stealing cookies

News Summary:

  • According to a Sophos analysis, the attack technique is spreading, and the “cookie-stealing cybercrime spectrum” includes both “entry-level crooks” and more experienced adversaries.

  • To bypass multi-factor authentication, attackers are stealing cookies from recent or still-active web sessions.

Cybercriminals either harvest cookies themselves or buy stolen credentials “in bulk” on dark web forums. Ransomware gangs collect cookies as well, and according to the Sophos report, “their operations may not be detected by standard anti-malware defences due to their misuse of legal executables, both already present and brought along as tools.”

Behind the scenes, browsers store cookies in SQLite database files. Each cookie is a key-value pair, and the values frequently carry sensitive data such as expiration dates and session tokens.

Browsers let users stay authenticated, remember their passwords, and autofill forms. Convenient as this is, attackers can abuse the same stored data to take passwords and skip the login challenge altogether.

Adversaries know the exact name and location of these files on each operating system for every popular browser, including Chrome, Firefox, and even Brave, so the attack can be scripted in advance. Such scripts are often bundled into information-stealing malware alongside other modules.

The latest iteration of the Emotet botnet targets cookies and browser-saved credentials, including credit card details. Sophos researchers note that the Google Chrome browser “uses the same encryption mechanism to store both credit card data and cookies for multi-factor authentication.”

Attackers also gain initial access through phishing and spear-phishing campaigns that plant droppers, which then covertly deploy cookie-stealing malware.

The stolen cookies are then used for post-exploitation and lateral movement. Cybercriminals can use them to change account passwords and the associated email addresses, to lure users into downloading further malware, or to launch other exploitation tools such as Cobalt Strike and the Impacket kit.

Cookies should therefore have a short shelf life; otherwise persistent authentication can turn into a persistent threat. Even with good security practices, you can still be compromised if cookies lack the required flags (e.g., the HttpOnly and Secure attributes). For instance, authentication cookies must be sent only over SSL/TLS channels; otherwise the data travels in plain text, and an attacker who sniffs network traffic can intercept the credentials.
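The two defensive points above, short cookie lifetimes and the HttpOnly/Secure attributes, can be checked mechanically on the `Set-Cookie` headers an application emits. The following audit script is an added example written for this page; it is not code from the article or from Sophos. The eight-hour lifetime threshold and the two sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for the hardening attributes discussed above.

Added example, not part of the original article. The lifetime threshold and
the sample headers at the bottom are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Assumption: a session cookie should not remain valid longer than this window.
MAX_SESSION_LIFETIME = timedelta(hours=8)


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into its name/value pair and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_set_cookie(header: str, now: Optional[datetime] = None) -> list:
    """Return a list of findings for one Set-Cookie header; an empty list means it passes."""
    now = now or datetime.now(timezone.utc)
    attrs = parse_set_cookie(header)["attrs"]
    findings = []

    # Secure: the cookie must only travel over TLS, never in plain text.
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    # HttpOnly: keep the cookie out of reach of page scripts.
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    # SameSite: limit the cookie to same-site requests.
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie sent on cross-site requests")

    # Lifetime: a long-lived cookie keeps a stolen session valid for just as long.
    lifetime = None
    if "max-age" in attrs:
        try:
            lifetime = timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            findings.append("unparseable Max-Age")
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = expires - now
        except (TypeError, ValueError):
            findings.append("unparseable Expires")
    if lifetime is not None and lifetime > MAX_SESSION_LIFETIME:
        findings.append(
            f"lifetime {lifetime} exceeds {MAX_SESSION_LIFETIME}: a stolen cookie stays valid too long"
        )
    return findings


# Constructed sample headers: a weak cookie beside a hardened one.
WEAK_HEADER = "session=abc123; Path=/; Max-Age=2592000"
HARDENED_HEADER = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=3600"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(f"{label}: {audit_set_cookie(header) or ['ok']}")
```

Running the script reports four findings for the weak cookie (no Secure, no HttpOnly, no SameSite restriction, and a 30-day lifetime) and none for the hardened one. The lifetime check treats `Max-Age` and `Expires` the same way, so it also catches cookies that are hardened in every other respect but never expire in practice.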