Microsoft team discovers malicious cookie-forwarding scheme
- 03 February, 2012 06:30
Microsoft researchers checking how easy it is to identify users by analyzing commonly collected Web-log data incidentally discovered a cookie-forwarding scheme that can be used to aid session hijacking.
If put into play, the scheme could clandestinely forward stolen session cookies to individual zombie machines in botnets that could use them to gain unauthorized access to Web sites, according to their research paper "Host Fingerprinting and Tracking on the Web: Privacy and Security Implications".
Using data about hundreds of millions of devices that connected to Hotmail during August 2010, the researchers found a certain percentage that connected from more than one Internet Autonomous System (AS) - a large collection of related IP addresses, usually under the control of a large organization such as a service provider, corporation or university.
By tracking the cookies that Hotmail issued to these devices, the researchers concluded that most of the devices were legitimate and were likely mobile or using VPNs, hence the changing location of their IP addresses.
But they also found a small group of cookies exhibiting abnormal behavior. A single IP address in Denmark was logging into a large number of Hotmail accounts. The Hotmail cookies sent to those users were then being reused to gain access from IP addresses in multiple ASs in the U.S., apparently having been shipped to those IP addresses via a covert channel, the researchers say.
The Hotmail accounts being logged into were all created on the same day, with the same user age, location data and scripted naming patterns. The researchers concluded they were bot user accounts.
They had two possible explanations for these activities. First, some Web mail providers flag an account as suspicious if it logs in from multiple geographic locations in a short time span. Cookie forwarding could circumvent that check: spreading the cookies around could let attackers access accounts without explicitly logging in, thereby reducing the likelihood of detection.
Second, attackers may be using the bot accounts and cookie forwarding to see how effectively they can gain access to accounts in general, as preparation for using the method against real users and real accounts.
The researchers say analyzing mobility patterns by using anonymized data gathered from service providers can be a valuable method of detecting this type of stealthy attack.
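As an illustration of the pattern described above (one IP address logging into many accounts, with the resulting cookies then reused from several other ASs), here is a detection sketch over anonymized log records. It is an added example, not code from the researchers' paper; the record layout, the thresholds, and the sample events are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (cookie_id, account, event, ip, asn).
# "login"  = password login that issued the cookie
# "cookie" = later request authenticated by that cookie alone
# IPs and AS numbers come from documentation-reserved ranges.
EVENTS = [
    # One IP logs into several accounts; cookies resurface in other ASs.
    ("c1", "bot001", "login", "198.51.100.7", 64500),
    ("c1", "bot001", "cookie", "203.0.113.10", 64501),
    ("c1", "bot001", "cookie", "203.0.113.77", 64502),
    ("c2", "bot002", "login", "198.51.100.7", 64500),
    ("c2", "bot002", "cookie", "192.0.2.15", 64503),
    ("c2", "bot002", "cookie", "203.0.113.12", 64501),
    ("c3", "bot003", "login", "198.51.100.7", 64500),
    ("c3", "bot003", "cookie", "192.0.2.99", 64503),
    ("c3", "bot003", "cookie", "203.0.113.80", 64502),
    # Mobile user: one account roaming between ASs, login IP not shared.
    ("c4", "alice", "login", "192.0.2.200", 64510),
    ("c4", "alice", "cookie", "198.51.100.200", 64511),
    ("c4", "alice", "cookie", "203.0.113.200", 64509),
    # Shared NAT: many accounts behind one IP, cookies stay in the same AS.
    ("c5", "u1", "login", "192.0.2.50", 64505),
    ("c5", "u1", "cookie", "192.0.2.50", 64505),
    ("c6", "u2", "login", "192.0.2.50", 64505),
    ("c6", "u2", "cookie", "192.0.2.51", 64505),
    ("c7", "u3", "login", "192.0.2.50", 64505),
    ("c7", "u3", "cookie", "192.0.2.50", 64505),
]

def find_forwarded_cookies(events, min_accounts=3, min_foreign_asns=2):
    """Flag cookies issued at a many-account login IP and reused in other ASs.

    Both thresholds are illustrative assumptions, not values from the paper.
    """
    issuer = {}                         # cookie -> (login ip, login asn)
    accounts_by_ip = defaultdict(set)   # login ip -> accounts logged in there
    reuse_asns = defaultdict(set)       # cookie -> ASNs of cookie-only requests
    for cookie, account, event, ip, asn in events:
        if event == "login":
            issuer[cookie] = (ip, asn)
            accounts_by_ip[ip].add(account)
        else:
            reuse_asns[cookie].add(asn)
    flagged = {}
    for cookie, (ip, asn) in issuer.items():
        foreign = reuse_asns[cookie] - {asn}   # ASs other than the login AS
        if len(accounts_by_ip[ip]) >= min_accounts and len(foreign) >= min_foreign_asns:
            flagged[cookie] = {"login_ip": ip, "foreign_asns": sorted(foreign)}
    return flagged
```

Requiring both signals together is what separates the bot cluster from the roaming user (many ASs, but a login IP used by one account) and from the shared NAT (many accounts, but no reuse outside the login AS).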