Pre-Hijacking Attacks on Social Media Accounts | Avast

A new paper by the Microsoft Security Response Center explains account pre-hijacking, where attackers open an account with the victim’s email address then lie in wait for the victim eventually to join the site. Once the victim joins the site and breathes life into the account, the attacker takes full control, icing out the victim from their own account. Researchers noted five variations of this attack: the classic-federated merge attack, the unexpired session identifier attack, the trojan identifier attack, the unexpired email change attack, and the non-verifying IDP attack. For more on each, see Bleeping Computer. 

“These are very smart techniques, taking advantage of weak security implementation in certain websites,” commented Avast Security Evangelist Luis Corrons. “Nevertheless, although the problem is not on the user’s side, there is something we can do to avoid these kinds of attacks: always enable multi-factor authentication.” By requiring two methods to access your account, MFA keeps the user in control.

Zola gift registry accounts hacked

Wedding gift registry Zola acknowledged in a tweet that hackers hijacked the accounts of several users. The news first came to light a few days ago when Zola users began posting on social media about the account takeovers and multiple attempts by the criminals to make purchases using the victims’ info. The hackers used credential stuffing to access the accounts, but credit card and bank information were fortunately not exposed. “As a matter of practice, cash funds have always been held in a protected, separate account,” a Zola spokesperson told TechRadar. As a result of the breach, Zola reset all user passwords.

Digital driver’s license forgeries not difficult

A security researcher discovered flaws in the New South Wales digital driver’s license (DDL) system that allow easy-to-execute forgeries. The Australian state began using the DDL system in 2019, giving citizens the option to show proof of identity and age at roadside police checks, bars, stores, hotels, and other venues. The only attack needed to breach the DDL system’s security is a brute force of the four-digit pin, of which there are only 10,000 combinations. Once the hacker is in and has changed the information on the driver’s license, the DDL will still pass all security checks because the data stored locally is never checked against the backend database. For more on this story, see Ars Technica.

Ransomware Task Force reminds gov there’s more work to do 

A year after the Ransomware Task Force provided a comprehensive framework for action to combat ransomware, the group reflected in a new paper on what has been accomplished and what still needs to be addressed. The task force is composed of more than 60 companies and organizations across government, nonprofits, and the private sector. Last May, the group made 48 recommendations for tackling the ransomware problem. Of those 48, 12 have seen tangible progress, 29 have seen initial steps taken, and seven have seen no action at all. For more on this story, see Cyberscoop.

Zoom patches flaw allowing remote code execution

A Google Project Zero researcher found a number of holes in the Zoom client that could potentially allow attackers to launch remote code execution, but Zoom has patched the problem with version 5.10.0. “User interaction is not required for a successful attack,” the researcher wrote. “The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol.” By using a specially crafted message, attackers could get Zoom clients to connect to a man-in-the-middle server that pushed a 2019 version of the Zoom client. For more, see ZDNet.

This week’s must-read on the Avast blog 

While some refugees are able to grab identity documents upon being forced to flee their countries, others are left with no proof that they are who they say they are. Can digital identity help with the global refugee crisis?