
What is old will be new again

There has been a lot of focus this week on session-token theft and on IP restrictions to help mitigate stolen session tokens.

I see that as a useful belt+suspenders approach right now – but I’m reminded that many years ago, when we started making significant progress against phishing, attackers moved to malware and session theft, and then ultimately to Man-in-the-Browser (MitB) attacks. Short-lived session tokens like the ones used at financial institutions weren’t very useful to steal – so attackers just got persistence on end-user devices instead. https://en.wikipedia.org/wiki/Zeus_(malware)

For enterprises the battle here isn’t against session theft per se – it is against malware. Attackers are going to – just like they did last time – migrate to more real-time exploitation and use of sessions rather than stealing cookies and reselling them in an ecosystem.

The recent session theft attacks should be a wake-up call to folks not just to look towards better session cookie protection (https://blog.chromium.org/2024/04/fighting-cookie-theft-using-device.html) but also to ensure that you’re tackling your malware exposure because attackers aren’t going to give up once session tokens are hard to steal – they’re just going to modify the malware that is today stealing session tokens to instead do exactly what Zeus did before.

This is a Security Bloggers Network syndicated blog from Security Retentive authored by Andy Steingruebl. Read the original post at: http://securityretentive.blogspot.com/2024/06/what-is-old-will-be-new-again.html