Account Hijacking Studies: Attacks & Defenses

A selection of web security research papers that can broadly be linked to the wide field of account takeovers.

Account Pre-Hijacking Attacks: Security Failures in User Account Creation

“The ubiquity of user accounts in websites and online services makes account hijacking a serious security concern. Although previous research has studied various techniques through which an attacker can gain access to a victim’s account, relatively little attention has been directed towards the process of account creation.”

In this study, Avinash Sudhodanan and Andrew Paverd show that there is an entire class of Account Pre-Hijacking Attacks in the wild that exploit high-severity vulnerabilities. The crux: “The distinctive feature of these attacks is that the attacker performs some action before the victim creates an account, which makes it trivial for the attacker to gain access after the victim has created/recovered the account.”

Five specific attacks are described, each with a corresponding case study.

Read the Paper (PDF)

Hack for Hire: Exploring the Emerging Market for Account Hijacking

In this paper, security researchers from the University of California and Google “study a segment of targeted attackers known as ‘hack for hire’ services to understand the playbook that attackers use to gain access to victim accounts.”

If you ever wanted insights into the commercial account hijacking ecosystem and the techniques criminals employ, have a read!

Read the Paper (PDF)