Crumbling Cookies: Session Cookies Used to Attack Companies

A lot of people have the concept that all cookies are bad. That’s simply not true. Many are useful and some are actually necessary. The cookies people think are bad are the ones that are used for marketing and for the most part, they can be blocked.

Do you really want to type in your password every time you visit a familiar site? Do you want to be repeatedly asked what language you prefer or if you want your location remembered so you can get news and weather that’s more targeted to your needs? Is it helpful to see what websites you’ve visited in the past? To get these features during browsing, you’d probably want to keep these preference cookies.

Statistical cookies, for your personal use, can also be helpful. If you have a website and need to know how visitors are using it, you need them to accept statistical cookies. The same cookies can remember how you used particular sites so that browsing them can be quicker and more efficient. Generally, you can opt out of these without ruining your browsing experience. Some sites, however, need these cookies to operate well.

Again, you can opt out of many cookies if you want to maintain ultimate privacy and browsing safety, but you cannot opt out of all cookies. The cookies you cannot opt out of are called session cookies. If you want to use some sites, like a banking site, you simply have no choice but accept a session cookie. This is not a bad thing. In fact, it is a method that is used to insure your safety. It is also convenient because without a session cookie that is used to identify you, you would have to sign in for every page you used on a website. Session cookies preserve your identity so that you can use the different pages of the site and the site believes it is you doing so. The authentication of the user may include other factors such as time zone and IP address. Graphically, the process looks like this.

All of this is well and good, but can you imagine what would happen if someone was somehow able to get control of your session cookie? Herein lies the problem.

On July 12th, Microsoft announced that they had uncovered a large scale phishing campaign that had targeted over 10,000 companies since last September. And, you guessed it; part of the attackers’ arsenal was the use of stolen session cookies. In this complex attack on businesses and organizations, the criminals were able to bypass multi-factor authentication (MFA) by gaining control of session cookies. I’ll try to break this attack down into its components because it is somewhat convoluted.

The attack vector used in this attack is sometimes called the ‘Adversary-in-the-Middle’ (AiTM) attack. In this case, the ‘middle’ is a proxy server between the potential victim and the website they want to visit. The attacker uses this proxy server that hosts a phishing site to relay all the information it receives to the real site so that the real site thinks it is authenticating the actual user. When information from the real site is sent back to the user, it is also filtered through the proxy server. So when the victim signs in on the phishing site, that information is relayed to the actual site which authenticates it. In the diagram below, the actual site might ask for MFA, such as a SMS code sent to a smartphone. But this code will be sent through the proxy server as well. When the target site receives the code, it completes the user authentication and sends the user back a session cookie. This time, however, the user doesn’t receive the cookie. The attacker does. And when the attacker has this cookie, they are, then, authenticated to use the site any way they like. They can, for example, transfer money to their own account. The attackers will simply send the user on to some other page. If a bank was the user’s original goal, the attackers will often send them to the bank’s homepage. This may confuse the user who may think that something went wrong and they simply sign in all over again. But, by then, the damage has been done.

This attack has been used to hijack business communications to commit fraud. Of course, it has to begin in some way. After all, they’ve got to lure the target to their proxy server through a phishing site. To no one’s surprise, this is done through a phishing email. Microsoft points to one email with a voice message attachment.

 Opening the attachment will bring up a fake download message.

Without going into too many details, the victim would eventually be sent to a fake Microsoft Azure sign-in page and, when they signed in, they were sent on to the real site by the attackers who had already stolen their credentials and gotten authenticated by the site. They were then able to gain access to the target’s Outlook email account by using the same sign-in credentials and read through the victim’s emails to determine where and how they could commit payment fraud in order to get money. This often meant finding an email thread that was discussing payments. The attackers would take over the thread, pretending to be the original user. They would avoid detection by having all emails from the potential fraud victim marked as ‘read’ when they arrived in the inbox. The attackers also deleted all of the emails they sent to the target. This would prevent the actual owner of the email from seeing what was going on. To further hide their activities, they deleted their original phishing email as well. They would continue corresponding with their targets until the target transferred money into their account. In some cases, the attackers used the email access to perform multiple fraud attacks. It all depends on the position the victim held in the company.

These attacks can be surprisingly effective and may cost the company significant monetary loss as well as a loss in reputation. In addition, the compromised company may be sued by companies in their supply chain who lost money from this attack. The cost of such attacks can be seen in a report released in May by the F.B.I. Such attacks are referred to as BEC (Business Email Compromise) scams.

Yes, $43 billion dollars is a sizeable amount.

Microsoft gives a number of ways to mitigate the attack but, it seems to me that many of these could be bypassed as the attackers fine-tune their scam. In fact, the easiest way to stop these attacks is by looking at the original message in the phishing email. An example given by Microsoft looks as follows,

What’s with all the hyphens? Hyphens are often used by scammers to bypass spam filters and this might be the case here. In other words, if you get a message with a lot of misplaced hyphens, be suspicious. Also, check the URL of the site you are sent to by any email. It may even look similar to the target site so be careful.

The good news is that Microsoft Edge users will get a message if a session cookie is being misused.

It’s not clear to me if other browsers supply such protection but, if not, they will probably now be working on it.

Since these attacks can be big money makers, it’s unlikely they’ll go away soon. More likely than not, they will just become more sophisticated. The bad news for any enterprise is that AiTM phishing toolkits are available for free online. Protecting your company from the initial attack will be far easier than protecting it from a supply chain attack that comes from a valid email connection. It never hurts to check with the person you are dealing with through another means, like a phone call, if you have any suspicions at all. And in the cyber world, you really can’t be paranoid enough.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s