Is your password “Swifty1234”? If so, you’re in good company. Passwords are a constant problem for both organizations and users. Users and employees are strongly motivated to pick passwords that are easy to remember, and that same drive works against organizations, whose security teams know that stronger password policies help protect accounts.
Even strong passwords do not fully protect an account. Recent reports found over 1.38 billion compromised passwords traded on the darknet during 2023, and, as in previous years, variations of “123456” remain common.
The problems with passwords drive interest in newer authentication methods such as passkeys, a form of passwordless authentication. Passkeys are growing in popularity and protect against the phishing attacks that lead to account takeover in a way passwords cannot. They are straightforward to deploy and tend to be user-friendly. A passkey ties a cryptographic key pair, held in hardware or in software-protected storage on the user’s device, to a specific account: the service stores the public key, the private key never leaves the device, and signing in means signing a fresh challenge from the service with that private key. Because the signed data includes the web origin the browser is actually connected to, a look-alike phishing site cannot reuse the response, and proof of access to the key replaces the password.
Passkey adoption is increasing. Since 2022, consumer passkey awareness has increased by 13%, and 1Password, Google, and PlayStation now offer passkey sign-in for user accounts. This is good news for consumer account protection.
Passkeys improve on passwords but do not fully solve account takeover. Criminals are savvy and watch the moves organizations make to secure accounts; sometimes they are ahead of the trend. That is the case with passkeys: criminals can sidestep the protection a passkey offers by never touching the login step at all.
A little over a decade ago, MFA was the major push. People wanted to see MFA everywhere. This accomplished a lot and remains a positive layer in user and organizational defenses. But cybercriminals watch as technology changes are rolled out; they do not sit idle. Against MFA, the criminals were after access, not credentials. Why not go after the access tokens, such as session cookies, directly? Why not hijack established sessions? Of course, that is exactly what they did.
To get at those tokens, malware became the preferred path, and infostealer malware became the standard way to grab them. Infostealers are typically installed on a victim’s device through a successful phishing lure or a malicious website. Once installed, the infostealer harvests usernames and passwords, credit card numbers, banking details and more.
The PII stolen by infostealers is not the only data criminals are after. Infostealer logs also carry, in their main directory, a file called cookies.txt: a dump of the cookies held by the victim’s browser. The theft of cookies is prolific. According to SpyCloud’s 2024 Identity Exposure Report, over 20 billion cookie records were recaptured from the darknet in 2023, averaging over 2,000 exposed records per infected device.
With these cookies in hand, criminals carry out session hijacking attacks. The attacker loads the stolen cookie records into an anti-detect browser, which also spoofs the victim’s browser fingerprint, and digitally impersonates the legitimate user, gaining access to corporate information and networks.
These attacks sidestep the authentication process entirely, passkeys included: the web application sees a valid session and never asks for a credential. They are also hard to spot, since there is no failed login or other immediate sign of account compromise. Because the attacker’s traffic looks like the user’s own session, attackers can often stay undetected within web applications for extended periods.
Cookie compromise poses a significant threat to businesses. An attacker holding a still-valid cookie for a corporate resource can read sensitive corporate information, which leads to costly incidents and reputational damage. Corporations may believe that passkeys and password complexity requirements protect them from this. They do not.
The reality of tactics like session hijacking is that the responsibility to solve them falls on organizations, because users cannot. Much of the time, users will not even know that a compromise has happened. Organizations should respond to account access problems on behalf of their users to protect them from harm.
Part of addressing the problem on behalf of users is recognizing that the usual response to malware is insufficient. Existing malware remediation playbooks focus on cleaning the device. That is necessary, but it is shortsighted where infostealers are concerned: the data has already been exfiltrated and is primed to be sold or traded on the criminal underground, if it hasn’t been already. Reimaging the laptop does not invalidate the cookies that left it.
Organizations strive to stay ahead of criminals. As the saying goes, an ounce of prevention is worth a pound of cure. Moving to a proactive stance that uses compromised cookies recaptured from the criminal underground positions organizations to avoid incidents: a security team with visibility into compromised cookies and other identity data can terminate the matching sessions before the criminal uses them.
Criminals find ways to keep pace with every technology advance, and that seems destined to persist. To beat them, businesses need to depend on experts who understand the moves criminals are making and have insight into, and access to, the data criminals use to compromise networks. Adding a post-infection remediation plan to incident response playbooks, one that invalidates exposed sessions and resets exposed credentials rather than stopping at the device, will reduce the impact of infostealer compromise. Protecting those who can’t protect themselves will help ensure users remain confident in your brand, protect your enterprise and minimize the success of criminal actors.