Session Hijacking Takes Control of Your Accounts. Here’s How
Don’t let the bad guys have their way with your account.
A computer session, in everyday terms, is a temporary interaction you have with a website. For example, the time between logging into your bank account and logging off once your transaction is done is one session.
During a session hijacking, a malicious hacker places himself in between your computer and the website’s server (Facebook for instance), while you are engaged in an active session.
At this point, the malicious hacker actively monitors everything that happens on your account, and can even kick you out and take control of it.
The biggest advantage of session hijacking for the attacker is that he can enter the server and access its information without having to break into a registered account. In addition, he can make modifications on the server that help him hack it in the future, or that simplify a data stealing operation.
How computer sessions work:
The underlying technology that governs how websites and computers communicate with each other is called the TCP/IP protocol, short for Transmission Control Protocol / Internet Protocol.
Session hijacking is possible because of limitations in TCP/IP, which cannot be easily fixed due to how widespread and entrenched it is. Instead, security layers are added on top of this tech to limit and nullify the threat.
Most session hijacking methods focus on two aspects: the SessionID and the session sequence number.
As you can guess, the SessionID is basically the “name” of a particular session. For instance:
- Your Facebook session might have the SessionID 1233vs%fav.
- Your Amazon session might have the SessionID 684s`9lbd.
The session sequence number requires a slightly longer explanation, so you can skip this and go straight into the attack methods.
Your computer and the website server send information to each other by using data packets.
For instance, a website will break down an image into 4 data packets and then send them to your computer. Your computer then reassembles them in order to obtain the image.
But how does a computer / server know how to reassemble the data packets?
This is where the sequence number comes in. In essence, it is a number assigned to each data packet so the receiving device knows the order used to reassemble the data.
Basically, it would look something like this:
- Data packet A has the sequence number of 3.
- Data packet B has the sequence number of 7.
- Data packet C has the sequence number of 11.
How session hijacking works
Big websites and servers with many connected computers and visitors are the ideal targets for session hijacking, because the attacker can blend in with the great amounts of traffic and stay hidden in the background.
Forums, banking websites and online shops are all viable, and profitable, targets.
Active and passive attacks
During an active session attack, the malicious hacker stops the PC from communicating with the server, and then takes its place within the session.
From this point onwards, the malicious hacker can do anything a regular user would do. If it was an email account, he could change its password, delete emails, write emails, copy and download attached files, or recover other accounts connected to it.
During a passive session hijacking, the attacker quietly monitors the data flowing across the network. An attacker chooses this kind of attack in order to stay hidden and not raise suspicion. Ideally, he will look for passwords, user names, credit card details and more.
Of course, nothing stops the passive attack from morphing into an active one if there is an unexpected opportunity the malicious hacker can profit from.
TCP sequence prediction attack
This hijacking method requires the attacker to guess the sequence numbers of data packets sent between the victim’s computer and the server.
The attacker then creates his own data packets, stamps them with those sequence numbers, and sends them to the server, effectively tricking the server into thinking the packets come from the real computer.
However, an incorrect guess of the sequence number can result in the server sending a reset packet, which restarts the connection from scratch. In other cases, the server might end the session entirely.
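The two points above, reassembly by sequence number and the rejection of a packet whose sequence number was guessed wrongly, can be seen in a small simulation. This is an added example, not code from the original article: a toy receiver (the `Receiver` class, the `WINDOW` size and the constructed 16-byte "image" are all assumptions made here) that accepts data only when its sequence number falls inside the window it currently expects, and starts counting from a randomly chosen initial sequence number so the window is hard to predict.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int      # sequence number of the first byte carried by this segment
    data: bytes


def split_into_segments(payload: bytes, isn: int, size: int) -> list:
    """Carve a payload into segments, numbering them from the initial sequence number (ISN)."""
    return [Segment(isn + i, payload[i:i + size]) for i in range(0, len(payload), size)]


def reassemble(segments: list) -> bytes:
    """Reorder segments by sequence number and concatenate, as a receiver does."""
    return b"".join(s.data for s in sorted(segments, key=lambda s: s.seq))


class Receiver:
    """Toy receiver with a receive window (assumption: a fixed 4096-byte window).

    A segment is buffered only when its sequence number lies inside the window
    starting at the next byte the receiver expects; anything else is dropped.
    Choosing the ISN with secrets.randbits() keeps that window hard to guess.
    """

    WINDOW = 4096

    def __init__(self, isn=None):
        self.next_expected = secrets.randbits(32) if isn is None else isn
        self.buffer = {}       # out-of-order segments waiting for the gap to be filled
        self.delivered = b""
        self.dropped = 0

    def receive(self, seg: Segment) -> bool:
        """Return True if the segment was inside the window and accepted."""
        lo, hi = self.next_expected, self.next_expected + self.WINDOW
        if not (lo <= seg.seq < hi):
            self.dropped += 1          # a real stack would answer with a reset or ignore it
            return False
        self.buffer[seg.seq] = seg.data
        # deliver every contiguous chunk that is now available
        while self.next_expected in self.buffer:
            chunk = self.buffer.pop(self.next_expected)
            self.delivered += chunk
            self.next_expected += len(chunk)
        return True


def simulate(isn: int = 1000) -> dict:
    """Deliver a four-segment 'image' out of order, then present a forged segment
    whose sequence number was guessed wrongly (constructed sample data)."""
    image = b"IMG:" + b"A" * 12
    segs = split_into_segments(image, isn, 4)          # 4 segments of 4 bytes each
    rx = Receiver(isn)
    for s in [segs[2], segs[0], segs[3], segs[1]]:     # segments arrive out of order
        rx.receive(s)
    forged = Segment(isn + 10**6, b"EVIL")             # guess far outside the window
    forged_accepted = rx.receive(forged)
    return {
        "reassembled": rx.delivered,
        "order_independent": reassemble(segs) == image,
        "forged_accepted": forged_accepted,
        "dropped": rx.dropped,
    }


if __name__ == "__main__":
    print(simulate())
```

Run it and the forged segment is dropped while the out-of-order legitimate segments still reassemble into the full image. The takeaway for the defender is the one the article makes: the protection comes from the attacker not knowing where the window sits, which is why modern operating systems randomise initial sequence numbers.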
Session side jacking
Session side jacking takes advantage of an open, unencrypted communications channel to look for a session ID or token. Typical targets of these attacks are unsecured Wi-Fi connections. Using a sniffing device or software such as Wireshark, the attacker scans incoming and outgoing traffic, looking for the session token.
Sites without an SSL certificate are also exposed to this kind of attack, since they don’t encrypt data sent between computer and server. You can tell whether a site uses SSL by looking at the page URL and checking that it starts with https://. The “S” stands for “secure”.
Session fixation
During a session fixation attack, the attacker wants you to access your account with a Session ID of his choosing.
Let’s say the attacker wants to obtain the money you have in your bank account, at www.example.com .
He will then send you a phishing email or text message, talking about some promotional offer at the bank, or that you need to reset your password, together with a link.
The link does point to your bank’s login page, but it also carries the SessionID the malicious hacker wants you to use: www.example.com/?SessionID=I_want_your_money.
By logging into your account from this link, you let the malicious hacker “fix” your Session ID to “I_want_your_money”. He can now use it to access your account at the same time as you, and empty it of any money or perform any other operation.
Cross Site Scripting
Many websites and web applications have software vulnerabilities that allow a malicious hacker to infect them with malicious scripts. When a user visits or does a certain action on infected websites, the scripts activate.
In the case of session hijacking, the malicious script reads the visitor’s session ID or cookie and sends it to the malicious hacker.
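Both the side jacking section and the cross site scripting section come down to the same check a defender can make on the session cookie a site issues: the `Secure` flag keeps the browser from ever sending it over plain HTTP (where a sniffer on open Wi-Fi would see it), and `HttpOnly` keeps injected scripts from reading it through `document.cookie`. The small auditor below is an added example, not code from the original article; the header strings it checks are constructed samples, and treating a missing `SameSite=Lax/Strict` as a finding is a choice made here.

```python
from urllib.parse import urlparse


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into its name, value and attributes.
    Attributes without a value (Secure, HttpOnly) are stored as True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header: str, page_url: str) -> list:
    """Return the weaknesses that would let the cookie be captured by a sniffer
    on an unencrypted channel or by a script injected into the page."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("page served over plain HTTP: cookie and data travel in clear text")
    if "secure" not in attrs:
        findings.append("missing Secure: browser will also send the cookie over http://")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: document.cookie exposes it to injected scripts")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    return findings


# Constructed sample headers, not taken from any real site.
WEAK = "SessionID=684s9lbd; Path=/"
HARDENED = "SessionID=684s9lbd; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for label, header, url in [("weak", WEAK, "http://shop.example"),
                               ("hardened", HARDENED, "https://shop.example")]:
        print(label, audit_session_cookie(header, url) or "no findings")
```

In practice you would feed it the `Set-Cookie` lines copied from the browser's network panel or from a `curl -I` response; a session cookie that produces no findings cannot be read by page script and never leaves the browser unencrypted.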
Browser hijackers can steal information saved in your cookies, including the Session ID, and then use that to conduct unauthorized actions on your computer. For instance, the hijacker might install programs, browser toolbars or simply siphon your private information.
Brute-forcing the Session ID
One of the more inelegant and ineffective ways of taking control of a session is to simply guess the SessionID.
Depending on how long a Session ID is, a persistent attacker can guess it by using a brute-force attack.
This means he will bombard the server with thousands, or tens of thousands of requests, hoping that one of these is the ID he is looking for.
Against smaller, and more insecure websites, this type of attack is feasible, since the technical infrastructure isn’t always present to preempt this type of threat.
Bigger websites, on the other hand, are better equipped to deal with this threat, since their IDs are longer and they have other built-in security features, such as IP blocking.
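The two defences named above, a longer ID and blocking clients that guess, can be put in numbers. This is an added example, not code from the original article: it estimates how long a guessing campaign would take for an ID of a given size, generates an ID of adequate size, and runs a simple detection over constructed log lines (the `<ip> <status> <reason> sid=<id>` format and the threshold of 50 rejects are assumptions made here) to find the client the text describes, the one bombarding the server with invalid IDs.

```python
import math
import secrets
from collections import defaultdict


def generate_session_id(nbytes: int = 32) -> str:
    """CSPRNG-backed ID; 32 bytes = 256 bits, far beyond any brute-force budget."""
    return secrets.token_urlsafe(nbytes)


def id_bits(alphabet_size: int, length: int) -> float:
    """Entropy of an ID drawn uniformly from alphabet_size^length possibilities."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float, active_sessions: int) -> float:
    """Random guesses needed, on average, before hitting *any* active session:
    each guess succeeds with probability active_sessions / 2**bits."""
    return 2 ** bits / active_sessions


def seconds_to_brute_force(bits: float, active_sessions: int, requests_per_second: float) -> float:
    return expected_guesses(bits, active_sessions) / requests_per_second


def detect_session_guessing(log_lines, threshold: int = 50) -> list:
    """Count responses that rejected an unknown session cookie per client IP and
    return the IPs at or above the threshold: the input for the 'IP blocking'
    the text mentions."""
    rejects = defaultdict(int)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue                      # ignore malformed lines
        ip, status, reason = fields[0], fields[1], fields[2]
        if status == "401" and reason == "invalid_session":
            rejects[ip] += 1
    return sorted(ip for ip, n in rejects.items() if n >= threshold)


# Constructed sample log: one client cycling through 6-digit IDs, two normal clients.
SAMPLE_LOG = (
    [f"203.0.113.7 401 invalid_session sid={i:06d}" for i in range(60)]
    + ["198.51.100.4 200 ok sid=aB3x9Q",
       "198.51.100.4 401 invalid_session sid=expired1",   # a single stale cookie
       "192.0.2.9 200 ok sid=Zk2p0L"]
)


if __name__ == "__main__":
    small = id_bits(10, 6)                     # a 6-digit numeric ID
    print("6-digit ID, 1000 sessions, 100 req/s:",
          round(seconds_to_brute_force(small, 1000, 100)), "seconds")
    print("256-bit ID, a million sessions, a million req/s:",
          seconds_to_brute_force(256, 10**6, 10**6), "seconds")
    print("fresh ID:", generate_session_id())
    print("clients to block:", detect_session_guessing(SAMPLE_LOG))
```

With a six-digit ID and a thousand logged-in users, the expected time to land on someone's session at a modest request rate is measured in seconds; with a 256-bit ID it is astronomically large, which is why the ID length matters more than any rate limit. The detector is only a starting point: a real deployment would also count per subnet and per time window, since a guessing campaign can be spread over many source addresses.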
Man in the browser attack
This type of attack infects your browser with a Trojan horse that monitors what you do on the web, while secretly collecting data and even changing input values in banking forms and other similar websites.
While browsers themselves come with numerous vulnerabilities, a man-in-the-browser infection will also target browser extensions and plugins. Often, these extensions are coded by smaller companies that lack the resources to secure the software.
How to protect yourself against session hijacking
At a base level, session hijacking is made possible by limitations in the TCP/IP protocol which is the technology responsible for allowing computers to communicate with servers.
That being said, multiple security layers are added on top of this mechanism, to make the process as difficult as possible for the malicious hacker to hijack your session.
Here are some of the steps that you, as a user, can take to ensure you won’t fall victim to such a threat.
Check if the website is HTTPS
If a website’s URL starts with HTTPS instead of HTTP, you know the server encrypts the data your PC sends its way.
Without HTTPS, data packets sent between your computer and the server are essentially plain text, meaning the malicious hacker can read them as they are.
Don’t log in on open wireless networks
An unencrypted Wi-Fi network is an open invitation for a malicious hacker to steal your information.
Using either a hardware tool or software such as Wireshark, a malicious hacker can easily intercept the traffic, and see what is communicated over the open network.
This includes everything, from credit card data, to passwords, instant messages or emails.
As a takeaway, do your best not to use open Wi-Fi networks. If you have to use the Internet, switch to your data plan instead.
Use a good antivirus
While not the end-all, be all solution to cybersecurity, an antivirus goes a long way in keeping you safe. The best antivirus programs have a significant database of malware signatures, a good behavioral analysis engine, and removal capabilities.
Here’s a more in-depth resource that might help you find the best antivirus.
Log out at the end of every session
Logging out of your account will terminate the session. This means you will also force the attacker to log out.
Ideally, you want operations on sensitive accounts such as your bank to be “hit and run” operations, where you go in, do the operation, and immediately log out. This will significantly cut down the amount of time an attacker has access to your account, and limit how much damage he can inflict.
Keep your browser and other software updated at all times
Software vulnerabilities are a major security risk, since hackers design their malware to target a specific vulnerability in a certain kind of software. This is how the WannaCry attack came about: it took advantage of the EternalBlue SMB exploit in Windows.
Outdated browsers, Flash and other toolbars greatly increase the risk of a session hijacking, so be sure to always keep this software updated.
If this sounds like too much of a hassle, then we suggest you use Heimdal FREE, a security tool that automatically updates critical software on your computer, without bothering you with popups and other nuisances.
Another way to make sure session-stealing malware doesn’t infect you is to use a traffic filtering solution. These programs scan your traffic and block any malware that might be heading towards your PC.
A traffic filtering solution will also scan your outgoing traffic. If it notices personal information of yours going to a suspicious site, it will cut off communications, keeping it safe and out of the hands of malicious hackers.
An old attack method, that will still be around for a long time to come, session hijacking is an understated threat, overshadowed by the bigger ones such as ransomware, DDoS attacks or banking Trojans.
However, its ease of use combined with outsized potential for profit still make it a potent and heavily used tool in the arsenal of malicious hackers.
Have you ever suffered a session hijacking? What are some other security methods that you use to stay safe online?