Microsoft team discovers malicious cookie-forwarding scheme

Clandestine forwarding of stolen cookies could help session-hijacking operators

Microsoft researchers, while checking how easy it is to identify users by analyzing commonly collected Web-log data, incidentally discovered a cookie-forwarding scheme that can be used to aid session hijacking.

If put into play, the scheme could clandestinely forward stolen session cookies to individual zombie machines in botnets that could use them to gain unauthorized access to Web sites, according to their research paper "Host Fingerprinting and Tracking on the Web: Privacy and Security Implications".

Using data about hundreds of millions of devices that connected to Hotmail during August 2010, the researchers found a certain percentage that connected from more than one Internet Autonomous System (AS) - a large collection of related IP addresses, usually under the control of a large organization such as a service provider, corporation or university.

By tracking cookies that Hotmail issued to these devices, the researchers concluded that most of them were legitimate and were likely mobile or using VPNs, hence the changing location of their IP addresses.

But they also found a small group of cookies exhibiting abnormal behavior. A single IP address in Denmark was logging into a large number of Hotmail accounts. The Hotmail cookies sent to those users were then being reused to gain access from IP addresses in multiple ASs in the U.S., apparently having been shipped to those IP addresses via a covert channel, the researchers say.

The Hotmail accounts being logged into were all created on the same day, with the same user age, location data and scripted naming patterns. The researchers concluded they were bot user accounts.

They had two possible explanations for these activities. First, some Web mail providers flag an account as suspicious if it logs in from multiple geographic locations in a short time span. Cookie forwarding could circumvent that check: spreading the cookies around could let attackers access accounts without explicitly logging in, thereby reducing the likelihood of detection.

Second, attackers may be using the bot accounts and cookie forwarding to see how effectively they can gain access to accounts in general, as preparation for using the method against real users and real accounts.

The researchers say analyzing mobility patterns by using anonymized data gathered from service providers can be a valuable method of detecting this type of stealthy attack.
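
The pattern described above (one IP address signing in to many accounts, with the issued cookies later presented from other ASs) can be separated from ordinary roaming with a simple pass over login and cookie-use logs. This is an added example, not code from the article or the research paper; the event format, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events, in time order: (kind, cookie, account, source_ip, asn).
# "login" = cookie issued at explicit sign-in; "use" = cookie presented later.
# IPs and AS numbers come from documentation-reserved ranges.
EVENTS = [
    ("login", "c1", "bot001", "203.0.113.7", 64500),
    ("login", "c2", "bot002", "203.0.113.7", 64500),
    ("login", "c3", "bot003", "203.0.113.7", 64500),
    ("use", "c1", "bot001", "192.0.2.10", 64501),
    ("use", "c2", "bot002", "192.0.2.77", 64501),
    ("use", "c3", "bot003", "198.51.100.5", 64502),
    # Roaming user: one account whose cookie moves to another AS.
    ("login", "c4", "alice", "198.51.100.20", 64510),
    ("use", "c4", "alice", "198.51.100.99", 64511),
    # Shared NAT: many accounts, but cookies never leave the issuing AS.
    ("login", "c5", "bob", "192.0.2.200", 64505),
    ("login", "c6", "carol", "192.0.2.200", 64505),
    ("login", "c7", "dave", "192.0.2.200", 64505),
    ("use", "c5", "bob", "192.0.2.200", 64505),
]

def find_cookie_forwarding(events, min_accounts=3, min_foreign_as=2):
    """Flag login IPs whose issued cookies reappear in other ASes in bulk."""
    # Thresholds are illustrative assumptions, not values from the paper.
    issued = {}                       # cookie -> (login_ip, login_asn, account)
    foreign = defaultdict(set)        # cookie -> ASNs other than the issuing AS
    for kind, cookie, account, ip, asn in events:
        if kind == "login":
            issued[cookie] = (ip, asn, account)
        elif cookie in issued and asn != issued[cookie][1]:
            foreign[cookie].add(asn)

    # Group by issuing IP: account -> foreign ASNs where its cookies were reused.
    by_ip = defaultdict(lambda: defaultdict(set))
    for cookie, (ip, _asn, account) in issued.items():
        by_ip[ip][account] |= foreign[cookie]

    findings = {}
    for ip, accounts in by_ip.items():
        moved = sorted(a for a, asns in accounts.items() if asns)
        reuse_asns = sorted(set().union(*accounts.values()))
        # One roaming account is normal; many accounts from one IP is the signal.
        if len(moved) >= min_accounts and len(reuse_asns) >= min_foreign_as:
            findings[ip] = {"accounts": moved, "reuse_asns": reuse_asns}
    return findings

if __name__ == "__main__":
    print(find_cookie_forwarding(EVENTS))
```

On the sample data only the single bulk-login address is flagged; the roaming user and the shared NAT address are not.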
