What Is Cookie Theft and How to Prevent Cybercriminals from Stealing Them

When we surf the Internet, there are many threats that can endanger our equipment. Every time we visit a website, a small file called a “cookie” is generated and stored on our computer. By remembering user history and other additional information, cookies help websites to improve their products and services. Cybercriminals can make a profit from the extra information stored in a cookie, such as the account login and more. For that reason, cookie theft is valuable to hackers.

What is a cookie and what is it used for?

We could define a cookie as a file with information sent by a website and saved in our browser. Its purpose is to let the website consult previous activity and tell, among other things, that a user has visited it before.

Cookies have two functions. The first is to remember access: in that sense, the cookie remembers our preferences and determines whether or not certain content is shown to us. In addition, if a user enters their username and password, it is saved in the cookie so that they do not have to enter it every time they access that website. The second function is to provide information about our browsing habits. The problem is that cookies can sometimes cause privacy-related issues.

Cookies also track the behavior of Internet users, which helps companies to show us more personalized ads.

In addition, all cookies on a web page store the information of its users in the form of hash data. From the moment the data is hashed, it can only be read from the source website. This happens because the web page uses a unique algorithm to encode and decode the hash data. If a cybercriminal knew the hash algorithm of that website, that user's data could be compromised from that moment on.

What is cookie theft?

The theft of cookies, or cookie scraping, is also called session hijacking or cookie hijacking. In this attack, the attacker takes over the user’s session. A session begins when a user logs in to a particular service, for example Internet banking, and ends when they log out. The attack depends on how much the hacker knows about users’ session cookies.

In many situations, when a user logs into a web application, the server sets a temporary session cookie in the web browser. Thanks to this temporary session cookie, we know that this specific user is connected to a particular session. It should be noted that a successful session hijacking will only occur when the cybercriminal knows the victim’s session key or session ID. Thus, if the cybercriminal can steal session cookies, they can take over the user’s session. Another way to steal the user’s cookies is to force them to click on a malicious link.

On the other hand, one option we could consider to avoid the theft of cookies would be for our browser to block all cookies. If we only intend to browse, this could be an option to consider. However, if we want to use services such as e-mail, participate in forums, etc., we will be required to use cookies. Therefore, in most situations, to be able to use everything, to gain convenience and to save our preferences, we will have no choice but to use cookies.

Procedures and techniques for the theft of cookies and session hijacking

An attacker has many ways to steal cookies or hijack user sessions. Below, we discuss some of the most used procedures. Let’s start with those related to the login.

The first is session sniffing. With this method, the cybercriminal uses a packet analyzer. In case you don’t know, a packet analyzer is a piece of hardware or software that helps monitor network traffic. Because session cookies are part of network traffic, session sniffing allows hackers to easily find and steal them. The websites most vulnerable to session sniffing are those where SSL/TLS encryption is used only at the login and not on the rest of the website.

Another very common place where this type of attack occurs is open or public Wi-Fi networks, since user authentication is not required to connect to them. This way, attackers monitor traffic and steal cookies from different users. Furthermore, in such Wi-Fi networks, cybercriminals can carry out man-in-the-middle attacks by creating their own access points. To browse these types of networks, we recommend the use of a VPN.

The session fixation attack is a type of phishing attempt. In this procedure, the attacker sends a malicious link to the target user by email. The moment the user logs into their account by clicking that link, the hacker will know the user’s session ID. Then, when the victim successfully logs in, the hacker takes over the session and has access to the account.
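The usual server-side defence against session fixation is to issue a new session ID at login, so that an ID known before authentication is worthless afterwards. The following is an added example, not code from the original article; the class `SessionStore`, the helper `prelogin_id_survives_login` and the user name are hypothetical.

```python
import secrets

class SessionStore:
    """In-memory session table; rotate_on_login=False models the weak behaviour."""

    def __init__(self, rotate_on_login=True):
        self.rotate_on_login = rotate_on_login
        self._sessions = {}

    def start(self, presented_id=None):
        """Return a valid session ID; never adopt one the server did not issue."""
        if presented_id in self._sessions:
            return presented_id
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Bind the user to the session, issuing a new ID when rotation is on."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        if self.rotate_on_login:
            data = self._sessions.pop(sid)   # the pre-login ID stops working
            sid = secrets.token_urlsafe(32)
            self._sessions[sid] = data
        self._sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        """Return the authenticated user for an ID, or None."""
        return self._sessions.get(sid, {}).get("user")

    def logout(self, sid):
        self._sessions.pop(sid, None)        # server-side expiry on logout

def prelogin_id_survives_login(store):
    """True if an ID known before login is authenticated after login."""
    known_id = store.start()                 # ID that a third party also knows
    store.login(known_id, "alice")           # constructed user name
    return store.user_for(known_id) == "alice"

if __name__ == "__main__":
    print("without rotation:", prelogin_id_survives_login(SessionStore(False)))
    print("with rotation:   ", prelogin_id_survives_login(SessionStore()))
```

The `logout` method also shows why logging out matters: once the server drops the entry, a copied cookie no longer maps to any session.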

We also have the cross-site scripting (XSS) attack. Here the cybercriminal tricks the victim’s computer system with malicious code that looks safe and appears to come from a trusted server. The cybercriminal then runs the script and gains access to steal the cookies. This happens when a server or web page lacks essential security parameters, so that hackers can easily inject client-side scripts.
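Two cookie attributes address the sniffing and XSS techniques described above: `Secure` keeps the cookie off unencrypted connections, and `HttpOnly` hides it from client-side script. The following added example (not from the original article) audits `Set-Cookie` header values for them; the name heuristic, the lifetime limit and the sample headers are assumptions, and the `Expires` attribute is not evaluated.

```python
SESSION_HINTS = ("sess", "sid", "auth", "token")  # assumption: naming heuristic
MAX_SESSION_AGE = 8 * 3600  # assumption: longest acceptable lifetime, in seconds

FINDINGS = {
    "no-secure": "sent over plain HTTP too, so a packet analyzer can read it",
    "no-httponly": "readable by injected script through document.cookie",
    "long-lived": "stays valid long after the user stops using the site",
}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_cookie(header):
    """Return the finding codes for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header)
    is_session = any(hint in name.lower() for hint in SESSION_HINTS)
    codes = []
    if "secure" not in attrs:
        codes.append("no-secure")
    if is_session and "httponly" not in attrs:
        codes.append("no-httponly")
    if is_session and "max-age" in attrs:
        try:
            too_long = int(attrs["max-age"]) > MAX_SESSION_AGE
        except ValueError:
            too_long = True  # unparseable lifetime: report it rather than trust it
        if too_long:
            codes.append("long-lived")
    return codes

# Constructed sample headers, not captured from any real site.
SAMPLES = [
    "sessionid=abc123; Path=/",
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "auth_token=abc123; Secure; HttpOnly; Max-Age=2592000",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", [FINDINGS[c] for c in audit_cookie(header)] or "ok")
```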

Another option is malware created to track packets, which makes it easier to steal session cookies. This malware gets onto the user’s system when they visit unsafe web pages or click on malicious links.

Why are cookies valuable to cybercriminals?

Thanks to cookie theft, users’ private information can be obtained, such as credit card details, login details for different accounts, and more. This information can also be sold on the dark web. Another thing attackers can try to achieve is identity theft, the most common objectives of which are to obtain loans in our name or to use our credit cards for purchases.

They can also use cookie theft to take over our account and carry out illegal activities. For example, they may impersonate us to obtain confidential information and then blackmail their victims. In addition, they could use it to carry out phishing attacks in a fraudulent attempt to obtain confidential information from users.

Can users prevent the theft of cookies?

As for web pages, it is recommended that they have an SSL certificate and a security plugin installed. In addition, the website must be kept up to date. Finally, regarding Internet users, the measures we can take to avoid being victims of cookie theft are:

  • Log out of every website when we stop using it, so that its cookie expires and can no longer be deleted.
  • Delete cookies from our browser periodically.

Other basic safety recommendations are:

  • Have a good antivirus, and if possible antimalware software.
  • Keep our operating system and security software updated, with the latest updates installed.
  • Download programs from original sources, that is, from the developer’s website.
  • Do not click on suspicious links such as offers with abnormally low prices.

As you have seen, the theft of cookies is something quite common to capture, but also to avoid, therefore, we always recommend closing the section