Microsoft researchers discover malicious cookie scheme

Scheme could forward stolen cookies to zombie botnets

Microsoft researchers checking how easy it is to identify users by analysing commonly collected web-log data incidentally discovered a cookie-forwarding scheme that can be used to aid session hijacking.

If put into play, the scheme could clandestinely forward stolen session cookies to individual zombie machines in botnets that could use them to gain unauthorised access to websites, according to their research paper "Host Fingerprinting and Tracking on the Web: Privacy and Security Implications".

Using data about hundreds of millions of devices that connected to Hotmail during August 2010, the researchers found a certain percentage that connected from more than one Internet Autonomous System (AS) - a large collection of related IP addresses, usually under the control of a large organisation such as a service provider, corporation or university.

By tracking cookies that Hotmail issued to these devices, the researchers concluded that most of them were legitimate and were likely mobile or using VPNs, hence the changing location of their IP addresses.

But they also found a small group of cookies exhibiting abnormal behaviour. A single IP address in Denmark was logging into a large number of Hotmail accounts. The Hotmail cookies sent to those users were then being reused to gain access from IP addresses in multiple ASs in the US, apparently having been shipped to those IP addresses via a covert channel, the researchers say.

The Hotmail accounts being logged into were all created on the same day, with the same user age, location data and scripted naming patterns. The researchers concluded they were bot user accounts.

They had two possible explanations for these activities. First, some mail providers flag an account as suspicious if it logs in from multiple geographic locations in a short time span. Cookie forwarding could circumvent that check: spreading the cookies around could let attackers access accounts without explicitly logging in, thereby reducing the likelihood of detection.

Second, attackers may be using the bot accounts and cookie forwarding to see how effectively they can gain access to accounts in general, as preparation for using the method against real users and real accounts.

The researchers say analysing mobility patterns by using anonymised data gathered from service providers can be a valuable method of detecting this type of stealthy attack.
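
The pattern described above (one IP address logging into many accounts, whose cookies then reappear from other ASs) can be expressed as a simple log query. The following is an added example, not code from the article or from the researchers' paper; the event format, thresholds, account names, documentation-range IP addresses and private-use AS numbers are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (cookie_id, account, src_ip, asn, event).
# IPs are documentation ranges and ASNs are private-use; none come from the paper.
EVENTS = [
    ("c1", "bot001", "192.0.2.10", 64512, "login"),
    ("c2", "bot002", "192.0.2.10", 64512, "login"),
    ("c3", "bot003", "192.0.2.10", 64512, "login"),
    ("c1", "bot001", "198.51.100.7", 64600, "request"),
    ("c2", "bot002", "203.0.113.9", 64601, "request"),
    ("c3", "bot003", "198.51.100.8", 64600, "request"),
    ("c3", "bot003", "203.0.113.20", 64602, "request"),
    # Legitimate mobile/VPN user: one account, cookie roams across two ASes.
    ("c9", "alice", "192.0.2.200", 64520, "login"),
    ("c9", "alice", "198.51.100.50", 64521, "request"),
]

def find_cookie_forwarding(events, min_accounts=3, min_foreign_ases=2):
    """Return login IPs that obtained cookies for many accounts where those
    cookies were later presented from ASes other than the one that logged in."""
    issued = {}                      # cookie -> (login_ip, login_asn, account)
    seen_ases = defaultdict(set)     # cookie -> every AS the cookie was seen from
    for cookie, account, ip, asn, event in events:
        if event == "login":
            issued.setdefault(cookie, (ip, asn, account))
        seen_ases[cookie].add(asn)

    per_ip = defaultdict(lambda: {"accounts": set(), "foreign_ases": set()})
    for cookie, (ip, login_asn, account) in issued.items():
        foreign = seen_ases[cookie] - {login_asn}
        if foreign:                  # cookie used outside the AS that obtained it
            per_ip[ip]["accounts"].add(account)
            per_ip[ip]["foreign_ases"] |= foreign

    # A single roaming cookie is normal; many accounts from one login IP is not.
    return {
        ip: {key: sorted(values) for key, values in detail.items()}
        for ip, detail in per_ip.items()
        if len(detail["accounts"]) >= min_accounts
        and len(detail["foreign_ases"]) >= min_foreign_ases
    }

if __name__ == "__main__":
    for ip, detail in find_cookie_forwarding(EVENTS).items():
        print(ip, detail)
```

Grouping by the login IP rather than by cookie is what keeps the roaming mobile or VPN user out of the results: that cookie also changes AS, but its login IP is tied to only one account.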

