
What is account pre-hijacking? Techniques and how to protect your business

You might’ve heard about this type of exploit. But what actually is it? How does it affect businesses? And how can you block it as part of protecting customers' accounts?

03 August 2022


Account takeover fraud is ever-growing. Back in 2018, global losses due to account takeover were $4 billion. Within three years, this number grew by more than 200%.

In the past year, 52% of merchants saw an increase in account takeover attacks, according to the findings of Ravelin's Fraud & Payments Survey.

Cybercriminals are always thinking of clever workarounds to your fraud prevention defenses. To get around two-factor authentication, fraudsters moved to contact center phishing, digital wallet takeovers, and BNPL fraud, to name a few.

And they have found a new way to get a step ahead: They can take over your customer’s account before it’s even been created.

This technique is called account pre-hijacking. It hit the headlines after a 2022 study by Avinash Sudhodanan and Andrew Paverd, who examined how 75 popular online services handle account creation. But the information circulating is quite technical and confusing.

Let’s clear up the confusion and keep things simple.

Here’s an easy breakdown of account pre-hijacking techniques and how to protect your business.

What is account pre-hijacking?

Account pre-hijacking is an exploit that sees a cybercriminal gain access to a customer’s account before the customer has even created it. They preempt account creation on popular sites, and find clever ways to harvest your customer’s details.

Technically speaking, account pre-hijacking is an umbrella term for a family of attacks that all exploit the same weakness: a service lets an attacker attach something to an account (a password, a live session, a recovery identifier or a pending email change) before the real owner has proved they control the email address. We'll look at each variant below.

Of the 75 popular services the study tested, 35 (almost half) were vulnerable to at least one variant of this new type of attack. This includes Zoom, Instagram, Dropbox, and LinkedIn. Could your business also be a target?


How does account pre-hijacking work?

Let’s break down into steps how criminals pre-hijack accounts.

  • Step 1: Scout for non-existent accounts. The fraudster makes an account using a genuine email address, on a platform, site or service that the customer hasn’t yet signed up for. The expectation is that they will do so eventually.

    A hacker might know that jenny.smith@email.com is a genuine email address. They could find this out by checking it against a free online verification service, scraping social media accounts, or looking through credential dumps.

    But when they try the address on a popular site, the registration or password-reset page reveals that it hasn't yet been registered for an account. This is the perfect pre-hijacking target.

    Checking addresses one by one would take too long, and fraudsters are impatient. So they'll often probe and register accounts in bulk. They'll target the most popular sites, where it seems likely that a genuine customer might want to create an account soon.

    For example, does jenny.smith@email.com have a LinkedIn account? How about an account with Amazon, Deliveroo, or John Lewis?
  • Step 2: The waiting game. The pre-hijacked account only pays off when the genuine person comes to sign up with the same email address, is told the account already exists, recovers it (usually through a password reset), and starts using it, adding information like their payment details. Everything the attacker needs has to be planted before that moment; what they planted decides which attack they can then carry out.
  • Step 3: Attack! The hacker’s next move? They attack. And to do this, they have five options. Let's take a closer look at each.

Types of account pre-hijacking attacks

There are five identified types of pre-hijacking attacks: federated merge attacks, unexpired session identifier attacks, trojan identifier attacks, unexpired email change attacks, and non-verifying IDP attacks.

1. Classic-federated merge attack

On many sites, customers can sign up using either classic or federated identities. Classic refers to the standard "enter your email, create a password" route. Federated refers to single sign-on (SSO) through an identity provider (IdP) such as Google, Facebook or Apple, which vouches for the user's email address.

But some merchants merge these identities automatically whenever the email addresses match. So an attacker who registered the classic way with the victim's address (setting a password only they know, and never verifying the address) and the genuine customer who later signs up through the federated route end up sharing one account, each with their own working credentials. It's a clever loophole.


2. Unexpired session identifier attack

This attack is quite simple. The hacker creates an account using the victim's email address and then keeps the session alive, for example with a script that periodically refreshes it. In other words, they stay logged in.

Then, when the owner tries to create an account, they'll be told it already exists and be offered a password reset. If they reset the password and the site does not invalidate existing sessions when it does so, both will have access to the account, because the attacker's session is still live.

3. Trojan identifier attack

The hijacker adds a recovery option they control to the pre-created account, such as an alternate email address, a phone number, or a linked federated identity. When the victim comes along, resets the password and takes the account into use, that trojan identifier is still attached.

The cybercriminal then triggers a reset through that recovery channel, recovers the account, and gets their hands on the genuine customer's information.

4. Unexpired email change attack

The hijacker creates an account using the victim's email, then requests to change the account's email address to one they own, which sends a confirmation link to the attacker's address. Instead of clicking on the link, they save the confirmation email for later.

After the genuine customer recovers the account and starts using it, the hacker finishes the confirmation. If the link has not expired, the account's email address is switched to the attacker's, and the customer is locked out of their own account.



5. Non-verifying IDP attack

In the study, the non-verifying party is the identity provider. The attacker creates a federated identity at an IdP that does not check ownership of the email address, using the victim's address, and signs up to the target service with it. When the genuine customer later registers the classic way with the same email, the service links the two identities, and both criminal and genuine user have access.

The same outcome follows if your own signup doesn't verify emails. If a criminal discovers that, you'll be a hot target: all they have to do is create an account and wait.

What can a fraudster do once they’ve got a customer’s account?

Criminals can do a variety of things once they’ve got your customer’s account.

For example, they can order goods or services for use or resale, sell on account details, or use vouchers or accrued credit.

The impact on the business is the same as any other account takeover – it can be extremely damaging. Your business' reputation is on the line, and you'll likely lose some customers. In fact, Ravelin's latest Fraud Trends Survey showed that 40% of merchants agree that fraud negatively affects their brand image and reputation.

This means loss of future revenue. And you potentially have the costs of stolen goods, services and your team’s time.

Why is it a problem?

Account pre-hijacking is difficult to spot because it's a long game.

A seemingly genuine customer (actually the hacker) creates an account and then goes quiet for a few months, or even years.

Then, when a password reset request arrives on that dormant account, it looks perfectly natural: people who haven't logged in for ages forget their passwords. So it's hard to distinguish a bad actor from a genuine customer recovering what they believe is a new account, and you can't rely on some of the usual fraud signals.
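To make this concrete, here is an added example (written for this article; it is not Ravelin's code and not a tool from the 2022 study) of detection logic for two signals: password resets on accounts that were registered, never verified or logged in, and then left dormant, which is the long-game pattern just described; and bursts of registrations, failed registrations and identifier changes from one source, which is what the "Monitor your registrations" advice in the checklist further down is looking for. The log format, the event names, the thresholds, the IP addresses and the email addresses are all constructed for the example.

```python
# Registration-monitoring heuristics: an added example, not Ravelin's code or a study tool.
# Log format, thresholds, IPs and email addresses below are constructed for the example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log sample: "<timestamp> <event> <source ip> <email>".
SAMPLE_LOG = """\
2022-03-01T10:00:01 register 203.0.113.7 jenny.smith@email.com
2022-03-01T10:00:02 register 203.0.113.7 a.jones@email.com
2022-03-01T10:00:03 register_failed 203.0.113.7 a.jones@email.com
2022-03-01T10:00:04 register 203.0.113.7 m.khan@email.com
2022-03-01T10:00:05 register 203.0.113.7 p.oneill@email.com
2022-03-01T10:00:06 email_change 203.0.113.7 p.oneill@email.com
2022-03-02T09:00:00 register 198.51.100.4 carol.b@email.com
2022-03-02T09:05:00 verify_email 198.51.100.4 carol.b@email.com
2022-03-02T09:06:00 login 198.51.100.4 carol.b@email.com
2022-06-15T11:00:00 password_reset 192.0.2.9 carol.b@email.com
2022-06-20T14:00:00 password_reset 192.0.2.10 jenny.smith@email.com
"""

BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 4          # signup/identifier events from one IP inside the window
BURST_EVENTS = {"register", "register_failed", "email_change", "recovery_change"}
DORMANT_AFTER = timedelta(days=30)


def parse(log):
    """One (timestamp, event, ip, email) tuple per log line."""
    out = []
    for line in log.splitlines():
        ts, event, ip, email = line.split()
        out.append((datetime.fromisoformat(ts), event, ip, email))
    return out


def registration_bursts(events):
    """Source IPs with >= BURST_THRESHOLD signup/identifier events inside BURST_WINDOW.
    Failed registrations count too: probing which emails are taken is part of scouting."""
    by_ip = defaultdict(list)
    for ts, event, ip, _ in events:
        if event in BURST_EVENTS:
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= BURST_WINDOW)
            if n >= BURST_THRESHOLD:
                flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged


def dormant_resets(events):
    """Password resets on accounts that were registered, never verified or logged in,
    and then left idle past DORMANT_AFTER: the long game described above."""
    state = {}      # email -> {"created", "ip", "verified", "logged_in"}
    flagged = []
    for ts, event, ip, email in events:
        if event == "register":
            state.setdefault(email, {"created": ts, "ip": ip, "verified": False, "logged_in": False})
        elif event == "verify_email" and email in state:
            state[email]["verified"] = True
        elif event == "login" and email in state:
            state[email]["logged_in"] = True
        elif event == "password_reset" and email in state:
            s = state[email]
            if not (s["verified"] or s["logged_in"]) and ts - s["created"] >= DORMANT_AFTER:
                flagged.append((email, s["ip"], (ts - s["created"]).days))
    return flagged


def analyse(log=SAMPLE_LOG):
    """Combine both signals; a dormant reset whose original registration came from a
    bursting IP is the strongest indicator and goes straight to manual review."""
    events = parse(log)
    bursts = registration_bursts(events)
    resets = dormant_resets(events)
    return {"bursts": bursts, "dormant_resets": resets,
            "review": [email for email, ip, _ in resets if ip in bursts]}


if __name__ == "__main__":
    print(analyse())
```

On the sample, the reset on carol.b@email.com is left alone (the account was verified and used), while jenny.smith@email.com is flagged: registered in a burst from 203.0.113.7, never verified, never logged in, and reset 111 days later. In production the thresholds would be tuned to your own registration volume, and a flagged reset is a reason to step up authentication, not to block outright.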

How to prevent account pre-hijacking

You can prevent pre-hijacking if you have the right tools and processes in place:

  • Monitor your registrations! This includes failed registrations. If you notice an influx of account creations or changes to email addresses or recovery details, it could indicate a pre-hijack attack. Keep an eye on new account details – you’ll likely spot a pattern.

  • Verify email addresses upon account creation, before the account can be used, linked to a federated identity, or given recovery details. Easy.

  • Communicate with customer services. Ask your customer-facing team to flag if a customer says an account already exists under their email!

  • Do not merge accounts automatically. Don't merge the single sign-on route with your standard logins on an email match alone. If you do link them, require the person in front of you to prove they own the existing account (by logging in with its password or re-verifying the email) before the merge happens.

  • Expire sessions and password resets. Invalidate every existing session when a password is reset or changed, and when an email address or recovery identifier changes. Expire password reset links and pending email-change confirmations a couple of hours after you send them. Genuine customers will want to reset their password straight away!

  • Targeted 2FA. These attacks will be largely stopped by implementing two-factor authentication. But 2FA is not a silver bullet for ATO, and you want to use a targeted approach: step it up on password resets, sign-ins from new devices, and changes to email or recovery details. If you enforce blanket two-factor authentication for all, your conversion could take a hit.

  • Force sign-outs. When you roll out these fixes, force a sign-out of every session that started before the change, to get rid of any lingering pre-hijacking set-ups.

  • Label your data. If your fraud prevention platform allows it, label any activity undertaken by the hijacker as account takeover. This way, both your machine learning fraud solution and human analysts will know what happened and how, and can prevent similar attacks in the future.
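The attack descriptions above and the verify, merge, expiry and sign-out items in this checklist are easiest to see side by side in code. The following is an added example: a toy in-memory account service written for this article (it is not Ravelin's code and not from the 2022 study) that replays four of the five attacks against itself. With hardened=False the flows reproduce them; with hardened=True the checklist defences close them. The class, its method names, the fake clock, the tokens and the victim address are assumptions made for the example, and the model deliberately lets an unverified registration get a session, as many sites do, so that the other defences are the ones being tested.

```python
# Toy in-memory account service: an added example, not Ravelin's code or the study's.
# hardened=False reproduces four pre-hijacking attacks, hardened=True closes them.
# Names, the fake clock and the victim address are assumptions made for the example.
import secrets


class AccountService:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.now = 0          # fake clock, seconds
        self.accounts = {}    # email -> {"password", "verified", "recovery": [(id, trusted)]}
        self.sessions = {}    # session id -> email
        self.pending = {}     # email-change token -> (old_email, new_email, expires_at)

    def _new_session(self, email):
        sid = secrets.token_hex(8)
        self.sessions[sid] = email
        return sid

    def _revoke_sessions(self, email):
        self.sessions = {s: e for s, e in self.sessions.items() if e != email}

    def register_classic(self, email, password):
        # An unverified signup still gets a session (as on many sites); None if taken.
        if email in self.accounts:
            return None
        self.accounts[email] = {"password": password, "verified": False, "recovery": []}
        return self._new_session(email)

    def login(self, email, password):
        acct = self.accounts.get(email)
        return self._new_session(email) if acct and acct["password"] == password else None

    def login_federated(self, email):
        # IdP vouches for the email. Vulnerable: merge into an existing unverified classic
        # account, keeping its password. Hardened: discard that unverified account instead.
        acct = self.accounts.get(email)
        if acct is None or (self.hardened and not acct["verified"]):
            self._revoke_sessions(email)
            self.accounts[email] = {"password": None, "verified": True, "recovery": []}
        return self._new_session(email)

    def add_recovery(self, sid, identifier):
        # Attach a recovery channel and remember whether the account was verified then.
        acct = self.accounts[self.sessions[sid]]
        acct["recovery"].append((identifier, acct["verified"]))

    def reset_password(self, email, new_password):
        # The reset link lands in the mailbox, so this proves ownership. Hardened: drop
        # every other session, pending email changes and pre-verification recovery ids.
        acct = self.accounts[email]
        acct["password"], acct["verified"] = new_password, True
        if self.hardened:
            self._revoke_sessions(email)
            self.pending = {t: p for t, p in self.pending.items() if p[0] != email}
            acct["recovery"] = [r for r in acct["recovery"] if r[1]]
        return self._new_session(email)

    def request_email_change(self, sid, new_email):
        # Returns the confirmation token that would be mailed to new_email.
        ttl = 2 * 3600 if self.hardened else 10 * 365 * 86400   # hardened: two-hour link
        token = secrets.token_hex(8)
        self.pending[token] = (self.sessions[sid], new_email, self.now + ttl)
        return token

    def confirm_email_change(self, token):
        old, new, expires = self.pending.pop(token, (None, None, 0))
        if old is None or self.now > expires:
            return False
        self.accounts[new] = self.accounts.pop(old)
        self._revoke_sessions(old)   # everyone re-authenticates under the new address
        return True


def run_attacks(hardened: bool) -> dict:
    """Replay each attack; True means the attacker still has a way in afterwards."""
    v, out = "jenny.smith@email.com", {}    # victim address from the text (constructed)
    svc = AccountService(hardened)          # 1. unexpired session identifier
    atk = svc.register_classic(v, "attacker-pw")
    svc.reset_password(v, "victim-pw")      # victim is told "account exists" and resets
    out["unexpired_session"] = svc.sessions.get(atk) == v
    svc = AccountService(hardened)          # 2. trojan identifier
    atk = svc.register_classic(v, "attacker-pw")
    svc.add_recovery(atk, "+44 7700 900123")   # attacker-controlled number (constructed)
    svc.reset_password(v, "victim-pw")      # ...is the attacker's channel still attached?
    out["trojan_identifier"] = any(i == "+44 7700 900123" for i, _ in svc.accounts[v]["recovery"])
    svc = AccountService(hardened)          # 3. unexpired email change
    atk = svc.register_classic(v, "attacker-pw")
    tok = svc.request_email_change(atk, "attacker@attacker.example")
    svc.now += 90 * 86400                   # the waiting game: 90 days
    svc.reset_password(v, "victim-pw")
    out["unexpired_email_change"] = svc.confirm_email_change(tok)
    svc = AccountService(hardened)          # 4. classic-federated merge
    svc.register_classic(v, "attacker-pw")  # attacker registers classic, never verifies
    svc.login_federated(v)                  # victim signs up via "Sign in with <IdP>"
    out["classic_federated_merge"] = svc.login(v, "attacker-pw") is not None
    return out
```

Call run_attacks(False) and run_attacks(True) and compare the two dictionaries: every entry is True for the vulnerable service and False for the hardened one. The non-verifying IdP attack is not modelled because it turns on the identity provider's behaviour rather than your own service's; the defence on your side is the same as for the merge case, namely never linking identities on an unverified email match.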


Keep your ear to the ground

How can you stay one move ahead of account takeover hackers? Keep your ear to the ground and share your knowledge with other fraud fighters.

And, importantly, make sure you have the right tools and processes in place to protect your business.

For more resources and information on how to deal with account takeovers proactively, speak to one of our team today.
