What is account pre-hijacking?

Account takeover fraud is evergrowing. In 2018, global losses due to account takeover were $4 billion. In 2021, this number grew by more than 200% to over $12 billion. And the costs are only going up. How does the threat persist year after year?

Account takeover hackers are always thinking of clever workarounds to your fraud prevention defenses. To get around two-factor authentication, fraudsters moved to contact center phishing, digital wallet takeovers, and BNPL fraud (to name a few).

Now hackers have found a new way to get a step ahead: they can take over your customer’s account before it’s even been created. This new technique is called account pre-hijacking. It recently hit headlines after the release of a groundbreaking 2022 study. But the information circulating is quite technical and confusing.

Let’s clear up the confusion and keep things simple. Here’s an easy breakdown of account pre-hijacking techniques and how to protect your business.

What is account pre-hijacking?

Account pre-hijacking occurs when a hacker gets access to a customer’s account, before they’ve even made it. They preempt account creation on popular sites, and find clever ways to harvest your customer’s details.

Almost 50% of the world's most-visited sites are vulnerable to this new type of attack. This includes Zoom, Instagram, Dropbox and LinkedIn. Could your business be a target?

How does it work?

Let’s break it down into steps…

Step 1: Scout for the perfect victim

The hacker makes an account using a genuine email address, on a platform that the customer hasn’t yet signed up for.

A hacker might know that jenny.smith@email.com is a genuine email address. They could find this out by checking the address against a free online verification service, scraping social media accounts or looking through credential dumps on the web. But when testing the address on a popular site, they find out it’s not yet been registered for an account. This is the perfect pre-hijacking target.

Checking these accounts manually would take too long, and fraudsters are impatient. So they’ll often create new accounts in bulk. They’ll target the most popular sites so it seems likely that a genuine customer might want to create an account soon.

Step 2: Wait

The account only becomes valuable when the genuine customer tries to create an account, logs in, and adds information like their payment details. It’s at this point that the hacker uses a variety of methods to harvest the details.

Step 3: Attack

The hacker’s next move? They have five options. Be warned, the names of these tactics aren’t very catchy…

Classic-federated merge attack

On many sites, customers can sign up using either classic or federated identities. Classic refers to the standard "enter your email, create a password" route. Federated refers to using websites or apps, like Gmail or Yahoo, for single sign-on (SSO).

But some merchants merge these identities. So a hacker using a gmail address and a genuine customer using the federated route could both have access to one account. And both could use different login information. It’s a clever loophole.

Unexpired session identifier attack

This attack is quite simple. The hacker creates an account using the victim’s email address and then maintains a long-running active session. In other words, they stay logged in. Then when the owner creates an account, they’ll be told it already exists and have the option of resetting their password. If they do, both will have access to the account, as the malicious session is still underway.

Trojan identifier attack

The hijacker sets up an account recovery option using different details, like their own email address or phone number. So when the victim creates an account and resets their password, the hacker will also get a notification to reset the password. So the hacker resets it, recovers the account and gets their hands on the genuine customer’s information.

Unexpired email change attack

The hacker creates an account using the victim’s email. But they’ll then request to change the account's email to their own address to get sent a verification email. Instead of clicking on the link, they’ll save the verification email for later. So after the genuine customer creates an account and resets their password, the hacker will finish the verification process and get access!

Non-verifying IDP attack

This attack only involves apps and sites that don’t verify email addresses. If a hacker discovers that you don’t verify emails, you’ll be a hot target. All the hacker has to do is create an account, and then when the genuine customer tries to register, both have access.

What do hackers do once they’ve got your customer’s account?

Hackers can do a variety of things once they’ve got your customer’s account. They can order goods or services for use or resale, sell on account details, or use vouchers or accrued credit.

How could it impact your business?

The impact is the same as any other account takeover - it can be extremely damaging. Your business' reputation is on the line, and you’ll likely lose some customers. This means loss of future revenue. And you potentially have the costs of stolen goods, services and your team’s time.

Why is it a problem?

It’s difficult to spot because it’s a long game. A seemingly genuine customer (the hacker) could make an account and go quiet for a few months. Then if they try to log in again after time has passed, it makes sense that they might have forgotten their password. So it’s hard to distinguish between a bad actor and a genuine new customer. You can’t rely on some of the usual fraud signals.

How can you prevent account pre-hijacking?

It’s easy enough to prevent if you have the right tools and processes in place:

• Monitor your registrations! This includes failed registrations. If you notice an influx of account creations or changes to email addresses or recovery details, it could indicate a pre-hijack attack. Keep an eye on new account details - you’ll likely spot a pattern.

• Verify email addresses upon account creation. Easy.

• Communicate with customer services. Ask your customer facing team to flag if a customer says an account already exists under their email!

• Do not merge any accounts. Don’t merge the single-sign in route with your standard logins. Or get approval from both account holders before you do.

• Expire sessions and password resets! End sessions on accounts that share details. And expire password reset texts or emails a couple of hours after you send them. Genuine customers will want to reset their password straight away!

• Targeted 2FA. These attacks will be largely stopped by implementing authentication. But you want to use a targeted approach. If you enforce blanket two-factor authentication for all, your conversion could take a hit.

• Force sign-outs. You just need to force the sign out of any sessions that started before you push authentication to get rid of any lingering pre-hijacking set-ups.

Keep your ear to the ground

How can you stay one move ahead of account takeover hackers? Keep your ear to the ground and share your knowledge with other fraud fighters. And, importantly, make sure you have the right tools and processes in place to protect your business. For more resources and information on how to deal with account takeovers proactively, visit our insights page.