In a recent Reuters article, Italian security researcher Rosario Valotta described a new zero-day attack on Microsoft’s Internet Explorer (IE) browser that he has named “cookiejacking.” The main idea behind cookiejacking has actually been around for several years now—better-known names for this technique are sidejacking or session hijacking. What Rosario discovered, however, is a new delivery mechanism for this attack: it relies on socially engineering users into helping the attacker exploit a bug in IE.
According to the report, the vulnerability affects all versions of IE, including IE 9, on every version of the Windows OS. To exploit the flaw, the hacker must persuade the victim to drag and drop an object across the PC’s screen before the cookie can be hijacked.
The researcher cited an example where he used social engineering in the form of a puzzle to entice users to “undress” a photo of an attractive woman. For those of you interested in reading the full details of the attack, you can find it here.
According to the media report, Microsoft spokesman Jerry Bryant said:
“Given the level of required user interaction, this issue is not one we consider high risk.”
“In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page, and the attacker would need to target a cookie from the website that the user was already logged in to,” Bryant said.
Unfortunately, this statement is not entirely accurate.
- People visit malicious sites all the time. The Trend Micro™ Smart Protection Network™ infrastructure blocks, on average, 13 million attempts by users to access malicious sites every day.
- There are always going to be cookies on machines. I do not believe average users clear their cookies even weekly, let alone each day.
Microsoft’s statement—that this issue should not be taken seriously and does not pose high risk—is misguided. Such comments can lead nontechnical users to think that visiting malicious websites is unlikely and can lead other users to think that they won’t be duped or compromised just by visiting a malicious website.
The vast majority of attacks are now hidden from view; you may not know that something malicious is taking place, and even the result of the user interaction may not produce any obvious symptom. Social engineering tactics are often subtle, devious, and emotive; that is why they are successful and regularly used by attackers.
My advice—always be mindful of online hazards—if you remain cautious, it might just save you from becoming the next victim.
(Thanks to Senior Threat Researcher Paul Ferguson for his input on this issue.)