Account hijacking attacks have become one of the most persistent and damaging threats to SaaS cloud environments. Despite significant investment in traditional security measures, many organizations continue to struggle to prevent these attacks. A new report, “Why account hijacking attacks still succeed and why your browser is your secret weapon for stopping them”, states that the browser is the primary battleground where account hijacking attacks are deployed, and therefore where they must be neutralized. The report also provides recommendations to reduce the risk of account hijacking.
Below are some of the key points raised in the report:
The role of the browser in account hijacking
According to the report, the SaaS kill chain uses core components that reside in the browser. For account capture, these include:
- Executed web pages – Attackers can create phishing login pages or use MiTM on legitimate web pages to obtain credentials and gain access.
- Browser extensions – Malicious extensions can access and retrieve sensitive data.
- Saved credentials – Attackers seek to hijack the browser or steal its stored credentials to access SaaS applications.
Once a user’s credentials are compromised, an attacker can log in to applications and operate within them with impunity. This kill chain is different from, and much shorter than, the on-premises kill chain, so traditional security measures cannot protect against it.
Analysis of account takeover TTPs
The report then details the main account takeover tactics, techniques and procedures (TTPs). It analyzes how they work, why traditional security controls are ineffective at protecting against them, and how a browser security platform can reduce the risk.
1. Phishing
Risk: Phishing attacks abuse the way a browser executes a web page. There are two main types of phishing attack: presenting a malicious login page, or intercepting a legitimate session to capture session tokens.
Protection failure: SSE solutions and firewalls cannot protect against these attacks because the malicious web page components are not visible in network traffic. As a result, phishing components can penetrate the user’s perimeter and endpoint.
Solution: The browser security platform provides visibility into web page execution and analyzes each executed component, detecting phishing activities such as credential input fields and MiTM redirects. These components are then disabled on the page.
2. Malicious browser extensions
Risk: Malicious extensions use elevated privileges that allow them to control browser activity and data by impersonating saved credentials.
Protection failure: EDR and EPP tools often implicitly trust browser processes, making extensions a security blind spot.
Solution: The browser security platform provides visibility and risk analysis of all extensions and automatically disables malicious ones.
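A minimal form of the extension risk analysis described above, as an added example that is not from the report or from LayerX: it scores the permissions declared in Chrome-style `manifest.json` files and lists the extensions that need review. The weights, threshold, function names and sample manifests are assumptions constructed for illustration.

```python
import json

# Assumed weights: how much each permission counts is a policy choice,
# not something the report specifies.
RISKY = {
    "cookies": 3, "webRequest": 3, "scripting": 3, "nativeMessaging": 3,
    "debugger": 4, "clipboardRead": 2, "tabs": 1, "history": 1,
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests (not real extensions).
SAMPLES = json.loads("""{
  "constructed-notes-helper": {"manifest_version": 3,
    "permissions": ["storage"], "host_permissions": ["https://notes.example/*"]},
  "constructed-coupon-finder": {"manifest_version": 3,
    "permissions": ["cookies", "scripting", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]},
  "constructed-legacy-tool": {"manifest_version": 2,
    "permissions": ["webRequest", "*://*/*"]}
}""")


def score_manifest(manifest):
    """Return (score, findings) for one parsed manifest.json."""
    score, findings = 0, []
    # Manifest V2 mixes host patterns into "permissions"; V3 splits them out.
    keys = ("permissions", "optional_permissions",
            "host_permissions", "optional_host_permissions")
    for perm in (p for k in keys for p in manifest.get(k, [])):
        if not isinstance(perm, str):
            continue  # skip non-string entries instead of crashing on them
        if perm in RISKY:
            score += RISKY[perm]
            findings.append(f"permission:{perm}")
        elif perm in BROAD_HOSTS:
            score += 3
            findings.append(f"broad-host:{perm}")
    for script in manifest.get("content_scripts", []):
        if BROAD_HOSTS.intersection(script.get("matches", [])):
            score += 3
            findings.append("content-script-on-all-sites")
    return score, findings


def triage(manifests, threshold=6):
    """Names of extensions at or above the threshold, highest score first."""
    scores = {name: score_manifest(m)[0] for name, m in manifests.items()}
    return sorted((n for n, s in scores.items() if s >= threshold),
                  key=lambda n: -scores[n])


if __name__ == "__main__":
    print(triage(SAMPLES))
```

A manifest score only reflects what an extension is allowed to do, so a flagged extension still needs review of its publisher and code before it is disabled.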
3. Authentication and access through the login page
Risk: Once the attacker obtains the credentials, they can gain access to the target SaaS application.
Protection failure: IdPs struggle to distinguish between malicious and legitimate users, and MFA solutions are often not fully implemented and adopted.
Solution: The browser security platform monitors all stored credentials in the browser, integrates with the IdP to act as an additional factor of authentication, and provides access from the browser to prevent access through compromised credentials.
What awaits security decision makers
The browser has become the most important attack surface for businesses, and account hijacking attacks show its risk and the need to adapt an organization’s security approach. LayerX has identified a browser security solution as a key component in this change, countering existing attack methods in a way that will force attackers to rethink their actions.