New study details how easy it is for hackers to steal your data

15 Mar 2018

A new report from Exabeam has detailed just how easy it is for cybercriminals to hack into your life.

It’s no secret that web browsers store a substantial amount of sensitive information about their users, with website developers using a variety of ways to customise the experience. Advertisers also use these features to maximise the impact of ads shown on sites.

The result is that a lot of information about you is stored deep within your browser, and Exabeam senior threat researcher Ryan Benson says it can then potentially be exploited by hackers in a number of ways. All kinds of personal information, from your location, work hours, habits, banks, applications, and even passwords are there for the taking.

There are several ways that browsers store information, including visited sites, HTTP cookies, local storage, saved login info and autofill.

To create its study, Exabeam visited and conducted tests on the most popular sites on the Internet, using the Alexa Top 1000 list as their guide.

In the first phase of their research, Exabeam found 56 websites stored some level of geolocation information about the user on their local system, while 57 recorded a user’s IP address.

“For the second phase, we were able to extract a number of potentially sensitive items from popular services, including account usernames, associated email addresses, search terms, titles of viewed emails and documents, and downloaded files. Table 2 below shows some of the more notable examples,” says Benson.

“In addition to these site actions, if a user chose to have the browser save their password for them using the built-in password managers, we were able to extract those saved usernames and passwords for all sites tested.”

So how can attackers gain access to this information?

Benson says it is actually quite straightforward. Malware to harvest information stored in a browser is easily accessible and variants have been around for years, including the Cerber, Kriptovor, and CryptXXX ransomware families.

“The free NirSoft tool WebBrowserPassView dumps saved passwords from Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. While ostensibly designed to help users recover their own passwords, it can be put to nefarious use. The recent ‘Olympic Destroyer’ malware used to disrupt the Pyeongchang Olympic Games reportedly took advantage of user credentials saved in the browser,” says Benson.

“Another concern is anyone working on a shared computer or in a shared workspace. If a machine is unlocked, extracting browser data for analysis could be done in seconds with the insertion of a USB drive running specialised software or click of a web link to insert malware. While it is true that browsers encrypt passwords, these are decrypted when used by the browser, and can be accessed by any process.”

And then with this information (what Exabeam has labelled a ‘web dossier’), how can cybercriminals exploit it?

Account discovery

“An attacker could compile a list of applications you commonly log into from your URL history, including work applications and personal finance sites. Criminals can learn who in a company has access to the financial or payroll application, for example, and compile a list of usernames to use to break in,” says Benson.

“Knowing what applications are in use at a company can help an attacker craft more convincing phishing emails to try and trick users into exposing their passwords, which the attacker could then harvest.”

Benson says it would also be simple to learn the name of your bank, online broker, or retirement fund manager.

Location history

“We were able to extract different levels of geolocation indicators, including IP address, from a wide array of popular websites, including nba.com and cbssports.com. News sites, including cbsnews.com, cnn.com, usatoday.com, foxnews.com, telegraph.co.uk, nypost.com, and nytimes.com, also store information about a user’s location on that user’s local machine,” says Benson.

“Extracting historical location information from a web browser can paint a picture of a user’s habits and past activities. By extracting similar types of information from a broad range of websites, investigators can get multiple data points to help corroborate different geolocation data points. So an attacker can determine when you are at work and when you are at home, for example.”

User interests

“Of course, with access to your URL history, an attacker can learn about your personal interests quite easily. There are two ways an attacker could manipulate this information. First, it is well known that attackers use hobbies to guess passwords,” says Benson.

“Second, if your hobbies or interests are controversial, unusual or even illegal, you may fall victim to online blackmail. And lastly, with the unfortunate rise of cyberbullying, especially among teens, a web dossier could be used to expose or embarrass the victim.”

Device discovery

“Modern browsers offer the option of a consistent experience to users, no matter what device they are using. Because of this, it can be possible to extract information about what other devices a user owns by examining browser history,” says Benson.

“Some browsers explicitly sync records from multiple devices to each other, and some make use of ‘casting’ or other screen sharing methods to communicate with other devices. By looking at this information, it may be possible to find a device that a user is trying to keep hidden, or to connect a personal machine to a work machine.”

And so in terms of protection, Benson says ensuring endpoint protection and not leaving machines unlocked in public spaces are both essential – users should also consider changing browser settings to further protect their privacy.
