Everything You Should Know About Token Hijacking
Token hijacking has become a popular method for attackers to commit business email compromise (BEC) — a type of cybercrime that has resulted in over $2.9 billion in reported losses in 2023, according to the FBI.
To make matters worse, token hijacking can go undetected, as attackers bypass authentication without raising red flags in your logs.
Let’s review how this hack works and, more importantly, how to prevent it from happening to your end users.
What Is Token Hijacking?
Token hijacking occurs when an unauthorized user accesses an account by stealing the session token.
A token is a secure, unique identifier used to authenticate a user’s identity and maintain session integrity during interactions with a system or application. By stealing this token, the attacker can bypass both Conditional Access and multi-factor authentication (MFA) to gain direct access to the account.
Session token hijacks are sometimes confused with session hijacks. Here’s a breakdown of the main differences:
| Aspect | Session Hijacking | Session Token Hijacking |
| --- | --- | --- |
| How it works | Taking control of an active session by intercepting session identifiers | Theft and misuse of session tokens to bypass authentication |
| Common methods | | |
| Attack target | Session identifiers during network transmission | Session tokens used for maintaining an authentication state |
| Setup complexity | Moderate to high, requires network access | Low, quick setup through phishing campaigns |
| Cost and time | Higher cost and time investment | Low cost, quick to implement |
How a Session Token Hijack Happens
A session token hack involves these three steps:
1. Sending an Initial Phishing Email
The attack typically begins with a carefully crafted phishing email that mimics legitimate communications from colleagues or vendors. These messages contain links to fake login pages that appear convincingly real.
For example, an attacker sends an email that looks like a legitimate security alert from the IT department stating that unusual activity has been detected on the user’s account and urging them to verify their identity by clicking on a provided link.
2. Intercepting the Access Token
Once a user interacts with a phishing email, the attacker captures their token in three steps:
- Authentication: The victim visits the counterfeit sign-in screen, enters their credentials and completes a multi-factor authentication (MFA) prompt.
- Session token capture: Once the user successfully logs in, the attacker's server intercepts the authentication data and harvests the session token.
- Token transfer: The attacker imports the stolen session token into their browser using a cookie editor or similar tool.
This interception process is quick and inexpensive for bad actors to execute. Setting up the necessary server and tools often takes less than an hour, making it accessible for even less sophisticated attackers to hijack session tokens.
3. Accessing the Account
With a session token harvested, the attacker can import it into their browser and take over the victim’s session in order to:
- Bypass MFA: The attacker bypasses further MFA prompts since the session token is already authenticated.
- Access sensitive information: The attacker can access emails, files and other sensitive information as if they were the legitimate user.
- Remain undetected: The attack is stealthy and can go unnoticed because the activity appears normal in the logs, with no new login attempts from unrecognized devices.
The Financial Impact of Session Token Hijacks
Session token hijacks can result in data breaches and BEC attacks, where attackers use their unauthorized access to user accounts to induce fraudulent financial transactions via email, often by impersonating executives.
Additionally, attackers might gain access to sensitive customer data, leading to identity theft and subsequent legal liabilities. IBM reports that the global average cost of data breaches in 2023 was $4.45 million, a 15% increase over three years.
On top of the direct costs (e.g. incident response, remediation and customer notification), there are indirect costs that include:
- Business disruption
- Regulatory penalties
- Reputational damage
- Increased cybersecurity insurance premiums
How to Prevent Session Token Hijacking
It’s challenging to prevent token hijacks due to the human element. End-user education is key, but there are other tactics you can use to identify incidents of session token hijacking early to mitigate potential damage or data loss.
1. End User Education
Educate users on the importance of recognizing phishing attempts. Regular security awareness training sessions should teach users:
- How to spot suspicious emails
- The dangers of clicking on unknown links
- Why multi-factor authentication (MFA) matters
- How to recognize fake SaaS application login screens
Encourage users to verify the authenticity of unexpected emails and be cautious about entering credentials or sensitive information.
2. Implement an Access Token Expiration Policy
A robust access token expiration policy also limits the damage a successful session token hijack can do. By expiring SaaS application access tokens at fixed intervals, you shrink the window in which a stolen token remains usable. We recommend setting the expiration period to every 10 to 12 hours.
Additionally, whenever possible, leverage token binding techniques. Token binding ties an access token to a specific device, ensuring that the token is only valid when used from that device. This adds an extra layer of security, making it significantly harder for attackers to reuse stolen tokens from a different device.
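As an added illustration (not code from the article or from SaaS Alerts), the following Python sketch enforces both controls on the server side: a 12-hour token lifetime and a device-binding check that rejects a token replayed from a device other than the one it was issued to. The in-memory store, the bare device-fingerprint string and the user names are assumptions; a real service would use a database and a cryptographic binding.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

MAX_TOKEN_AGE = timedelta(hours=12)  # article's policy: expire tokens every 10 to 12 hours


class SessionStore:
    """In-memory session store with expiry and device binding (assumed simplification)."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> (user, device_fingerprint, issued_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()  # raw tokens are never stored

    def issue(self, user: str, device_fingerprint: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[self._hash(token)] = (user, device_fingerprint, now)
        return token

    def validate(self, token: str, device_fingerprint: str, now: datetime) -> tuple:
        """Return (accepted, reason_or_user); rejects expired tokens and tokens presented
        from a device other than the one they were issued to (a replayed stolen token)."""
        h = self._hash(token)
        rec = self._sessions.get(h)
        if rec is None:
            return False, "unknown token"
        user, bound_device, issued_at = rec
        if now - issued_at > MAX_TOKEN_AGE:
            self._sessions.pop(h, None)  # expired: force a fresh sign-in with MFA
            return False, "expired"
        if not hmac.compare_digest(bound_device, device_fingerprint):
            return False, "device mismatch"  # token replayed from another device
        return True, user


def demo() -> list:
    """Issue a token, then present it legitimately, from another device, and after expiry."""
    store = SessionStore()
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    tok = store.issue("alice@example.com", "laptop-fp-1", t0)
    return [
        store.validate(tok, "laptop-fp-1", t0 + timedelta(hours=1)),
        store.validate(tok, "attacker-fp", t0 + timedelta(hours=1)),
        store.validate(tok, "laptop-fp-1", t0 + timedelta(hours=13)),
        store.validate(tok, "laptop-fp-1", t0 + timedelta(hours=13)),
    ]
```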
3. Automated Detection and Remediation
You can identify potential compromises early by monitoring login locations, unusual activity patterns and changes to email forwarding rules. Automated remediation that acts directly on accounts showing signs of token-harvesting compromise lets you respond as soon as a compromise is spotted, including with actions such as:
- Automatically revoke access tokens
- Disable sign-in access
- Change account passwords
- Suspend accounts
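An added example, not part of the original post or of the SaaS Alerts product, of what such detection looks like over an audit log: it flags a session token used from a device or country other than the one that completed sign-in (with no new SignIn event, which is exactly the stealthy pattern described above) and any new inbox forwarding rule, and pairs each alert with a remediation. The JSON field names, the sample events and the alert format are assumptions.

```python
import json

# Constructed sample audit log in JSON-lines form; the field names are assumptions,
# not any vendor's schema. Session "s1" signs in with MFA from a US laptop, then the
# same session token is used from an unknown browser abroad, which adds a forwarding rule.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:02:11Z", "event": "SignIn", "user": "alice@example.com", "session": "s1", "device": "laptop-01", "country": "US", "mfa": true}
{"ts": "2024-05-01T08:05:40Z", "event": "MailRead", "user": "alice@example.com", "session": "s1", "device": "laptop-01", "country": "US"}
{"ts": "2024-05-01T09:17:03Z", "event": "MailRead", "user": "alice@example.com", "session": "s1", "device": "unknown-browser", "country": "NG"}
{"ts": "2024-05-01T09:18:22Z", "event": "New-InboxRule", "user": "alice@example.com", "session": "s1", "device": "unknown-browser", "country": "NG", "forward_to": "ext@example.org"}
{"ts": "2024-05-01T08:30:00Z", "event": "SignIn", "user": "bob@example.com", "session": "s2", "device": "desktop-07", "country": "US", "mfa": true}
{"ts": "2024-05-01T08:45:00Z", "event": "FileDownload", "user": "bob@example.com", "session": "s2", "device": "desktop-07", "country": "US"}
"""


def detect_token_hijack(log_text: str) -> list:
    """Flag sessions whose token is used from a device or country other than the one that
    completed sign-in (no new SignIn event appears, which is what token replay looks like),
    and any inbox forwarding rule created. Returns alert dicts, each with a remediation."""
    origin = {}      # session id -> (device, country) recorded at sign-in
    flagged = set()  # (session, device, country) already reported, to avoid duplicates
    alerts = []
    events = sorted((json.loads(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "SignIn":
            origin[sid] = (ev["device"], ev["country"])
            continue
        where = (ev["device"], ev["country"])
        if origin.get(sid) != where and (sid, *where) not in flagged:
            flagged.add((sid, *where))
            alerts.append({"type": "token_reuse", "user": ev["user"], "session": sid,
                           "ts": ev["ts"], "seen_from": where,
                           "signed_in_from": origin.get(sid),
                           "action": "revoke_session_token"})
        if ev["event"] == "New-InboxRule" and ev.get("forward_to"):
            alerts.append({"type": "forwarding_rule", "user": ev["user"], "session": sid,
                           "ts": ev["ts"], "forward_to": ev["forward_to"],
                           "action": "remove_rule_and_revoke_session_token"})
    return alerts
```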
Protect Against Token Hijacking with SaaS Alerts
With SaaS Alerts as part of your software stack, you can detect and remediate any unusual activity automatically, ensuring data stays secure at all times. Our SaaS security platform helps prevent losses from token hijacking compromises by:
- Automatically revoking session tokens, blocking unauthorized access and resetting passwords when an attack is detected
- Correlating device activity like login patterns with account activity, which raises the probability of detecting compromises
- Applying hardening settings across accounts to ensure robust security configurations
Start your free trial and discover how SaaS Alerts helps you identify and stop session token hacks.