Account credentials are no longer the only thing at stake; or rather, “credentials” no longer means just “username + password.” The term has become a catch-all for every possible authentication entry point into a given account. And as the definition of ‘credentials’ evolves, so do criminal ecosystems. One shift is toward hijacking established application sessions with a stolen cookie or token, which bypasses the need for credentials altogether – whether a username + password, MFA or even a passkey.
Session hijacking is a form of cybercrime that most enterprises are underestimating in their cybersecurity and fraud prevention strategies.
Because malware-stolen cookies are cheap and plentiful on the criminal underground, the technique is growing in popularity. Session hijacking (or cookie hijacking) bypasses whatever strong authentication mechanisms are in place – giving bad actors access to already authenticated sessions across your devices, browsers, and applications, regardless of the initial method of authentication.
Once an attacker has hijacked a session, they can do anything the original user is authorized to do. Depending on the target website, this could be fraudulently purchasing items, draining loyalty points or funds, accessing detailed personal information for the purpose of identity theft, or stealing confidential company data.
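The hijack described above works because the server trusts a valid cookie on its own. As an added example (not code from the original post), here is a minimal server-side session store that binds each session to the client context seen at login and treats a valid cookie arriving from a mismatching context as a possible stolen-cookie replay: the session is revoked and a detection event is recorded. The binding (client /24 plus User-Agent) and all sample values are constructed assumptions, not a standard.

```python
"""Session binding as a stolen-cookie detection: added example, assumptions as noted."""
import hashlib
import hmac
import secrets


def fingerprint(ip: str, user_agent: str) -> str:
    # Assumed binding: the client's /24 network plus the User-Agent string.
    # Loose enough to survive small IP changes, tight enough to flag a
    # cookie replayed from an unrelated machine.
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{prefix}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "fp": ...}
        self.events = []     # detection events for the SOC / fraud team

    def login(self, user: str, ip: str, user_agent: str) -> str:
        # Issue an unguessable session id and remember the login context.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "fp": fingerprint(ip, user_agent)}
        return sid

    def authorize(self, sid: str, ip: str, user_agent: str):
        # Returns the user for a cookie presented from a consistent context,
        # None for an unknown, revoked, or context-mismatched cookie.
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if not hmac.compare_digest(sess["fp"], fingerprint(ip, user_agent)):
            # Valid cookie, different client: treat as hijack. Revoke the
            # session so the attacker loses it too, and record the event.
            del self._sessions[sid]
            self.events.append({"user": sess["user"],
                                "reason": "session_context_mismatch"})
            return None
        return sess["user"]
```

Context binding is a heuristic (roaming users will occasionally trip it), so it complements rather than replaces short session lifetimes and re-authentication for sensitive actions.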
Session hijacking is also an easy way to launch a ransomware attack from inside the company network or a critical workforce service (including SSO) to access and encrypt valuable company data.
If you followed the CircleCI breach, you might recall that the initial attack vector was malware on an engineer’s laptop, which exposed a session cookie/token for the company’s SSO instance. This type of attack is becoming more common, and enterprises that consider SSO a silver bullet may want to think again.
When we demo a session hijack to customers, it’s 15 seconds they won’t soon forget. It’s a quick, effective cyberattack that’s displacing traditional password-driven account takeover (ATO), and businesses need to prepare for its rapid escalation. In a world where passkeys are about to become the next big thing, session hijacking isn’t going anywhere.