SpyCloud Launches Solution to Prevent ATO Fraud Caused by Session Hijacking

SpyCloud, the leader in account takeover and fraud prevention, announced the launch of Session Identity Protection, a transformative early warning system designed to prevent trusted user fraud, one of the hardest forms of fraud to detect. This solution helps enterprises protect malware-infected users from ATO and fraud due to session hijacking. When consumers or employees use malware-infected devices, bad actors can access everything they need to be virtually indistinguishable from their victims, making it difficult to detect account takeover and online fraud until it’s too late.

Session Hijacking (or Cookie Hijacking) 101


Trick user into clicking on a dangerous link or downloading a malicious attachment to infect their device with malware.


The malware siphons all manner of data from the infected device, including credentials, autofill info, and web session cookies.


Use a stolen session cookie to authenticate as the user – without the need for a username and password – bypassing fraud controls including MFA.

SpyCloud Session Identity Protection

SpyCloud Session Identity Protection helps enterprises identify vulnerable users early by providing visibility of their malware-stolen session and device cookies so they can invalidate compromised browser sessions that allow bad actors to bypass MFA.

“There are virtually no indicators that differentiate a legitimate user from a criminal using an anti-detect browser and stolen session cookie data,” said Jacob Wagh, Senior Product Manager at SpyCloud. “SpyCloud’s database of recaptured breach and botnet data shows stolen session cookie data indicating a risk of fraud before the credentials connected to an associated account have even been compromised.”

Session Identity Protection gives enterprises access to stolen session data for their domain as well as third-party workforce service domains (i.e. mycompany.okta.com), so they can address this type of fraud proactively. When companies query the Session Identity Protection API, SpyCloud returns compromised cookie data associated with these domains that puts their users at risk, including the information they need to identify which accounts are vulnerable and determine how to intervene.

Even expired cookies matter: enterprises can also flag users with known compromised devices for future logins or transactions, even if the session has already expired.

Using the recaptured data provided by SpyCloud, enterprises can:
  • Protect high-value accounts from bad actors using stolen cookies to mimic trusted devices and sidestep MFA
  • Invalidate active sessions identified by a compromised cookie
  • Proactively reach out to high-value consumers and build trust
  • Flag vulnerable accounts with known compromised devices for increased scrutiny of future logins/transactions (regardless of cookie expiration time)

To learn more about Session Identity Protection, book time with our team: 

Request a meeting with SpyCloud

Only SpyCloud has recaptured billions of stolen cookies from millions of malware-infected devices. We're the experts in using recaptured data to level the playing field with criminals.

Laptop with a user logging in, combined with magnifying glass implying the device is infected with malware

Trusted by market leaders

With 500+ customers around the world, including half of the Fortune 10, SpyCloud is the leader in operationalizing Cybercrime Analytics to protect businesses.

We’re on a mission to make the internet a safer place by disrupting the criminal underground. Together with our customers, we aim to stop criminals from profiting off stolen data.

#1 Global
Streaming Service
#1 Global
#1 Global Software
US Banks
#1 Global
Online Retailer
#1 US Crypto Exchange