Story image

New study details how easy it is for hackers to steal your data

15 Mar 18

A new report from Exabeam has detailed just how easy it is for cybercriminals to hack into your life.

It’s no secret that web browsers store a substantial amount of sensitive information about their users, with website developers using a variety of ways to customise the experience. Advertisers also use these features to maximise the impact of ads shown on sites.

The result is that a lot of information about you is stored deep within your browser, and Exabeam senior threat researcher Ryan Benson says it then be potentially exploited by hackers in a number of ways. All kinds of personal information, from your location, work hours, habits, banks, applications, and even passwords are there for the taking.

There are several ways that browsers store information, including visited sites, HTTP cookies, local storage, saved login info and autofill.

To create its study, Exabeam visited and conducted tests on the most popular sites on the Internet, using the Alexa Top 1000 list as their guide.

In the first phase of their research, Exabeam found 56 websites stored some level of geolocation information about the user on their local system, while 57 recorded a user’s IP address

“For the second phase, we were able to extract a number of potentially sensitive items from popular services, including account usernames, associated email addresses, search terms, titles of viewed emails and documents, and downloaded files. Table 2 below shows some of the more notable examples,” says Benson.

“In addition to these site actions, if a user chose to have the browser save their password for them using the built in password managers, we were able to extract those saved usernames and passwords for all sites tested.”

So how can attackers gain access to this information?

Benson says it is actually quite straightforward. Malware to harvest information stored in a browser is easily accessible and variants have been around for years, including the Cerber, Kriptovor, and CryptXXX ransomware families.

“The free NirSoft tool WebBrowserPassView dumps saved passwords from Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. While ostensibly designed to help users recover their own passwords, it can be put to nefarious use. The recent ‘Olympic Destroyer’ malware used to disrupt the Pyeongchang Olympic Games reportedly took advantage of user credentials saved in the browser,” says Benson.

“Another concern is anyone working on a shared computer or in a shared workspace. If a machine is unlocked, extracting browser data for analysis could be done in seconds with the insertion of a USB drive running specialised software or click of a web link to insert malware. While it is true that browsers encrypt passwords, these are decrypted when used by the browser, and can be accessed by any process.”

And then with this information (what Exabeam has labelled a ‘web dossier’), how can cybercriminals exploit it?

Account discovery

“An attacker could compile a list of applications you commonly log into from your URL history, including work applications and personal finance sites. Criminals can learn who in a company has access to the financial or payroll application, for example, and compile a list of usernames to use to break in,” says Benson.

“Knowing what applications are in use at a company can help an attacker craft more convincing phishing emails to try and trick users into exposing their passwords, which the attacker could then harvest.”

Benson says it would also be simple to learn the name of your bank, online broker, or retirement fund manager.

Location history

“We were able to extract different levels of geolocation indicators, including IP address, from a wide array of popular websites, including nba.com and cbssports.com. News sites, including cbsnews.com, cnn.com, usatoday.com, foxnews.com, telegraph.co.uk, nypost.com, and nytimes.com, also store information about a user’s location on that user’s local machine,” says Benson.

“Extracting historical location information from a web browser can paint a picture of a user’s habits and past activities. By extracting similar types of information from a broad range of websites, investigators can get multiple data points to help corroborate different geolocation data points. So an attacker can determine when you are at work and when you are at home, for example.”

User interests

“Of course, with access to your URL history, an attacker can learn about your personal interests quite easily. There are two ways an attacker could manipulate this information. First, it is well known that attackers use hobbies to guess passwords,” says Benson.

“Second, if your hobbies or interests are controversial, unusual or even illegal, you may fall victim to online blackmail. And lastly, with the unfortunate rise of cyberbullying, especially among teens, a web dossier could be used to expose or embarrass the victim.”

Device discovery

“Modern browsers offer the option of a consistent experience to users, no matter what device they are using. Because of this, it can be possible to extract information about what other devices a user owns by examining browser history,” says Benson

“Some browsers explicitly sync records from multiple devices to each other, and some make use of “casting” or other screen sharing methods to communicate with other devices. By looking at this information, it may be possible to find a device that a user is trying to keep hidden, or to connect a personal machine to a work machine.”

And so in terms of protection, Benson says ensuring endpoint protection and not leaving machines unlocked in public spaces are both essential – users should also consider changing browser settings to further protect their privacy.

Stepping up to sell security services in A/NZ
WatchGuard Technologies A/NZ regional director gives his top tips on how to make a move into the increasingly lucrative cybersecurity services market.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Chch crypto-exchange Cryptopia suffers breach
Cryptopia has reportedly experienced a security breach that has taken the entire platform offline – and resulted in ‘significant losses’.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.
Carbon Black: What does cybersecurity have in store for 2019?
Tom Kellerman has shared five insights for the year ahead, including a particularly bold one.
Hands-on review: The Ekster Wallet protects your cards against RFID attacks
For some time now, I’ve been protecting my credit cards with tinfoil. The tinfoil hat does attract a lot of comments, but thanks to Ekster, those days are now happily behind me.
Report on SingHealth breach condemns poor security practices
The 2018 Singapore SingHealth data breach was poorly managed and riddled with vulnerabilities from the start.
Tesla wants people to hack its Model 3
Tesla is offering white hat hackers what could be the chance of a lifetime – the opportunity to hack one of its Model 3 vehicles.