New study details how easy it is for hackers to steal your data

15 Mar 2018

A new report from Exabeam has detailed just how easy it is for cybercriminals to hack into your life.

It’s no secret that web browsers store a substantial amount of sensitive information about their users, with website developers using a variety of ways to customise the experience. Advertisers also use these features to maximise the impact of ads shown on sites.

The result is that a lot of information about you is stored deep within your browser, and Exabeam senior threat researcher Ryan Benson says it can then potentially be exploited by hackers in a number of ways. All kinds of personal information, including your location, work hours, habits, banks, applications, and even passwords, are there for the taking.

There are several ways that browsers store information, including visited sites, HTTP cookies, local storage, saved login info and autofill.

To create its study, Exabeam visited and conducted tests on the most popular sites on the Internet, using the Alexa Top 1000 list as their guide.

In the first phase of their research, Exabeam found 56 websites stored some level of geolocation information about the user on their local system, while 57 recorded a user’s IP address.

“For the second phase, we were able to extract a number of potentially sensitive items from popular services, including account usernames, associated email addresses, search terms, titles of viewed emails and documents, and downloaded files. Table 2 below shows some of the more notable examples,” says Benson.

“In addition to these site actions, if a user chose to have the browser save their password for them using the built-in password managers, we were able to extract those saved usernames and passwords for all sites tested.”

So how can attackers gain access to this information?

Benson says it is actually quite straightforward. Malware to harvest information stored in a browser is easily accessible and variants have been around for years, including the Cerber, Kriptovor, and CryptXXX ransomware families.

“The free NirSoft tool WebBrowserPassView dumps saved passwords from Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. While ostensibly designed to help users recover their own passwords, it can be put to nefarious use. The recent ‘Olympic Destroyer’ malware used to disrupt the Pyeongchang Olympic Games reportedly took advantage of user credentials saved in the browser,” says Benson.

“Another concern is anyone working on a shared computer or in a shared workspace. If a machine is unlocked, extracting browser data for analysis could be done in seconds with the insertion of a USB drive running specialised software or click of a web link to insert malware. While it is true that browsers encrypt passwords, these are decrypted when used by the browser, and can be accessed by any process.”

And then with this information (what Exabeam has labelled a ‘web dossier’), how can cybercriminals exploit it?

Account discovery

“An attacker could compile a list of applications you commonly log into from your URL history, including work applications and personal finance sites. Criminals can learn who in a company has access to the financial or payroll application, for example, and compile a list of usernames to use to break in,” says Benson.

“Knowing what applications are in use at a company can help an attacker craft more convincing phishing emails to try and trick users into exposing their passwords, which the attacker could then harvest.”

Benson says it would also be simple to learn the name of your bank, online broker, or retirement fund manager.

Location history

“We were able to extract different levels of geolocation indicators, including IP address, from a wide array of popular websites, including nba.com and cbssports.com. News sites, including cbsnews.com, cnn.com, usatoday.com, foxnews.com, telegraph.co.uk, nypost.com, and nytimes.com, also store information about a user’s location on that user’s local machine,” says Benson.

“Extracting historical location information from a web browser can paint a picture of a user’s habits and past activities. By extracting similar types of information from a broad range of websites, investigators can get multiple data points to help corroborate different geolocation data points. So an attacker can determine when you are at work and when you are at home, for example.”

User interests

“Of course, with access to your URL history, an attacker can learn about your personal interests quite easily. There are two ways an attacker could manipulate this information. First, it is well known that attackers use hobbies to guess passwords,” says Benson.

“Second, if your hobbies or interests are controversial, unusual or even illegal, you may fall victim to online blackmail. And lastly, with the unfortunate rise of cyberbullying, especially among teens, a web dossier could be used to expose or embarrass the victim.”

Device discovery

“Modern browsers offer the option of a consistent experience to users, no matter what device they are using. Because of this, it can be possible to extract information about what other devices a user owns by examining browser history,” says Benson.

“Some browsers explicitly sync records from multiple devices to each other, and some make use of “casting” or other screen sharing methods to communicate with other devices. By looking at this information, it may be possible to find a device that a user is trying to keep hidden, or to connect a personal machine to a work machine.”

And so in terms of protection, Benson says ensuring endpoint protection and not leaving machines unlocked in public spaces are both essential – users should also consider changing browser settings to further protect their privacy.
