Cookie Thieves on the Loose

The world has been keeping a careful watch over its cookies since the creation of Sesame Street in 1969 brought with it a furry blue monster with no impulse control and a sweet tooth that just won’t quit. Now it appears cookies of the non-sugary variety are likewise in danger of being swiped.

Researchers at Kaspersky detected two new Android malware modifications which, when combined, can steal cookies collected by the browser and app of social networking sites.

While lovable blue rogue Cookie Monster is in it for the sugar fix, these digital cookie thieves are out to take control of victims’ accounts and use them to distribute content that is decidedly unsavory.

Cookies are small chunks of data collected by websites to track users’ browser activity. This data is then used to create a creepily personal user experience in the future.

For example, if you ordered a pizza for home delivery via a website, the next time you logged in, the suddenly overly familiar website might welcome you by name.

Typically perceived as just a nuisance, cookies can also pose a security risk because when they are stored by websites, they use a unique session ID. Thieves who get their mitts on a user’s ID can pose as that user in the future without having to log in or enter a password.

Stealing a victim’s session ID isn’t always enough to access their account. Many websites have security measures in place to block a suspicious log-in attempt, for example.

The devious cyber-criminals detected by Kaspersky cloaked their shady exploits by deploying two different Trojans.

The first was used to acquire root rights on a victim’s device, which allowed the thieves to transfer the networking site’s cookies to their own servers. The second ran a proxy server on a victim’s device to bypass security measures and gain access without unleashing the fishy odor of suspicion.

By following the virtual crumb trail left by the cyber-cookie monsters, researchers discovered that 1000 individuals had so far been targeted. Perhaps it’s time to put data-sharing on a strict diet?

What’s Hot on Infosecurity Magazine?