
New study details how easy it is for hackers to steal your data

15 Mar 18

A new report from Exabeam has detailed just how easy it is for cybercriminals to hack into your life.

It’s no secret that web browsers store a substantial amount of sensitive information about their users, with website developers using a variety of ways to customise the experience. Advertisers also use these features to maximise the impact of ads shown on sites.

The result is that a lot of information about you is stored deep within your browser, and Exabeam senior threat researcher Ryan Benson says it can then potentially be exploited by hackers in a number of ways. All kinds of personal information, from your location, work hours, habits, banks, applications, and even passwords are there for the taking.

There are several ways that browsers store information, including visited sites, HTTP cookies, local storage, saved login info and autofill.

To create its study, Exabeam visited and conducted tests on the most popular sites on the Internet, using the Alexa Top 1000 list as their guide.

In the first phase of their research, Exabeam found 56 websites stored some level of geolocation information about the user on their local system, while 57 recorded a user’s IP address.

“For the second phase, we were able to extract a number of potentially sensitive items from popular services, including account usernames, associated email addresses, search terms, titles of viewed emails and documents, and downloaded files. Table 2 below shows some of the more notable examples,” says Benson.

“In addition to these site actions, if a user chose to have the browser save their password for them using the built-in password managers, we were able to extract those saved usernames and passwords for all sites tested.”

So how can attackers gain access to this information?

Benson says it is actually quite straightforward. Malware to harvest information stored in a browser is easily accessible and variants have been around for years, including the Cerber, Kriptovor, and CryptXXX ransomware families.

“The free NirSoft tool WebBrowserPassView dumps saved passwords from Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. While ostensibly designed to help users recover their own passwords, it can be put to nefarious use. The recent ‘Olympic Destroyer’ malware used to disrupt the Pyeongchang Olympic Games reportedly took advantage of user credentials saved in the browser,” says Benson.

“Another concern is anyone working on a shared computer or in a shared workspace. If a machine is unlocked, extracting browser data for analysis could be done in seconds with the insertion of a USB drive running specialised software or click of a web link to insert malware. While it is true that browsers encrypt passwords, these are decrypted when used by the browser, and can be accessed by any process.”

And then with this information (what Exabeam has labelled a ‘web dossier’), how can cybercriminals exploit it?

Account discovery

“An attacker could compile a list of applications you commonly log into from your URL history, including work applications and personal finance sites. Criminals can learn who in a company has access to the financial or payroll application, for example, and compile a list of usernames to use to break in,” says Benson.

“Knowing what applications are in use at a company can help an attacker craft more convincing phishing emails to try and trick users into exposing their passwords, which the attacker could then harvest.”

Benson says it would also be simple to learn the name of your bank, online broker, or retirement fund manager.

Location history

“We were able to extract different levels of geolocation indicators, including IP address, from a wide array of popular websites, including nba.com and cbssports.com. News sites, including cbsnews.com, cnn.com, usatoday.com, foxnews.com, telegraph.co.uk, nypost.com, and nytimes.com, also store information about a user’s location on that user’s local machine,” says Benson.

“Extracting historical location information from a web browser can paint a picture of a user’s habits and past activities. By extracting similar types of information from a broad range of websites, investigators can get multiple data points to help corroborate different geolocation data points. So an attacker can determine when you are at work and when you are at home, for example.”

User interests

“Of course, with access to your URL history, an attacker can learn about your personal interests quite easily. There are two ways an attacker could manipulate this information. First, it is well known that attackers use hobbies to guess passwords,” says Benson.

“Second, if your hobbies or interests are controversial, unusual or even illegal, you may fall victim to online blackmail. And lastly, with the unfortunate rise of cyberbullying, especially among teens, a web dossier could be used to expose or embarrass the victim.”

Device discovery

“Modern browsers offer the option of a consistent experience to users, no matter what device they are using. Because of this, it can be possible to extract information about what other devices a user owns by examining browser history,” says Benson.

“Some browsers explicitly sync records from multiple devices to each other, and some make use of “casting” or other screen sharing methods to communicate with other devices. By looking at this information, it may be possible to find a device that a user is trying to keep hidden, or to connect a personal machine to a work machine.”

And so in terms of protection, Benson says ensuring endpoint protection and not leaving machines unlocked in public spaces are both essential – users should also consider changing browser settings to further protect their privacy.
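As an added illustration (not from Exabeam's report or this article), one way to see how much a browser profile holds in each of the storage categories listed earlier, before deciding which settings to change: this Python sketch counts records in a Chromium-style profile without reading or decrypting any values. The file and table names follow the Chromium profile layout, which is an assumption about the browser in use, and the sample profile is constructed.

```python
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

# (file relative to the profile dir, table) per storage category named in the
# article. Chromium layout; older builds keep Cookies in the profile root.
STORES = {
    "visited sites": [("History", "urls")],
    "HTTP cookies": [("Network/Cookies", "cookies"), ("Cookies", "cookies")],
    "saved logins": [("Login Data", "logins")],
    "autofill entries": [("Web Data", "autofill")],
}

def count_rows(db_path, table):
    """Row count of one table, opened read-only; None if absent or unreadable."""
    if not db_path.is_file():
        return None
    try:
        with closing(sqlite3.connect(f"{db_path.resolve().as_uri()}?mode=ro", uri=True)) as conn:
            return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
    except sqlite3.Error:  # locked by a running browser, or a different schema
        return None

def inventory(profile_dir):
    """Map each category to a record count; values are never read or decrypted."""
    profile, report = Path(profile_dir), {}
    for category, candidates in STORES.items():
        found = [n for rel, table in candidates
                 if (n := count_rows(profile / rel, table)) is not None]
        report[category] = sum(found) if found else None
    leveldb = profile / "Local Storage" / "leveldb"
    report["local storage files"] = (
        sum(p.is_file() for p in leveldb.iterdir()) if leveldb.is_dir() else None)
    return report

def make_sample_profile(root):
    """Constructed sample profile (not real browser data) for an offline run."""
    for name, table, rows in [("History", "urls", 3), ("Login Data", "logins", 2)]:
        with closing(sqlite3.connect(Path(root) / name)) as conn:
            conn.execute(f'CREATE TABLE "{table}" (id INTEGER)')
            conn.executemany(f'INSERT INTO "{table}" VALUES (?)', ((i,) for i in range(rows)))
            conn.commit()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for category, n in inventory(make_sample_profile(tmp)).items():
            print(f"{category}: {'not readable' if n is None else n}")
```

A count of `None` means the store was absent or could not be opened, which also happens while the browser is running and holds a lock on the file.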
