Why Hacker Tactics Are Shifting To Cookie Theft: Expert

As more organizations adopt multifactor authentication, theft of browser cookies is becoming a go-to method for attackers to bypass the security measure, says Sophos Global Field CTO Chester Wisniewski.

As more organizations adopt multifactor authentication (MFA), the theft of web browser cookies is turning into a go-to method for attackers seeking to subvert the security measure, according to a top security researcher.

MFA, which requires a second form of authentication beyond username and password, has long been considered harder to defeat than password-only logins. It is an essential part of cyberdefense against the massive risk posed by stolen or compromised passwords.

Organizations have gotten the message, and MFA is now increasingly commonplace even among small and midsize businesses. But because browser cookies are sometimes configured to allow logging in without triggering an MFA challenge, theft of the web session data is proving to be an ideal workaround for attackers, said Sophos Global Field CTO Chester Wisniewski.

“More and more small businesses are adopting good security practices, like multifactor [authentication],” Wisniewski told CRN. “But if I can get onto one computer and steal those cookies, I don’t need to worry about multifactor anymore. I can just bypass the authentication entirely.”

Ultimately, “the cookie is the universal key that unlocks everything,” he said.

The growth of this tactic among threat actors is underscored by findings from the recently released 2024 Sophos Threat Report, including the discovery that nearly all attacks tracked in the report—90 percent—included the use of infostealer malware. The percentage of attacks involving infostealers had not been tracked in previous years since it was seen as a significantly smaller concern, Wisniewski said.

And while the tools can be used to steal passwords, attackers are frequently using the malware to obtain browser cookies, he said. “I think that’s one of the reasons why the infostealers are 90 percent of attacks now—it’s just becoming table stakes.”

The tactic poses a particularly serious threat to SMBs, which may be unaware that MFA is not bulletproof, Wisniewski said.

“They don’t realize that if the cookie is stolen, the criminal has access,” he said.

SMBs ‘Overwhelmed’

MFA is “not ubiquitous yet” at the small-business level, but there has certainly been an “awakening” about it among SMBs, said Aaron Boissonnault, CISO at Navisite, which was recently acquired by Accenture.

“I would say adoption has really accelerated over the last probably 18 to 24 months,” Boissonnault said. “Especially as they move into the cloud and are dealing with Microsoft 365 and other things for their productivity, it makes it easier for folks to adopt [MFA]. I think the barrier of entry has lowered there.”

At the same time, when it comes to SMBs’ need for security, “they are for sure overwhelmed already,” he said.

And so with rising threats such as the theft of browser cookies, smaller businesses will undoubtedly be looking to rely even more heavily on their vendors and service providers for assistance, according to Boissonnault.

“For our customers to have to worry about keeping up with the threat landscape and evolving tactics, techniques, procedures, and so forth, it’s impossible for them,” he said.

Monitoring For Anomalies

Key defenses against attacks exploiting stolen cookies include detection of anomalies in user behavior, Wisniewski said.

“You have to use different tactics to detect that somebody might have been compromised using more than just a stolen password,” he said. “When your adversary has access to your cookies, you now need to be doing anomaly detection.”

Anomaly detection might include looking for “impossible travel” or activity during unlikely work hours, Wisniewski said. For instance, “that user typically doesn’t log in during Moscow hours, or that user typically doesn’t log in from Singapore,” he said.

It’s also important to monitor for access to file folders, applications or other shared resources that a user doesn’t typically access.

“If they log in and immediately go into the HR app and start rummaging around in the finance [file] share, that’s probably not normal behavior for Bill the sales guy,” Wisniewski said. “But small businesses generally aren’t in a position to do that sort of monitoring, and that makes them more vulnerable to these kinds of risks.”
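The three signals described above (impossible travel, activity at unlikely hours, and access to resources outside a user's norm) can be checked over authenticated-session logs. The following Python is an added example, not code from the article or from Sophos; the event fields, speed ceiling, working-hours window, per-user baseline and sample events are all constructed assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900               # assumed ceiling: roughly airliner cruise speed
WORK_HOURS = range(7, 20)   # assumed working window, evaluated in UTC for brevity

# Constructed baseline: resources each user normally touches.
BASELINE = {"bill": {"crm", "mail"}}

# Constructed events: (ISO time in UTC, user, latitude, longitude, resource)
EVENTS = [
    ("2024-03-12T14:02:00", "bill", 42.36, -71.06, "crm"),            # Boston
    ("2024-03-12T14:40:00", "bill", 42.36, -71.06, "mail"),
    ("2024-03-12T15:10:00", "bill", 1.35, 103.82, "hr-app"),          # Singapore
    ("2024-03-13T02:30:00", "bill", 1.35, 103.82, "finance-share"),
]

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def find_anomalies(events, baseline):
    """Return (time, user, reason) tuples for the three signals in the text."""
    alerts, last_seen = [], {}
    for ts, user, lat, lon, resource in sorted(events):
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        if prev:
            hours = (when - prev[0]).total_seconds() / 3600
            dist = km_between(prev[1], prev[2], lat, lon)
            # Ignore small moves (geo-IP jitter); flag speeds no traveller could reach.
            if dist > 50 and (hours == 0 or dist / hours > MAX_KMH):
                alerts.append((ts, user, "impossible_travel"))
        if when.hour not in WORK_HOURS:
            alerts.append((ts, user, "unusual_hours"))
        if resource not in baseline.get(user, set()):
            alerts.append((ts, user, "unusual_resource"))
        last_seen[user] = (when, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(EVENTS, BASELINE):
        print(alert)
```

In practice the coordinates would come from geo-IP lookups on the session's source address, and the baseline would be learned from each user's history rather than hard-coded.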