Who Stole my Cookies? A Guide to Token Theft

Cybersecurity is an important topic that is constantly evolving. In this blog, Q2 Security Analyst Phillip Williams shared important information about a growing cybersecurity threat, token theft. 

Multi-Factor Authentication (MFA) has become a necessity for securing the modern hybrid workplace and protecting personal accounts. Like most advancements in cybersecurity, as MFA has grown more prevalent, so have attempts to subvert it. Along with the rise of remote work and adoption of MFA, threat intelligence sources such as Microsoft’s Detection and Response Team (DART) have detected a surge in token theft attacks. Threat actors use token theft to covertly compromise user accounts while bypassing MFA.

When a user logs into an online service that uses token-based authentication, they are granted an access token, which is often stored in a browser cookie. When an access token is stolen, the attacker can duplicate the token and embed it in their own browser to impersonate the user. Upon refreshing the targeted service’s login page, the authentication requirements are satisfied by the stolen token and the attacker is logged in. This attack compromises the account while bypassing the requirement for credentials and MFA. Token theft has the added benefit of stealth since the user doesn’t receive notification of an unauthorized MFA prompt or sign in attempt.

Malware authors are known for fast action and ingenuity, so it’s no surprise that malware has quickly adapted to leverage exploits targeting MFA. Emotet, Raccoon Stealer, and RedLine are a few examples of malware that implement token theft techniques.  Malware can steal tokens by exfiltrating browser cookies from a compromised device along with the credentials used to log in. Stolen credentials can be used to maintain access or escalate privileges during the attack. All of this happens in the background, and the user is logged into the service with no knowledge that their cookie jar has been raided.

Attackers can also steal tokens by positioning themselves between the user and the service with a Man-in-the-Middle (MitM) attack. Publicly available phishing kits like Evilginx2 make it easy to set up phishing sites using prefabricated templates. When an unsuspecting user enters their credentials on a phishing site, Evilginx2 captures the credentials, then steals the access token after the user authenticates with MFA. The user is then redirected from the phishing site to their logged in session on the legitimate site.

In the constantly evolving cyberthreat landscape, token theft is on the rise as a counter to MFA protected accounts. The good news is strong security practices that defend against malware and phishing will also prevent token theft attacks that rely on these methods. Here are some practices that help mitigate the threat of token theft:

• Leverage phishing-resistant MFA. The most widely available implementation of this practice is FIDO/WebAuthn. FIDO authenticators are phishing resistant because they will not work on an illegitimate site; a token can’t be stolen if the user can’t authenticate on a phishing site.
• Keep anti-virus software up to date on all devices. This will minimize exposure to new malware threats.
• An Endpoint Detection and Response (EDR) tool constantly monitors devices for malicious or anomalous behavior, and takes automatic action when a threat is detected (https://www.ibm.com/topics/edr).
• Access to critical applications can be restricted to devices managed by your organization. You can ensure these devices are kept up to date and protected by antivirus/EDR to mitigate malware and phishing threats.
• Conditional access policies reduce the risk of token theft on unmanaged devices. Access to important resources can be restricted based on conditions such as user risk, location, and device platform.
• Reducing session lifetime and token lifetime can minimize the impact of a successful token theft attack. This also increases the chances of detection should the attacker attempt to regain access by stealing another token.
• Finally, user education and a strong organizational security culture go a long way in mitigating cyberattacks. This is especially true for malware and phishing, which often rely on tricking an unsuspecting user into making a mistake.

Additional resources

Don't Clink the Links: Phishing Kits for Fraud

The Dark Side of AI: WormGPT

Security Awareness: FIDO (Fast Identity Online) Authentication

MITRE ATT&CK – Access Token Manipulation: Token Impersonation/Theft