Avoid cookiejacking, the latest Internet Explorer threat, and stay safe online from social engineering

[Image: hand stealing cookies]

Cookiejacking is a new attack technique, relying on social engineering, recently disclosed by Rosario Valotta, an Italian Internet security researcher. It may affect all versions of Microsoft Internet Explorer.

Cookiejacking is a variant of the attack class known as clickjacking. It uses techniques similar to those of clickjacking to let an attacker read and steal cookies from your computer. To be clear, this is not an attack that happens on its own: for you to be exposed, several things have to take place. A third party has to set up a malicious Web page, lure you to it, and persuade you to perform an action such as dragging and dropping an image or other object. Tricking you into interacting with the malicious content is the only way an attacker can get hold of the cookies, and with them potentially the login names and hashed passwords stored for Web sites you have logged in to before. Keep in mind that a stolen session cookie can also let the attacker act as you on that site without needing any password at all.
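To make the "drag and drop" part of the description concrete, here is an added example that is not from the original post or from Valotta's proof of concept. It models only the generic browser behaviour a cookiejacking page relies on: a drop target whose handler captures whatever text the victim drags onto it and hands it to an attacker-controlled callback. The Internet Explorer-specific part (how cookie file contents end up in a draggable element) is deliberately not shown. The drop event, the cookie-style text and the `exfiltrate` callback are all constructed here for illustration.

```javascript
// Added illustration of the drop-target capture pattern behind cookiejacking.
// Not code from the original post; the sample event and cookie text are constructed.

// Parse "name=value; name2=value2" text into an object.
// Assumed input format: Cookie-header style pairs separated by semicolons.
function parseCookiePairs(text) {
  const cookies = {};
  for (const part of text.split(';')) {
    const idx = part.indexOf('=');
    if (idx <= 0) continue;                 // skip empty or malformed chunks
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) cookies[name] = value;
  }
  return cookies;
}

// Handler for the "drop" event on the attacker-controlled element.
// `exfiltrate` is injected so the capture logic can run offline; on a real
// page it would POST the captured data to the attacker's server.
function handleDrop(event, exfiltrate) {
  event.preventDefault();                   // stop the browser from navigating to the dropped text
  const text = event.dataTransfer.getData('text/plain') || '';
  const cookies = parseCookiePairs(text);
  if (Object.keys(cookies).length > 0) {
    exfiltrate({ capturedAt: event.timeStamp, cookies });
  }
  return cookies;                           // returned so callers (and tests) can inspect it
}

// Constructed stand-in for a DOM DragEvent carrying the given text.
function makeFakeDropEvent(text) {
  return {
    timeStamp: 12345,
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
    dataTransfer: { getData: (type) => (type === 'text/plain' ? text : '') },
  };
}

// Stand-alone run: simulate a victim dropping cookie-looking text onto the page.
const received = [];
const demo = handleDrop(makeFakeDropEvent('SESSIONID=abc123; user=alice'),
                        (data) => received.push(data));
console.log('attacker would receive:', JSON.stringify(received[0]));
console.log('parsed cookies:', demo);
```

The point for a reader is that nothing in the drop handler is exotic: any page can read what you drop on it, so the only defence against this kind of trick is not interacting with untrusted content in the first place.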

Microsoft is aware of the problem and has said that so far it has not seen any widespread attacks related to cookiejacking. It is working on an update for Internet Explorer, to be released soon, that will address the problem.

Although the issue may affect all versions of Internet Explorer, Microsoft has also pointed out that every Web browser is potentially exposed to clickjacking.

Until the update that fixes this problem is released, there are best-practice guidelines you can follow to stay safe online and avoid cookiejacking:

In Internet Explorer, use InPrivate Browsing. It does not load cookies saved by earlier browsing sessions and discards the ones created while you browse when you close the window, so there is less stored on your computer for an attacker to steal. Note that it does not protect the cookies of sites you log in to during that same InPrivate session, so it is no substitute for caution. These attacks succeed because the user is tricked into interacting with a malicious page, whichever browser you use, so always stay alert.

Always have up-to-date anti-virus software installed on your system, such as the free Microsoft Security Essentials, and keep Windows up to date.

Here is also a list of common social engineering scams that you should learn to recognize easily and stay away from:

  • Deals or offers that are too good to be true.
  • Bad grammar and misspellings.
  • Somebody offering you money for almost no effort on your part.
  • Pop-ups and/or messages alarming you about threats.
  • Donation requests for a charitable organization right after a disaster that has been in the news.
  • Odd messages from friends on social networking sites asking you to join games or offers where you have to respond immediately.
  • Anything that looks suspicious probably is!

This video demonstrates how a malicious Web page can carry out cookiejacking:

Remember to always follow best-practice guidelines, not only when a new security risk is in the news!

If you have other tips that can help people stay safe online, share them in the comments section. Thanks.

Source: Windows Security Blog