This is how online account hijacking works before you sign up

Online account hijacking

One of the main goals of attackers is to steal online accounts: social network profiles, bank accounts, email and so on. They use many different methods and strategies to do it. But can they hijack an account before we have even signed up for it? The answer is yes, and here we explain exactly how they do it.

Account theft before registration

This type of attack is known as account pre-hijacking. It is exactly what the name says: taking over an account before it has even been created. It gives the attacker control of that account in the future, even without knowing its password. Many online services can be affected.

What the attacker does is create an account on a popular online platform, one that usually has many users, using another person's email address. When the victim later creates an account with that same email, the attacker keeps control: he can read any information the victim enters and, later, take exclusive control of the account.

First of all, logically, the attacker needs access to the email account, that is, an email address that has already been compromised. They can be bought on the Dark Web, where stolen accounts of all kinds are for sale. After that, the attacker signs up with that address on some popular service where the victim has not created an account yet, and simply waits for the victim to eventually create an account there.

The moment the victim decides to register on that platform, they receive a message saying that an account with that email already exists. They will have to reset the password and will assume it was a mistake, or that they created the account a long time ago and have forgotten it. The attacker is notified and can retain access to that account.

Access to the same account

In many cases it is possible to log in directly with Google: a page lets you either create an account or sign in directly with your Gmail account. If the service links that login to the account the attacker already registered with the same email, both end up with access to the same account, and the attacker can start stealing information, phishing, and so on.

The attacker can also create an account using the victim's email address and keep the session active. Once the victim claims the account and resets the password, the attacker is still logged in, because the service has not terminated the existing session.

Another cause is that the service does not verify email addresses at all. When the victim registers using the same email, it is possible that both end up with access to the same account.
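The three weaknesses above (linking a federated login to an existing unverified account, not revoking sessions on password reset, and not verifying email at all) can be modelled in a few lines. The following is an added example written for this article, not code from the article or from any real service; the `AccountService` class, its three configuration switches and the sample address `victim@example.com` are constructed for illustration. The weak configuration reproduces each pre-hijacking path; the hardened configuration closes it.

```python
"""Toy account service: weak registration behaviour beside the hardened form.
All names and the sample address are constructed for this example."""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class Account:
    email: str
    password: Optional[str]     # plaintext only because this is a toy model
    verified: bool = False      # has the mailbox owner confirmed this address?
    sessions: set = field(default_factory=set)


class AccountService:
    """Each switch closes one of the pre-hijacking paths described above."""

    def __init__(self, verify_email=False, revoke_sessions_on_reset=False,
                 discard_unverified_on_conflict=False):
        self.verify_email = verify_email
        self.revoke_sessions_on_reset = revoke_sessions_on_reset
        self.discard_unverified_on_conflict = discard_unverified_on_conflict
        self.accounts = {}          # email -> Account
        self.pending_tokens = {}    # email -> token "sent" to the mailbox

    def _new_session(self, acct):
        sid = secrets.token_hex(8)
        acct.sessions.add(sid)
        return sid

    def _conflict(self, email):
        """True if an existing account blocks a new claim on this email."""
        acct = self.accounts.get(email)
        if acct is None:
            return False
        if self.discard_unverified_on_conflict and not acct.verified:
            del self.accounts[email]    # never confirmed: treat as a placeholder
            return False
        return True

    def signup_with_password(self, email, password):
        if self._conflict(email):
            return "already_exists"
        self.accounts[email] = Account(email, password, verified=not self.verify_email)
        if self.verify_email:
            self.pending_tokens[email] = secrets.token_hex(8)
        return "created"

    def confirm_email(self, email, token):
        if self.pending_tokens.get(email) == token:
            self.accounts[email].verified = True
            del self.pending_tokens[email]
            return True
        return False

    def login_with_password(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or acct.password != password or not acct.verified:
            return None
        return self._new_session(acct)

    def login_federated(self, email):
        """The identity provider (e.g. Google) has asserted ownership of email."""
        if self._conflict(email):
            acct = self.accounts[email]     # weak path: merges into the existing account
        else:
            acct = Account(email, password=None, verified=True)
            self.accounts[email] = acct
        return self._new_session(acct)

    def reset_password(self, email, new_password):
        acct = self.accounts[email]
        acct.password = new_password
        acct.verified = True                # the reset link proved mailbox control
        if self.revoke_sessions_on_reset:
            acct.sessions.clear()

    def session_valid(self, email, sid):
        acct = self.accounts.get(email)
        return acct is not None and sid in acct.sessions


VICTIM = "victim@example.com"   # constructed sample address


def run_scenarios(svc_factory):
    """For each path, report whether the attacker still has access at the end."""
    results = {}
    # 1. No email verification: attacker registers the victim's address first.
    svc = svc_factory()
    svc.signup_with_password(VICTIM, "attacker-pw")
    if svc.signup_with_password(VICTIM, "victim-pw") == "created":
        svc.confirm_email(VICTIM, svc.pending_tokens.get(VICTIM, ""))
    results["unverified_signup"] = svc.login_with_password(VICTIM, "attacker-pw") is not None
    # 2. Attacker is logged in before the victim resets the password.
    svc = svc_factory()
    svc.signup_with_password(VICTIM, "attacker-pw")
    sid = svc.login_with_password(VICTIM, "attacker-pw")
    svc.reset_password(VICTIM, "victim-pw")
    results["session_survives_reset"] = sid is not None and svc.session_valid(VICTIM, sid)
    # 3. Victim arrives via "Sign in with Google" and lands on the attacker's account.
    svc = svc_factory()
    svc.signup_with_password(VICTIM, "attacker-pw")
    svc.login_federated(VICTIM)
    results["federated_merge"] = svc.login_with_password(VICTIM, "attacker-pw") is not None
    return results


def weak_service():
    return AccountService()


def hardened_service():
    return AccountService(verify_email=True, revoke_sessions_on_reset=True,
                          discard_unverified_on_conflict=True)


if __name__ == "__main__":
    print("weak:    ", run_scenarios(weak_service))
    print("hardened:", run_scenarios(hardened_service))
```

The switches are independent, which matches the article's point that each weakness is a separate cause: a service that only revokes sessions on reset closes path 2 but still lets the attacker keep the unverified account from path 1, while the hardened service never lets an unconfirmed registration block or merge with the real owner's signup.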

Security researchers have tested numerous accounts and found that some popular online services, such as Instagram, LinkedIn, or WordPress, are vulnerable to this technique. Now, what can we do to avoid being victims of this problem? It will be essential to protect the email account at all times. This means that we must have a good password and activate two-step authentication. This will prevent an attacker from stealing an account even before we sign up for a service.