According to cyber security experts, new malware has been developed that can retain access to your accounts even after they have been reset and their passwords changed. A recent zero-day attack resulted in hackers regaining access to compromised Google accounts even after the victims had changed their passwords.
This malware lets attackers take over users’ web browser sessions via a malicious download or link. The security experts discovered that the exploit relied on an undocumented Google OAuth endpoint known as “MultiLogin”, whose purpose is to sync Google accounts across numerous devices.
Enterprises in South Africa should be aware of recent developments in the cyber security sphere as their employees may be targeted by similar phishing attacks and malware. Hackers target employees as they are often the weakest link in the cyber security chain.
This means that regular user awareness training sessions are required for all employees, regardless of their seniority and expertise. New malware is being developed at a rapid rate, so even IT managers and CEOs need to stay abreast of threat advancements and new hacking techniques.
How the malware was discovered
The team of researchers reverse-engineered the information-stealing malware and discovered that the account IDs and authentication tokens were retrieved from a table in the Google Chrome browser’s WebData database.
Each entry in this table pairs a service with an encrypted token. The attackers decrypt the token with a key stored in Chrome’s Local State file in the UserData directory. The resulting token pairs can then be used with MultiLogin to regenerate Google service cookies and log in to the account even after its password has been reset.
What this essentially means is that employees who access Google on multiple devices are at risk, as their browsing information and cookies can still be retrieved even when their passwords have been changed.
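The two files named above, Local State (holding the decryption key) and Web Data (holding the encrypted tokens), give defenders something concrete to watch. The following is an added example, not code from the article or the researchers: it runs a simple detection over constructed, hypothetical file-access telemetry and flags any process other than Chrome that reads either file under the Chrome User Data directory, with a stronger alert when one process reads both. The Windows paths and the record format are assumptions.

```python
import ntpath
import re

# Constructed file-access telemetry (hypothetical EDR-style records, not real logs).
# Each record: process id, process image path and the file it opened for reading.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"pid": 5532, "image": r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"pid": 5532, "image": r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"pid": 900, "image": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\alice\Documents\notes.txt"},
]

# The two files the article names: Local State (key) and Web Data (encrypted tokens),
# both under Chrome's User Data directory (assumed Windows layout).
SENSITIVE_NAMES = {"local state", "web data"}
CHROME_USER_DATA = re.compile(r"\\google\\chrome\\user data\\", re.IGNORECASE)
# Matching on image name alone is a weak trust check; a real deployment should also
# verify the image path and code signature, since malware can name itself chrome.exe.
TRUSTED_IMAGES = {"chrome.exe"}


def is_sensitive_chrome_file(path: str) -> bool:
    """True if the path is Local State or Web Data inside a Chrome User Data directory."""
    return bool(CHROME_USER_DATA.search(path)) and ntpath.basename(path).lower() in SENSITIVE_NAMES


def find_token_store_access(events):
    """Return (pid, image, path) for every non-browser process reading the token store."""
    hits = []
    for ev in events:
        if not is_sensitive_chrome_file(ev["path"]):
            continue
        if ntpath.basename(ev["image"]).lower() in TRUSTED_IMAGES:
            continue
        hits.append((ev["pid"], ev["image"], ev["path"]))
    return hits


def pids_with_key_and_token_access(events):
    """Stronger signal: a single process read both the key file and the token database."""
    seen = {}
    for pid, _image, path in find_token_store_access(events):
        seen.setdefault(pid, set()).add(ntpath.basename(path).lower())
    return sorted(pid for pid, names in seen.items() if names == SENSITIVE_NAMES)


if __name__ == "__main__":
    for hit in find_token_store_access(SAMPLE_EVENTS):
        print("suspicious read:", hit)
    print("processes reading key and tokens:", pids_with_key_and_token_access(SAMPLE_EVENTS))
```

A hit from this check is a reason to sign the affected account out of all sessions, which is the remediation the article goes on to describe.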
How to prevent malware installation
Google is aware of this malware and others like it that try to steal tokens. The internet giant has confirmed that it is monitoring the developments and will release updates as necessary. According to Google, the stolen information can be invalidated if employees sign out of the compromised device and remotely revoke the Chrome browser’s access to their account.
Furthermore, Google strongly advises users to turn on Enhanced Safe Browsing in Chrome to block malicious links and downloads in the first place. Employees also need to keep cyber security in mind at all times and avoid clicking on links from unknown email addresses or unfamiliar websites.
Working with a renowned cyber security partner
For enterprises that are concerned about cyber security, finding a reputable cyber security provider is essential. SEACOM is a well-known service provider in South Africa that offers cyber security services designed to protect endpoints (computers and similar devices), servers, networks and IT infrastructure from various cyber threats.
These solutions improve the cyber security posture of enterprises and large companies in South Africa. Business leaders should also seriously consider user awareness training sessions at least once a year for all employees. This will keep cyber security at the forefront of their minds and equip employees with the knowledge and tools to identify potential threats before it’s too late.