
New zero-day cookiejacking attack against Internet Explorer

Rosario Valotta has published a new 0-day attack against all Internet Explorers on all Windows boxes. It’s a variant of cookiejacking; that is, stealing a victim’s cookies. If you can steal the cookies, you can steal the session key and access whatever the user is accessing.

Now I’m not qualified to give a technical comment on this attack. Others will do that soon enough. But what I do want to say is that Rosario’s attack still depends on social engineering. It still requires you to do something that, if you knew what it really was, you wouldn’t. His technique involves a disguised ‘dragging’ process. The victim is led to believe he is dragging something innocuous, while in reality he is opening the door to his computer.

Rosario’s example includes a simple 4-piece jigsaw of an attractive lady, with the tag line: ‘Solve the jigsaw to watch Denise naked’.

[Image: puzzle. Caption: Solve the jigsaw to watch Denise naked]

That’s the social engineering. It looks pretty innocuous, and gives (the men among us) a reward at the end. But that’s the disguised dragging. Do it and you’ve been had.

[Image: puzzle2. Caption: Nearly there. Nearly owned.]

Sooner or later most 0-day attacks are patched. Like I said, I cannot comment on the technical detail of Rosario’s attack – but my point is that our defence against almost any attack is to avoid being socially engineered. It’s not easy. But the offer of naked pictures is invariably a trick.
