Pre-hijacking: the latest scam running amok in countries like Brazil
Imagine the following situation: you wake up one fine morning, open your inbox and find an e-mail from some site thanking you for registering the previous night. It’s a really odd situation that would naturally stir anyone’s curiosity. How would you react? Conclude you had been sleepwalking? Guess a family member had used your device while you slept?
The truth is that most web users, due to nothing more than curiosity, would try to log in to the platform. But... how can you do that if you don’t have the password used to sign up? Well, it’s simple: just click on the recover password button to gain access to the account. Once authenticated, the user will certainly nose around the website in question, and, if interested in the functionalities, may even update the profile with more personal information.
Guess what? If you follow all the steps above, you’d be another victim of a new scam raging online. It’s been dubbed ‘pre-jacking’. This is a malicious maneuver whereby a cybercriminal takes over an account that you haven’t yet created. And it’s a lot more common than you’d imagine, with reports of victims worldwide, including in Brazil.
Stealing what you don’t have (yet)
The concept behind pre-jacking is really simple, but also really tricky. First, the fraudster uses e-mail addresses leaked in other incidents to create accounts on random websites. The victim, upon receiving notice of a new account created with their e-mail address, attempts to log in, purely out of curiosity. To do so, the person has to reset the password using the site's password recovery feature, with a high chance of entering a combination already used for other web services.
At this point, the fraudster exploits a structural flaw on many websites: resetting the password does not end the sessions that are already open, so two people can remain logged in to the same account simultaneously on two separate devices. The criminal then steals the password you've just registered and will be able to use it in the future to try to hack your accounts. If the victim reuses a password from other services, the criminal will certainly be successful.
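The two weaknesses described above, unverified sign-up and sessions that survive a password reset, in a small model of an account store. This is an added example, not code from the original article or from any site it mentions; the class and function names, the e-mail address and the passwords are constructed for the demo. The same store is run in a vulnerable mode and a hardened mode so the difference is visible.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

def _hash(password: str) -> str:
    # Demo placeholder; a real service uses a salted KDF such as argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    password_hash: str
    credential_generation: int = 0                # bumped on every password change
    sessions: dict = field(default_factory=dict)  # session token -> generation at issue


class AccountStore:
    def __init__(self, revoke_sessions_on_reset: bool):
        self.revoke_sessions_on_reset = revoke_sessions_on_reset
        self.accounts = {}

    def register(self, email: str, password: str) -> None:
        # Weak point the scam relies on: the e-mail is never verified before the account exists.
        self.accounts[email] = Account(_hash(password))

    def login(self, email: str, password: str):
        acct = self.accounts[email]
        if not secrets.compare_digest(acct.password_hash, _hash(password)):
            return None
        token = secrets.token_hex(16)
        acct.sessions[token] = acct.credential_generation
        return token

    def reset_password(self, email: str, new_password: str) -> None:
        # Password recovery: sessions issued before this point now carry a stale generation.
        acct = self.accounts[email]
        acct.password_hash = _hash(new_password)
        acct.credential_generation += 1

    def session_valid(self, email: str, token: str) -> bool:
        acct = self.accounts[email]
        if token not in acct.sessions:
            return False
        if not self.revoke_sessions_on_reset:
            return True  # vulnerable: a session opened before the reset stays alive
        return acct.sessions[token] == acct.credential_generation  # hardened check


def pre_hijack_scenario(revoke_sessions_on_reset: bool) -> bool:
    # Returns True if the attacker's session survives the victim's password reset.
    store = AccountStore(revoke_sessions_on_reset)
    store.register("victim@example.com", "attacker-chosen")  # attacker signs up first
    token = store.login("victim@example.com", "attacker-chosen")
    store.reset_password("victim@example.com", "victim-new-pw")  # victim recovers the account
    return store.session_valid("victim@example.com", token)
```

Requiring e-mail verification before the account is usable would stop the scenario one step earlier; the generation check shown here is the part that closes the flaw the article describes.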
As we mentioned previously, pre-jacking has the potential to become even more dangerous if, for some reason, the victim becomes interested in the website on which the criminal registered them and begins to use it normally, updating the profile with more personal information and sometimes even providing bank details. All of this information will then be at the disposal of the hacker, who can then effortlessly steal it all by logging into the account.
Easy to avoid
As you can see, pre-jacking is a tricky but rather simple scam, relying above all on the curiosity and naivety of web users to succeed. If you get an e-mail confirming the creation of an account on a website that you don't recall, simply ignore it, or use the password recovery feature to set a random password and then immediately delete the profile.