With a new technique that pre-hijacks an account before the victim actually registers it, threat actors could gain access to users' online accounts. Many online services may be susceptible to “account pre-hijacking,” a new class of attacks that can be exploited to gain access to a targeted account.
Account pre-hijacking was investigated by freelance researcher Avinash Sudhodanan and Microsoft Security Response Center employee Andrew Paverd. The study was supported by a grant from Microsoft that provided up to 75,000 USD for concepts to enhance the security of its identity systems.
Many attacks involve compromised accounts, but in those cases the attacker takes control of the targeted account after it has been created. In pre-hijacking attacks, the attacker predicts which online service the victim will use and performs certain actions before the victim creates an account.