A VPN vendor says billions of stolen cookies currently on sale on either dark web or Telegram-based marketplaces remain active and exploitable.
More than 93.7 billion of them are currently available for criminals to buy online, and of those, between 7 and 9 percent are active on average, according to NordVPN's breakdown of stolen cookies by country.
Adrianus Warmenhoven, cybersecurity advisor at NordVPN, said: "Cookies may seem harmless, but in the wrong hands, they're digital keys to our most private information. What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide.
"Most people don't realize that a stolen cookie can be just as dangerous as a password, despite being so willing to accept cookies when visiting websites, just to get rid of the prompt at the bottom of the screen.
"However, once these are intercepted, a cookie can give hackers direct access to all sorts of accounts containing sensitive data, without any login required."
The vast majority of stolen cookies (90.25 percent) contain ID data, used to uniquely identify users and deliver targeted ads.
They can also contain data such as names, home and email addresses, locations, passwords, phone numbers, and genders, although these data points are only present in around 0.5 percent of all stolen cookies. The risk of ruinous personal data exposure as a result of cookie theft is therefore pretty slim.
Aside from ID cookies, the other statistically significant type of data these cookies can contain is details of users' sessions. Over 1.2 billion of these are still up for grabs (roughly 6 percent of the total), and they are generally seen as more of a concern.
From FBI-led, Sesame Street-inspired takedowns of stolen cookie marketplaces, to Big Tech authentication overhauls, the threat of stolen session cookies is one that is actively being addressed by the tech industry.
Cybercriminals can feasibly take these session cookies and pose as others on web pages, authenticate into services without the need for credentials, and in many cases this can also bypass MFA.
Stolen session cookies are therefore highly attractive to cybercrims, who can use them to gather information from email accounts, banking apps, corporate systems, and more.
They can also be a boon to ransomware crooks, who can move laterally around a potential victim's network if that organization uses cookie-based SSO for authentication, which then gives crims access to sensitive business data and potentially higher privileges.
The most common way crooks can get hold of these cookies is through infostealer malware, with Redline being prevalent (it was linked to 44 percent of the total cookies researchers found).
The Vidar, LummaC2, and Meta infostealers took the second, third, and fourth spots on the list, although the latter two, as well as Redline, have been the subject of successful law enforcement disruption efforts.
Access to these malware strains is relatively affordable, given the profit that can be made from hoovering up users' digital valuables. Cops said crooks could purchase Lumma for as little as $250, while Redline and Meta were going for as little as $150 for the most basic tier of features.
However, while the threat presented by stolen cookies is severe, it should be said that once a user's PC, or one belonging to an organization, is infected with infostealer malware, the threat the malware itself presents is arguably greater than that of the cookies, which are statistically unlikely to contain usable session data.
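To make concrete why a lifted session cookie is "as dangerous as a password" and why persisting sessions widen the window, here is an added example (not code from NordVPN or this article) of a server-side session check in its naive form beside a hardened form that binds the session to the presenting client and enforces idle and absolute expiry. The session store, limits, client addresses and user-agent strings are constructed for illustration.

```python
import hmac
import secrets
import time

# Constructed server-side session store: session id -> record.
# Added example, not the vendor's or the article's code: a naive lookup
# treats any bearer of the cookie as the user, so a replayed cookie works;
# the hardened lookup binds the session to client context and expires it.

IDLE_LIMIT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_LIMIT = 8 * 3600   # hard cap on session lifetime, regardless of use


def create_session(store, user, client_ip, user_agent, now):
    """Issue a random session id bound to the client context that created it."""
    sid = secrets.token_urlsafe(32)
    store[sid] = {"user": user, "ip": client_ip, "ua": user_agent,
                  "created": now, "last_seen": now}
    return sid


def naive_lookup(store, cookie_sid):
    """Weak check: whoever presents the cookie is the user, from anywhere."""
    rec = store.get(cookie_sid)
    return rec["user"] if rec else None


def hardened_lookup(store, cookie_sid, client_ip, user_agent, now):
    """Accept the cookie only if the presenting client matches the binding and
    the session is within both idle and absolute limits; expired sessions are
    purged so a cookie copied from disk later is worthless."""
    rec = store.get(cookie_sid)
    if rec is None:
        return None
    expired = (now - rec["last_seen"] > IDLE_LIMIT or
               now - rec["created"] > ABSOLUTE_LIMIT)
    if expired:
        del store[cookie_sid]
        return None
    # constant-time compare on the UA string; IP compared exactly
    if rec["ip"] != client_ip or not hmac.compare_digest(rec["ua"], user_agent):
        # binding mismatch on a live session is a replay signal worth alerting on
        return None
    rec["last_seen"] = now
    return rec["user"]
```

IP binding breaks for roaming and NAT'd clients, so production systems often bind to a device-held key instead and treat a mismatch as an alert rather than a hard deny; the expiry logic applies either way.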
NordVPN's first piece of advice for those looking to mitigate the threat of stolen cookies might irk Europeans as it relates to the long-lived frustration of website cookie banners.
"Think twice before accepting the cookies," the company said, which many would argue would be easier if it weren't so onerous to do so every day.
"The first step towards making yourself safer is understanding that not all cookies are necessary, and just because you can accept all cookies, doesn't mean you have to. Whenever possible, reject unnecessary cookies, especially third-party ones or those tracking your behaviour. Most websites still function fine without them."
Keeping devices updated with the latest security fixes is naturally the way to go if preventing infostealer infections is the priority, which it should be. Cleaning up browser histories and purging unnecessary cookies as part of that process is also a good idea.
"Many users don't realize that active sessions may persist even after they close their browser," said Warmenhoven. "Clearing this data helps reduce the window of opportunity for unauthorized access. Lastly, always check the privacy settings on your online accounts to ensure you only share information with trusted services." ®