Intelligent CISO Issue 59 - Page 75

account using a victim ’ s email address as an identifier . When the victim tries to create an account , they are notified that it has already been created and are prompted to change their password . However , this does not prevent the attacker from continuing to gain access as the service allows multiple simultaneous sessions .
• Trojan identifier attack : This method involves an attacker generating an identifier on the new account and then creating a secondary login with real customer data , such as an email address or phone number . Even if the victim tries to log in by recovering their password , the attacker will remain active in the account as a trojan .
• Non-verifying IdP attack : These types of attacks involve cybercriminals creating their own identity provider ( IdP ) and opening an account using its federated path . They then add a user by using that user ’ s email address . When the victim then tries to create an account , the system reminds them that it already exists . When recovering their password , the attacker gains access through the federated account .
• Unexpired email change attack : Using this method , a cybercriminal generates an account using the victim ’ s email address without waiting for verification and then changes it to another one under www . intelligentciso . com