“Cybercriminals are gaining access to email accounts,” the FBI warned this week, even when accounts are protected by multifactor authentication (MFA). Attacks begin when users are lured into “visiting suspicious websites or click on phishing links that download malicious software onto their computer.”
Email access itself comes by way of cookie theft. Not the devilish tracking cookies that we read so much about, and which caused havoc when Google reversed its promise to eradicate them from Chrome. These are session cookies or security cookies or “remember me” cookies. They store credentials to stop you hacking to log in every time you visit a website or access one of your accounts.
The threat affects all email platforms providing web logins, albeit Gmail, Outlook, Yahoo and AOL are by far the largest. The same threat clearly impacts other accounts as well, including shopping sites and financial platforms, albeit there are now often additional protections in place, especially with financial accounts. MFA is not usually stored in the same way, and criminals use other means to steal live codes.
“Many users across the web are victimized by cookie theft malware,” Google has warned, “giving attackers access to their web accounts.” While “fundamental to the modern web… due to their powerful utility,” Google describes security cookies as “a lucrative target for attackers,” and that problem is getting worse.
“Typically, this type of cookie is generated when a user clicks the ‘Remember this device’ checkbox when logging in to a website,” the FBI explains. “If a cybercriminal obtains the Remember-Me cookie from a user’s recent login to their web email, they can use that cookie to sign-in as the user without needing their username, password, or multifactor authentication (MFA).”
Cookie theft has been much in the news recently, with ongoing efforts from Google and others to prevent such thefts from Chrome and other browsers. These latest such initiatives focus on linking cookies to devices, rendering thefts useless. But we’re at an early stage and cookie theft remains a major threat.
“Cybercriminals are increasingly focused on stealing Remember-Me cookies and using them as their preferred way of accessing a victim’s email,” the FBI warns, but provides four suggested actions “to protect yourself from putting yourself at risk:
- Regularly clear your cookies from your Internet browser.
- Recognize the risks of clicking the ‘Remember Me’ checkbox when logging into a website.
- Do not click on suspicious links or websites. Only visit sites with a secure connection (HTTPS) to protect your data from being intercepted during transmission.
- Periodically monitor the recent device login history from your account settings.”
As ever, if you think you may have fallen victim to this or any other cybercrime, you can report it to the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov.