Warning: Hackers Could Take Over Your Email Account by Stealing Cookies, Even if You Have MFA

Summary:

Cybersecurity firm Malwarebytes is warning of hackers using stolen session cookies to bypass multi-factor authentication (MFA) and take over email accounts. “When you log in and the server has verified your authentication—straight away or after using MFA—the server creates a session and generates a unique session ID. This session ID is stored in a session cookie (or a ‘Remember-Me cookie’ as the FBI calls it) on your browser, which is typically valid for 30 days,” state researchers. Because the server only checks that the session ID it receives matches a live session, anyone holding a copy of that cookie is treated as the already-authenticated user on that site for as long as the session remains valid, with no password or MFA prompt.
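The mechanism in the quote, as an added example that is not code from the Malwarebytes article or from any email provider: a minimal server-side session table that issues an opaque session ID after MFA, sets it in a cookie, and answers every later request by lookup alone. The 30-day lifetime, the `sid` cookie name and the hypothetical users are assumptions. The point the walkthrough makes is that a replayed copy of the cookie resolves to the victim until the session expires or is deleted by logout.

```python
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 30 * 24 * 3600  # assumed 30-day "remember me" lifetime, matching the quoted figure
SHORT_TTL = 3600              # assumed lifetime when "remember me" is not ticked


@dataclass
class Session:
    user: str
    mfa_verified: bool
    created: float
    expires: float


class SessionStore:
    """Server-side session table keyed by the opaque session ID (hypothetical, for illustration)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session ID -> Session

    def create(self, user: str, mfa_verified: bool, remember_me: bool) -> str:
        # The ID must be unguessable: 256 bits from a CSPRNG, never derived from user data.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        ttl = SESSION_TTL if remember_me else SHORT_TTL
        self._sessions[sid] = Session(user, mfa_verified, now, now + ttl)
        return sid

    @staticmethod
    def set_cookie_header(sid: str, remember_me: bool) -> str:
        # Secure: never sent over plain HTTP. HttpOnly: unreadable by page scripts.
        # SameSite=Lax: not attached to most cross-site requests. None of these
        # attributes stops an infostealer that reads the cookie file from disk.
        attrs = ["Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
        if remember_me:
            attrs.append(f"Max-Age={SESSION_TTL}")
        return "Set-Cookie: sid=" + sid + "; " + "; ".join(attrs)

    def resolve(self, sid: str):
        """Per-request check: look the cookie value up, nothing more. The server
        cannot tell the user's own browser from an attacker replaying a copied cookie."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() >= s.expires:
            del self._sessions[sid]  # expired: drop the record so the ID cannot be reused
            return None
        return s.user

    def logout(self, sid: str) -> None:
        # Logging out deletes the server-side record, so any copy of the cookie is now worthless.
        self._sessions.pop(sid, None)


def demo() -> dict:
    """Walk through the attack and the two things that end it: logout and expiry."""
    now = [1_700_000_000.0]
    store = SessionStore(clock=lambda: now[0])

    sid = store.create("alice", mfa_verified=True, remember_me=True)
    header = store.set_cookie_header(sid, remember_me=True)
    stolen = sid  # an infostealer copies the value straight out of the browser's cookie store

    now[0] += 10 * 24 * 3600                    # ten days later the attacker replays the cookie
    replayed_as = store.resolve(stolen)         # resolves to "alice": no password, no MFA prompt

    store.logout(sid)                           # the victim logs out (or the provider revokes the session)
    after_logout = store.resolve(stolen)        # None: the stolen copy no longer works

    sid2 = store.create("alice", mfa_verified=True, remember_me=True)
    now[0] += 31 * 24 * 3600                    # an untouched session dies on its own after 30 days
    after_expiry = store.resolve(sid2)          # None

    return {
        "cookie_header": header,
        "replayed_as": replayed_as,
        "after_logout": after_logout,
        "after_expiry": after_expiry,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The cookie attributes in `set_cookie_header` are the right defaults, but note what they do and do not cover: `Secure` and `HttpOnly` defeat interception and script access, not malware that reads the cookie database from disk, which is why logout and short lifetimes matter in the corrections below.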

Email platforms such as Gmail, Outlook, Yahoo, and AOL are frequent targets for cybercriminals. While these platforms offer multi-factor authentication (MFA), the session cookie is the server's record that MFA already succeeded, so an attacker who replays a stolen cookie skips both the password and the MFA prompt. Gaining access to a user's mailbox lets cybercriminals harvest sensitive personal information (banking details, account numbers, travel plans, password-reset emails for other services, and so on). This stolen information can be leveraged in future targeted attacks, where attackers reference familiar details to make their lures more convincing and increase the likelihood of deceiving users.

Security Officer Comments:
There are several methods cybercriminals employ to steal session cookies. One technique involves man-in-the-middle attacks, where attackers position themselves between the user and the web server to intercept traffic and capture session cookies; this only works when the connection is plain HTTP or the cookie is sent without the Secure attribute, which is rare for major email providers today. A more common method is phishing: the attacker sets up a fake page that mimics the legitimate login site and, in the kits that defeat MFA, relays the victim's credentials and MFA code to the real site in real time, then captures the session cookie the real site issues. Most common of all is malware, in particular information stealers, which read cookies directly out of the web browser's cookie database on the infected machine and upload them along with saved passwords.

Suggested Corrections:
There are a few things you can do to stay safe from cookie thieves:
  • Use security software on every device you use, since information stealers are the most common way cookies are taken.
  • Keep your devices and the software on them up to date, so malware cannot get in through known, already-patched vulnerabilities.
  • Decide whether the Remember me option is worth it. It keeps the cookie valid for weeks; without it the session usually ends when you close the browser. Is the convenience worth the risk for this account?
  • Delete cookies, or, even better, log out when you are done. A proper logout removes or invalidates the session on the server, so nobody can use the session ID even if they already have a copy of the cookie.
  • Only visit sites over a secure connection (HTTPS) so cookies and other data cannot be intercepted in transit.
  • For important accounts, regularly check the login history, where you can see which devices logged in, when, and from where, and sign out any session you do not recognize. You should be able to find this option in your account settings.
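The login-history check in the last item, done from the provider's side, as an added example that is not part of the Malwarebytes article and not any provider's real detection logic: the sample log lines below are constructed, and the field names (`sid`, `ip`, `ua`) are assumptions. A session that was created on one browser and is later used from a different IP and user agent is the signature of a replayed cookie, because the legitimate "remember me" session lives in a single browser profile.

```python
import re
from collections import defaultdict

# Constructed sample session-activity log (not real data): timestamp, session ID,
# user, client IP, and user agent for each authenticated request.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z sid=9f3a user=alice ip=203.0.113.10 ua="Firefox/125 Windows"
2024-05-01T08:15:40Z sid=9f3a user=alice ip=203.0.113.10 ua="Firefox/125 Windows"
2024-05-03T23:41:02Z sid=9f3a user=alice ip=198.51.100.77 ua="Chrome/124 Linux"
2024-05-02T09:00:00Z sid=b71c user=bob ip=192.0.2.5 ua="Safari/17 macOS"
2024-05-02T17:30:00Z sid=b71c user=bob ip=192.0.2.5 ua="Safari/17 macOS"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse(log: str) -> list:
    """Turn log text into dicts, silently dropping lines that do not match the format."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_hijacked_sessions(events: list) -> list:
    """Flag session IDs used from more than one client fingerprint.

    The fingerprint is (IP, user agent). IP alone is noisy (mobile users roam between
    addresses), a user-agent change mid-session almost never happens legitimately,
    and a change in both at once is what a cookie replayed from another machine looks like.
    """
    fingerprints = defaultdict(set)
    first_seen = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        fingerprints[e["sid"]].add((e["ip"], e["ua"]))
        first_seen.setdefault(e["sid"], e)

    findings = []
    for sid, fps in fingerprints.items():
        if len(fps) > 1:
            origin = first_seen[sid]
            findings.append({
                "sid": sid,
                "user": origin["user"],
                "session_started": origin["ts"],
                "fingerprints": sorted(fps),
                "ua_changed": len({ua for _, ua in fps}) > 1,
            })
    return findings


if __name__ == "__main__":
    for f in find_hijacked_sessions(parse(SAMPLE_LOG)):
        print(f"session {f['sid']} of {f['user']} (started {f['session_started']}) "
              f"seen from {len(f['fingerprints'])} clients, UA changed: {f['ua_changed']}")
        for ip, ua in f["fingerprints"]:
            print(f"    {ip}  {ua}")
```

The appropriate response to a finding is the one the last bullet describes from the user's side: revoke that session ID on the server, which is exactly what makes the stolen cookie stop working.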
Link(s):
https://www.malwarebytes.com/blog/n...ount-by-stealing-cookies-even-if-you-have-mfa