FBI Warns of Cookie Theft Leading to Stolen Email Accounts
November 6, 2024
Recently, the FBI issued a warning about cybercriminals increasingly using stolen browser cookies to bypass multi-factor authentication (MFA). They specifically pointed out the theft of said cookies for AOL, Gmail, Outlook, and Yahoo email users. However, don’t be fooled by that. Anyone storing cookies for any website, email or favorite online shopping websites are at risk.
What are cookies? These are little pieces of information about you that store session information such as your login information, shopping cart products, or whatever else the website needs to prevent you from having to log in over and over and over again. You may know this process by the “remember me” checkbox. While convenient, it also leaves you at risk for theft.
Once attackers obtain these morsels of goodness—often by infecting devices with malware or through phishing—they can hijack sessions to impersonate the victim, sidestepping the need for MFA.
The FBI stressed the importance of robust cybersecurity practices to combat these attacks. After all, getting access to your email is valuable to an attacker, especially if you use it to receive your one-time access codes for websites. In addition to that, they can use your email to send out phishing email to your contacts.
The FBI tips include:
Clearing browser cookies often. Consider doing this at the end of the day; but at a minimum do it on a regular basis. While a bit cumbersome to re-enter the credentials, it could save you from a cookie sugar high. Better yet, consider not allowing the browser to remember them at all.
- They also recommended using additional security measures, such as not clicking on suspicious links or websites. This often leads to malware landing on your device a la phishing.
- Check for the HTTPS, indicating a secure connection, to protect your data from being intercepted during transmission.
- Even though it’s not foolproof, enable MFA for all websites when available. It may not guarantee your security fully, but it is a Cookie Monster sized help.
- Consider using passkeys rather than passwords. Many sites are adopting this new technology and using it avoids the need for entering your password multiple times. While again, not 100% secure, it makes it even more difficult for an attacker to get access to your accounts.
The FBI encourages anyone who is a victim of this to report it to the Internet Crimes and Complaint Center (IC3). There is a link for just that on the IC3 website.
SUBSCRIBE TO WEEKLY NEWSLETTER
