Cookie Theft: A Growing Threat to Email Security, FBI Warns

NEW YORK, November 3: In a recent alert, the FBI alerted users that cybercriminals are increasingly gaining access to email accounts, even those protected by multi-factor authentication (MFA). The attacks typically begin when users are tricked into visiting suspicious websites or clicking on phishing links that download malware to their computers.

The method of accessing email involves cookie theft – not the commonly discussed tracking cookies, but session or security cookies, often referred to as “remember me” cookies. These cookies store user login information and allow seamless access to accounts without repeated logins.

This threat affects all email platforms that offer web logins, with Gmail, Outlook, Yahoo and AOL being the top targets. The same threat of cookie theft extends to other online accounts, including shopping and financial platforms, although financial accounts generally have additional protections. In particular, MFA codes are not stored in the same way as cookies, making them less vulnerable to theft through this method.

“Many users across the web are falling victim to cookie-stealing malware,” Google warned, emphasizing that this vulnerability could allow attackers to gain access to web accounts. While security cookies are essential to the functionality of the modern web, Google has highlighted them as a “lucrative target for attackers,” and the situation appears to be getting worse.

According to the FBI, this type of cookie is generated when a user selects the “Remember this device” option when logging in. If a cybercriminal obtains the Remember Me cookie from a user's last login, they can log in as that user without requiring a username, password, or MFA.

In response to this growing threat, the FBI has outlined four recommended actions to help users protect themselves:

Regularly delete cookies from your internet browser.

Be aware of the risks associated with checking the “Remember me” checkbox when logging in.

Avoid clicking on suspicious links or visiting untrustworthy websites. Always ensure that the websites you visit have a secure connection (HTTPS) to protect your data during transmission.

Regularly check your current device login history in your account settings.

Users who suspect they have been victims of cookie theft or other cybercrimes are asked to report incidents to the FBI's Internet Crime Complaint Center (IC3).

The FBI's recent warning about MFA vulnerabilities should not discourage users from implementing MFA on all available accounts, as it remains the most effective measure for securing online accounts. In addition to careful download and link practices, MFA can significantly improve user security.

The importance of MFA has been underscored by recent developments, such as Amazon's addition of MFA to its corporate email service. TechRadar found that implementation of this basic security feature, which has been common practice for years, has been delayed by almost a decade. The report warned that there are still challenges in enabling MFA for WorkMail because it is not enabled by default and system administrators must manually add each user to AWS Identity Center.

Similarly, The Register criticized the lack of such a basic security measure at a major corporate email platform operated by one of the largest cloud service providers.

Although any form of MFA is better than none, it is important to understand the different levels of security. Passkeys provide the highest level of protection, linking credentials to device security without the hassle of physical keys. However, if the only option is an SMS one-time code, using this is still significantly better than relying solely on a password for security.