Skip to main content

Warning: Hackers could take over your email account by stealing cookies, even if you have multi-factor authentication (MFA)

 



The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, allowing them to bypass the multi-factor authentication (MFA) a user has set up.

Here’s how it works.

Most of us don’t think twice about checking the “Remember me” box when we log in. When you log in and the server has verified your authentication—straight away or after using MFA–the server creates a session and generates a unique session ID. This session ID is stored in a session cookie (or a “Remember-Me cookie” as the FBI calls it) on your browser, which is typically valid for 30 days.

Every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system.

If someone steals the session cookie, they can log in as you—even if you have MFA enabled.

This is particularly relevant for email handlers that have an online—webmail—component. This includes major players like Gmail, Outlook, Yahoo, and AOL.

With access to your email account, a cybercriminal can find a lot of useful information about you, such as where you bank, your account numbers, your favorite shops, and more. This information could then be used for targeted cyberattacks that only mention information relevant to you, leaving you more likely to fall for them.

Cybercriminals could use your account to spread spam and phishing emails to your contacts. And perhaps most worrying of all, once an attacker is in your email account they can reset your passwords to your other accounts and login as you there too.

How do these criminals get their hands on your session cookies? There are several ways.

On very rare occasions, session cookies can be stolen by you visiting a malicious website, or via a Machine-in-the-Middle (MitM) attack where a cybercriminal can intercept traffic and steal cookies if they’re not protected by HTTPS on an unsecured network.

However, session cookies are usually stolen by malware on the your device. Modern information-stealing malware is capable of, and even focuses on, stealing session cookies as part of its activity.  

How to keep your email account safe

There are a few things you can do to stay safe from the cookie thieves:

  • Use security software on every device you use.
  • Keep your devices and the software on them up to date, so there aren’t any known vulnerabilities on them.
  • Decide whether you think it’s worth using the Remember me option. Is convenience worth the risk in this situation?
  • Delete cookies, or—even better—log out when you are done. That should also remove or invalidate the session ID from the server, so nobody can use it to log in, even if they have the session cookie.
  • Only visit sites with a secure connection (HTTPS) to protect your data from being intercepted during transmission.
  • For important accounts regularly check the log in history where you can see which devices logged in when and from where. You should be able to find this option in your account settings.

Comments

Popular posts from this blog

Digital Payments Lead the Way Globally: Key Insights from Worldpay Study

According to a recent Worldpay study, digital payments are rapidly becoming the preferred choice worldwide. The research highlights significant shifts in consumer behavior and payment preferences, driven by technological advancements and the growing acceptance of cashless transactions. Key findings from the study reveal that digital payments now account for a substantial portion of global transactions. Mobile wallets, contactless payments, and online banking are gaining traction, reflecting consumers' desire for convenience and speed. This trend is especially prominent in regions like Asia Pacific, where mobile payment adoption is leading the charge. The study also emphasizes the importance of security in fostering consumer trust in digital payments. As fraud concerns continue to rise, businesses must prioritize robust security measures to protect customer information and enhance the payment experience. Moreover, the transition to digital payments is not just about c...

Embracing ARMs And Battling Members’ Misconceptions

With adjustable-rate mortgages back in fashion, credit unions are educating members about the ins and outs of these products, dispelling misunderstandings along the way. With housing stock low, home prices high, and interest rates showing no signs of coming down, many credit unions are turning to adjustable-rate mortgages to help would-be borrowers find a home. ARM loans gained a bad reputation after the 2008 housing crisis and the Great Recession, but credit union leaders insist that with the right education and a clear understanding of how the product works, adjustable-rate mortgages can be an ideal solution for would-be homeowners. The Big Picture53% of those who don’t own a home believe homeownership is out of reach, according to a study from Northwestern Mutual . 58% of millennials feel this way, but roughly half of baby boomers and Gen X share the sentiment. According to Federal Reserve data, the average price of a home topped $510,000 at the end of 2024. That’s 32% higher than f...

Jim Nussle To Retire From America’s Credit Unions

  WASHINGTON—America’s Credit Unions President and CEO Jim Nussle plans to retire from the trade association, ACU announced. ACU said Nussle did not specify an exact date for his retirement but rather expressed his desire to provide the ACU board the “full flexibility” to conduct a search for a CEO over the next several months on a timeline of their choosing, and to ensure his ongoing efforts to champion the organization’s advocacy agenda.   Jim Nussle “Serving credit unions is a deep personal privilege. After a long career in advocacy from both sides of the policy making table, leading CUNA and the honor of helping to create and lead America’s Credit Unions, it is soon time for me to pursue new interests in retirement. My announcement today is intended to provide the board the time to conduct a thorough national search to find the next leader for the Association,” Nussle said.  “My full and ongoing focus will be on our intensive credit union advocacy efforts to prot...

Havoc.’ ‘Debacle.’ Analysts See Rough Road Ahead for Autos With Tariffs

WASHINGTON–What’s known: should President Trump’s tariffs remain in place, new and used vehicle prices are going to get even higher. The unknown: Will members stop buying cars, move from new to used, or given how many buy cars according to payment, move to less-expensive models? The tariffs also may create challenges for credit unions that serve some autoworkers. All of those questions and more remain much in flux with analysts predicting  auto prices could rise by $5,000 to $10,000 per vehicle and wreak havoc on the market as the result of 25% import tariffs on vehicles and auto parts.   As the CU Daily reports separately, however, Black Book believes automakers will spread out the incremental cost of tariffed vehicles across their entire showroom to retain relative vehicle transaction prices. Still, the company expects tariffs to push the average transaction price on vehicles to more than $50,000. ‘A Debacle’ “The tariffs are a debacle of epic proportions for the a...

Zelle Discontinues Standalone App, Shifts Users to Bank and Credit Union Platforms

SCOTTSDALE, Ariz.—The standalone Zelle app is no longer available for sending or receiving money. Users are now encouraged to enroll through a participating bank or credit union’s app to continue using the peer-to-peer payment service, PYMNTS reported. Zelle had announced in an Oct. 31  blog post  that it would make this change, and it completed the move as of Tuesday (April 1), according to a frequently asked questions  page  on its website PYMNTS said/ “More than 2,200 banks and credit unions across the U.S. now offer Zelle through their mobile app or online banking site,” the company said on the FAQ page. “As a result of this growth, in October of 2024, we announced that we are removing the ability for users to send or receive money using the Zelle app starting April 1, 2025.” PYMNTS noted that the page advised users of the Zelle app to visit a “find your bank” page on its website to see if their bank or credit union offers Zelle; to...