FBI Warning: Hackers could take over your email account by stealing cookies, even with MFA
2024/11/11 12:12:10
Cool GTX
Warning: Hackers could take over your email account by stealing cookies, even if you have MFA

https://www.malwarebytes....ntent=stealing_cookies

(Excerpt / copy of page)

Posted: November 5, 2024 by Pieter Arntz

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, allowing them to bypass the multi-factor authentication (MFA) a user has set up.
Here’s how it works.

Most of us don’t think twice about checking the “Remember me” box when we log in. When you log in and the server has verified your authentication—straight away or after using MFA—the server creates a session and generates a unique session ID. This session ID is stored in a session cookie (or a “Remember-Me cookie” as the FBI calls it) on your browser, which is typically valid for 30 days.
Every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system.

If someone steals the session cookie, they can log in as you—even if you have MFA enabled.
This is particularly relevant for email handlers that have an online—webmail—component. This includes major players like Gmail, Outlook, Yahoo, and AOL.

With access to your email account, a cybercriminal can find a lot of useful information about you, such as where you bank, your account numbers, your favorite shops, and more. This information could then be used for targeted cyberattacks that mention information that’s relevant to you only, leaving you more likely to fall for them.

Cybercriminals could use your account to spread spam and phishing emails to your contacts. And perhaps most worrying of all, once an attacker is in your email account they can reset your passwords to your other accounts and log in as you there too.
How do these criminals get their hands on your session cookies? There are several ways.

On very rare occasions, session cookies can be stolen by you visiting a malicious website, or via a Machine-in-the-Middle (MitM) attack where a cybercriminal can intercept traffic and steal cookies if they’re not protected by HTTPS on an unsecured network.
However, session cookies are usually stolen by malware on your device. Modern information-stealing malware is capable of, and even focuses on, stealing session cookies as part of its activity.
How to keep your email account safe
There are a few things you can do to stay safe from the cookie thieves:
  • Use security software on every device you use.
  • Keep your devices and the software on them up to date, so there aren’t any known vulnerabilities on them.
  • Decide whether you think it’s worth using the Remember me option. Is convenience worth the risk in this situation?
  • Delete cookies, or—even better—log out when you are done. That should also remove or invalidate the session ID from the server, so nobody can use it to log in, even if they have the session cookie.
  • Only visit sites with a secure connection (HTTPS) to protect your data from being intercepted during transmission.
  • For important accounts, regularly check the login history, where you can see which devices logged in, when, and from where. You should be able to find this option in your account settings.

-----------------(end excerpt) ----------------------------

Bad actors don't Rest & neither should you, when it comes to Security
2024/11/11 23:06:33
Synapt
FBI is like 20 years late to the game on this warning.  While yes, this is technically a possibility, just about every backend language and framework has had mitigations against it being as simple as just copying a session ID for ages (like some form of either IP-tied association, browser details, etc).  Like you generally have to REALLY screw **** up to a wildly crazy configuration to open yourself up to session hijacking.

That said, with almost everything being https by default anymore (and I think most browsers do https-only by default these days?), MITM attacks to get it as well are pretty unlikely unless, again, going outside the realm of default configurations.

So your main concern ultimately is someone getting access directly to your system to access the session data directly on it, but at that point you're already pretty royally screwed anyways lol.
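As an added example (not code from the Malwarebytes article, the FBI, or either poster), a minimal Python session store that shows the behaviours the article and the reply above describe: a random "Remember me" session ID with a 30-day lifetime, logout removing it server-side so a stolen copy stops working, and the client-binding check Synapt mentions. The User-Agent hash used for binding, the TTL constant and the cookie attributes are my assumptions for illustration.

```python
import hashlib
import secrets
import time

REMEMBER_ME_TTL = 30 * 24 * 3600  # 30-day "Remember me" lifetime, per the article


class SessionStore:
    def __init__(self, now=time.time):
        self._sessions = {}  # session_id -> {"user", "expires", "fp"}
        self._now = now      # injectable clock so expiry can be tested

    @staticmethod
    def _fingerprint(user_agent: str) -> str:
        # Assumed binding: hash of the browser's User-Agent string (constructed example)
        return hashlib.sha256(user_agent.encode()).hexdigest()

    def login(self, user: str, user_agent: str, mfa_passed: bool) -> str:
        """Issue a session ID only after password and MFA both succeeded."""
        if not mfa_passed:
            raise PermissionError("MFA must pass before a session is created")
        session_id = secrets.token_urlsafe(32)  # unguessable, so only theft works
        self._sessions[session_id] = {
            "user": user,
            "expires": self._now() + REMEMBER_ME_TTL,
            "fp": self._fingerprint(user_agent),
        }
        return session_id

    def resolve(self, session_id: str, user_agent: str):
        """Return the user for a presented cookie, or None if it must be rejected."""
        rec = self._sessions.get(session_id)
        if rec is None:                        # unknown, or removed by logout
            return None
        if self._now() > rec["expires"]:       # the 30 days are up
            del self._sessions[session_id]
            return None
        if rec["fp"] != self._fingerprint(user_agent):
            del self._sessions[session_id]     # replay from another client: kill it
            return None
        return rec["user"]

    def logout(self, session_id: str) -> None:
        """Drop the record so a stolen copy of the cookie no longer resolves."""
        self._sessions.pop(session_id, None)


def cookie_header(session_id: str) -> str:
    """Set-Cookie line with attributes that limit theft in transit and by page scripts."""
    return (f"Set-Cookie: sid={session_id}; Max-Age={REMEMBER_ME_TTL}; "
            "Secure; HttpOnly; SameSite=Lax; Path=/")
```

Binding to client details only defeats replay from a different client; an infostealer running on the device can copy the User-Agent along with the cookie, which is why the article ranks device malware as the main threat and logging out as the reliable fix.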
2024/11/12 08:32:47
Cool GTX
I like using my VPN to keep the information secure in addition to the many things listed above

Hotels, coffee shops, libraries & airports... any free WiFi... are always a security issue
2024/11/12 09:12:30
Synapt
Cool GTX wrote:
I like using my VPN to keep the information secure in addition to the many things listed above

Hotels, coffee shops, libraries & airports... any free WiFi... are always a security issue

Yeah I mean if you're using public/open wifi there are certainly more risks involved.  For the most part, still using https (or whatever other protocol relevant TLS connections for stuff) still should keep you in good shape, but you do potentially open yourself to local network attacks for sure.  Usually why I just tether my laptop to my cellphone for mobile data when I'm out anywhere rather than use open wifi lol.
2024/12/09 21:58:16
vB1OS
Would having my own email server be more secure for accounts?