Hackers Are Bypassing MFA To Breach Accounts and Cause Business Email Compromise
This week, the FBI issued a new warning, alerting users of popular email platforms like Microsoft 365, Google Gmail, Outlook, AOL, and Yahoo that cybercriminals are gaining unauthorized access to accounts, even those protected by multifactor authentication (MFA). These attacks often start with users being tricked into visiting malicious websites or clicking on phishing links that download malware onto their devices.
Hackers exploit a method known as cookie theft to gain email access. Unlike tracking cookies used for advertising, these are “session cookies” or “security cookies,” often created when users select “Remember Me” at login. These cookies store authentication details, allowing users to access accounts without logging in repeatedly. Unfortunately, malware on the device can copy them from the browser, and because the website treats a valid session cookie as an already-completed login, an attacker who presents the stolen cookie bypasses MFA and gains direct access to the account.
The FBI emphasizes that while Gmail, Microsoft 365, Outlook, AOL, and Yahoo are particularly affected, this threat applies to all platforms that use web logins, including online shopping and financial sites. However, financial sites often have additional protections to secure user sessions.
Google has echoed these concerns, highlighting that cookie theft malware can grant attackers easy access to web accounts. While session cookies are essential to the functionality of the modern web, Google has acknowledged they are an attractive target for cybercriminals. The threat has been worsening over time.
According to the FBI, “A ‘Remember this device’ checkbox typically creates these session cookies when users log in to websites. If hackers obtain this cookie, they can use it to access the user’s account without needing a username, password, or MFA.”
Efforts are underway to curb cookie theft, with Google and other companies working on initiatives to tie cookies more securely to specific devices and applications. However, the process is still in its early stages, and cookie theft remains a considerable security risk.
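To make the mechanism concrete, the following Python sketch (added here; it is not FBI, Google or Petronella code) shows a server treating a presented session cookie as proof of authentication, and one defensive check in the spirit of the device-binding efforts described above: each session is bound to a fingerprint of the device it was issued to, so the same cookie value presented from a different device is refused, revoked and logged rather than accepted without MFA. The `SessionStore` class, the `device_fingerprint` helper and the fingerprint inputs are assumptions made for illustration.

```python
"""Added example: why a copied "Remember Me" cookie bypasses MFA, and a server-side
check that binds each session to the device it was issued to. SessionStore,
device_fingerprint and the fingerprint scheme are assumptions, not any vendor's API."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

SESSION_LIFETIME = timedelta(days=30)


def device_fingerprint(user_agent: str, device_id: str) -> str:
    """Hypothetical fingerprint: hash of attributes the server sees on each request.
    Real device-bound sessions use a hardware-backed key; this stand-in only shows
    where the binding check goes."""
    return hashlib.sha256(f"{user_agent}|{device_id}".encode()).hexdigest()


class SessionStore:
    """In-memory store of session cookies, each bound to a device fingerprint."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}
        self.audit_log: list[dict] = []  # the data a "recent device login history" is built from

    def issue(self, user: str, fingerprint: str, mfa_passed: bool, now: datetime) -> str:
        """Create a session only after password + MFA succeeded (the 'Remember Me' path)."""
        if not mfa_passed:
            raise PermissionError("MFA required before a session cookie is issued")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "fp": fingerprint, "issued": now}
        self.audit_log.append({"user": user, "event": "login", "fp": fingerprint[:12], "at": now})
        return token

    def cookie_header(self, token: str) -> str:
        """Set-Cookie value: Secure/HttpOnly/SameSite limit how the cookie can be read or sent."""
        max_age = int(SESSION_LIFETIME.total_seconds())
        return f"session={token}; Secure; HttpOnly; SameSite=Lax; Max-Age={max_age}; Path=/"

    def validate(self, token: str, fingerprint: str, now: datetime) -> tuple:
        """Return (accepted, reason). A valid cookie alone is NOT enough: the presenting
        device must match the one the cookie was issued to, and the cookie must be fresh."""
        sess = self._sessions.get(token)
        if sess is None:
            return False, "unknown-token"
        if now - sess["issued"] > SESSION_LIFETIME:
            del self._sessions[token]
            return False, "expired"
        if not hmac.compare_digest(sess["fp"], fingerprint):
            # The cookie is being presented from a device other than the one it was
            # issued to: the signature of cookie theft. Revoke it and record the event
            # so it shows up in the account's device/login history.
            del self._sessions[token]
            self.audit_log.append({"user": sess["user"], "event": "session-replay-blocked",
                                   "fp": fingerprint[:12], "at": now})
            return False, "device-mismatch"
        return True, "ok"


def demo() -> dict:
    """Walk through issue -> legitimate use -> replay from another device -> revocation."""
    store = SessionStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    victim_fp = device_fingerprint("Mozilla/5.0 (Windows NT 10.0)", "laptop-victim")  # constructed
    other_fp = device_fingerprint("Mozilla/5.0 (X11; Linux)", "unknown-host")          # constructed

    try:
        store.issue("alice", victim_fp, mfa_passed=False, now=t0)
        mfa_enforced = False
    except PermissionError:
        mfa_enforced = True

    cookie = store.issue("alice", victim_fp, mfa_passed=True, now=t0)
    first_use = store.validate(cookie, victim_fp, t0 + timedelta(hours=1))
    # Same cookie value, different device: this is exactly what a stolen cookie looks
    # like to the server. No username, password or MFA prompt is involved.
    replay = store.validate(cookie, other_fp, t0 + timedelta(hours=2))
    # Because the replay revoked the session, the owner is logged out and must
    # re-authenticate with MFA instead of silently sharing the session.
    after_revocation = store.validate(cookie, victim_fp, t0 + timedelta(hours=3))
    # A cookie older than SESSION_LIFETIME is refused even from the right device.
    stale = store.issue("bob", victim_fp, mfa_passed=True, now=t0)
    stale_result = store.validate(stale, victim_fp, t0 + SESSION_LIFETIME + timedelta(seconds=1))

    return {
        "mfa_enforced": mfa_enforced,
        "header_has_httponly": "HttpOnly" in store.cookie_header(cookie),
        "victim_first_use": first_use,
        "replay_from_other_device": replay,
        "victim_after_revocation": after_revocation,
        "stale_cookie": stale_result,
        "events": [e["event"] for e in store.audit_log],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A fingerprint built from request attributes is only a weak stand-in, since the attributes travel with the request; the initiatives mentioned above aim to tie the cookie to a key held by the device itself, which a copied cookie value cannot carry along. The `audit_log` entries are the kind of signal an account holder sees when reviewing recent device login history, and the shorter the `SESSION_LIFETIME`, the smaller the window in which a copied cookie is useful.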
Taking guidance from the FBI and CISA, Petronella recommends the following actions to help users reduce the risk of cookie theft and unauthorized account access.
TAKE THESE ACTIONS NOW:
- Consult your company password policy.
- Use a reputable password manager (ideally with a proximity token) and change passwords as often as possible using complex passwords of at least 20 characters.
- Never reuse passwords.
- Consider using more secure passkeys on supported websites or apps.
- Use Multifactor Authentication (MFA) everywhere possible and for ALL users.
- Regularly clear cookies from your browser.
- Be cautious when selecting the “Remember Me” option on websites.
- Avoid answering calls live. Screen your calls when possible.
- Avoid clicking on any links in emails, text messages or attachments.
- Do not click on QR codes unless you understand the risks and can be sure the destination URL is safe.
- If using an Apple iPhone, consider using the Lockdown Mode feature.
- Avoid clicking on suspicious links or websites, and ensure you visit secure (HTTPS) sites to protect data during transmission.
- Periodically review your account’s recent device login history.
If using Microsoft 365, please review additional recommendations on our blog titled: Top 10 Security Practices for Microsoft 365: Keeping Your Business Safe in the Cloud.
For users who suspect they may have been affected by this or other cyber incidents, Petronella Cybersecurity and Digital Forensics, a licensed firm with over 22 years of experience, offers breach investigation and security risk assessment services. Contact Petronella at 919-601-1601.