03/11/2024
NEW YORK, Nov 3: In a recent warning, the FBI alerted users that cybercriminals are increasingly gaining access to email accounts, even those protected by multifactor authentication (MFA). The attacks typically begin when users are tricked into visiting suspicious websites or clicking on phishing links that download malicious software onto their computers.
The method of accessing email involves cookie theft—not the tracking cookies commonly discussed, but rather session or security cookies, often referred to as “remember me” cookies. These cookies store user credentials, enabling seamless access to accounts without repeated logins.
This threat affects all email platforms that offer web logins, with Gmail, Outlook, Yahoo, and AOL being the most significant targets. The same cookie theft threat extends to other online accounts, including shopping and financial platforms, though financial accounts generally have additional protections. Notably, MFA codes are not stored in the same manner as cookies, making them less susceptible to theft through this method.
“Many users across the web are victimized by cookie theft malware,” Google warned, emphasizing that attackers can gain access to web accounts through this vulnerability. While security cookies are essential to the functionality of the modern web, Google has highlighted them as a “lucrative target for attackers,” and the situation appears to be worsening.
According to the FBI, this type of cookie is generated when a user selects the “Remember this device” option during login. If a cybercriminal acquires the Remember-Me cookie from a user’s recent login, they can sign in as the user without needing the username, password, or MFA.
In response to this growing threat, the FBI has outlined four recommended actions to help users protect themselves:
Be aware of the risks associated with clicking the “Remember Me” checkbox during login.
Avoid clicking on suspicious links or visiting untrustworthy websites. Always ensure the sites you visit have a secure connection (HTTPS) to safeguard your data during transmission.
Periodically check the recent device login history within your account settings.
Users who suspect they may have fallen victim to cookie theft or other cybercrimes are encouraged to report incidents to the FBI’s Internet Crime Complaint Center (IC3).
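For site operators, the login-history check recommended above can be automated. The Python sketch below is an added example, not code from the FBI advisory or this article; it flags a "Remember Me" cookie that is later presented from a different client or network than the one it was issued to. The log format, field names, the /24 grouping and the sample events are constructed assumptions, and the log is assumed to hold a cookie identifier rather than the cookie value itself.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample events (assumed format): time account event cookie-id ip client
SAMPLE_LOG = """\
2024-11-01T08:00:02Z alice issue  tokA 198.51.100.23 Firefox-Windows
2024-11-01T19:12:40Z alice resume tokA 198.51.100.77 Firefox-Windows
2024-11-02T03:41:09Z alice resume tokA 203.0.113.9   Chrome-Linux
2024-11-02T09:05:00Z bob   issue  tokB 192.0.2.14    Safari-macOS
2024-11-02T21:30:11Z bob   resume tokB 203.0.113.50  Safari-macOS
2024-11-02T22:00:00Z carol resume tokZ 192.0.2.200   Edge-Windows
"""
# (client changed, network changed) -> finding label; (False, False) is not flagged
REASONS = {(True, True): "new-device-and-network",
           (True, False): "new-device", (False, True): "new-network"}

@dataclass(frozen=True)
class Finding:
    time: str
    account: str
    reason: str

def network(ip, prefix=24):
    # Collapse an address to its /24 so ordinary address churn is not flagged.
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_suspect_resumes(log_text):
    """Flag 'resume' events that differ from where the cookie was issued."""
    issued = {}    # cookie id -> (client, network) seen at issue (password + MFA)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, account, event, cookie_id, ip, client = line.split()
        if event == "issue":
            issued[cookie_id] = (client, network(ip))
            continue
        origin = issued.get(cookie_id)
        if origin is None:
            reason = "cookie-never-issued"  # issued outside the log window, or forged
        else:
            reason = REASONS.get((client != origin[0], network(ip) != origin[1]))
        if reason:
            findings.append(Finding(time, account, reason))
    return findings

if __name__ == "__main__":
    for f in find_suspect_resumes(SAMPLE_LOG):
        print(f.time, f.account, f.reason)
```

A "new-network" finding alone is often a user moving between home and work; a changed client on a new network is the stronger signal and a reasonable trigger for revoking the cookie and asking for MFA again.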
The FBI's latest warning regarding MFA vulnerabilities should not deter users from implementing MFA on all available accounts, as it remains the most effective measure to secure online accounts. Alongside diligent practices regarding downloads and links, MFA can significantly enhance user safety.
The importance of MFA has been underscored by recent developments, such as Amazon's addition of MFA to its enterprise email service. TechRadar noted the delay of nearly a decade in implementing this basic security feature, which has been standard practice for years. The report warned that there are still challenges in enabling MFA for WorkMail, as it will not be activated by default and system administrators must manually add each user to the AWS Identity Center.
Similarly, The Register criticized the absence of such a fundamental security measure from a major enterprise email platform run by one of the largest cloud service providers.
While any form of MFA is better than none, it is crucial to recognize the varying levels of security. Passkeys offer the highest level of protection, linking credentials to device security without the hassle of physical keys. However, if the only option is an SMS one-time code, using that is still significantly better than relying solely on a password for security.