Updated on November 3rd with new reports on passkey adoption as an alternative to MFA, and with new initiatives to further expand usage by addressing key challenges.
“Cyber criminals gain access to email accounts,” the FBI warned this week, even when accounts are protected by multi-factor authentication (MFA). The attacks begin when users are tricked into “visiting suspicious websites or clicking on phishing links that download malware to their computer.”
Email access itself comes via cookie theft. Not the devilish tracking cookies we read so much about, which caused havoc when Google backtracked on its promise to eliminate them from Chrome. These are session cookies, security cookies or “remember me” cookies. They store a logged-in session so you don’t have to sign in every time you visit a website or access one of your accounts.
The threat affects all email platforms that offer web access, with Gmail, Outlook, Yahoo and AOL by far the biggest. The same threat clearly affects other accounts too, including shopping sites and financial platforms, although there are now often additional protections, especially on financial accounts. MFA is not usually stored in the same way, and criminals use other means to steal live passwords.
“Many users on the web are falling victim to cookie-stealing malware,” Google has warned, “giving attackers access to their web accounts.” While cookies are “essential to the modern web… because of their powerful utility,” Google describes security cookies as a “lucrative target for attackers,” and that problem is getting worse.
“Typically, this type of cookie is created when a user clicks the ‘Remember this device’ checkbox when logging in to a website,” the FBI explains. “If a cybercriminal obtains the Remember-Me cookie from a user’s recent web email login, they can use that cookie to log in as the user without needing their username, password, or multi-factor authentication (MFA).”
Cookie theft has been in the news a lot recently, with ongoing efforts by Google and others to prevent it in Chrome and other browsers. The latest such initiatives focus on binding cookies to devices and applications, so that a stolen cookie is useless on its own. But these are at an early stage, and cookie theft remains a significant threat.
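To show why binding a session to the device defeats cookie theft, here is an added example (not code from the article or from any browser vendor) of a minimal device-bound session model. The device key, the `SessionStore` class and the `demo()` flow are constructed for illustration, and HMAC with a device-held secret stands in for the asymmetric, hardware-backed key a real implementation would use.

```python
import hmac
import hashlib
import secrets
from typing import Optional


def device_sign(device_key: bytes, session_id: str, challenge: bytes) -> bytes:
    """Proof of possession computed on the device (simplification: HMAC with a
    device-held secret instead of a TPM/enclave-backed asymmetric signature)."""
    return hmac.new(device_key, session_id.encode() + challenge, hashlib.sha256).digest()


class SessionStore:
    """Server-side sessions bound to the device that created them (constructed model)."""

    def __init__(self) -> None:
        self.sessions: dict = {}

    def login(self, user: str, device_key: bytes) -> str:
        # The "remember me" cookie value: opaque, and useless without the device key.
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = {"user": user, "device_key": device_key}
        return session_id

    def new_challenge(self) -> bytes:
        # Fresh per request; a real server also records it so a proof cannot be replayed.
        return secrets.token_bytes(16)

    def resume(self, session_id: str, challenge: bytes, proof: bytes) -> Optional[str]:
        """Return the user only if the cookie AND a valid proof of possession are presented."""
        sess = self.sessions.get(session_id)
        if sess is None:
            return None
        expected = device_sign(sess["device_key"], session_id, challenge)
        if not hmac.compare_digest(expected, proof):
            return None  # cookie presented from a device that lacks the key
        return sess["user"]


def demo():
    store = SessionStore()
    victim_device_key = secrets.token_bytes(32)  # constructed; never leaves the victim's device
    cookie = store.login("alice@example.com", victim_device_key)
    c1 = store.new_challenge()  # legitimate resume from the original device
    ok = store.resume(cookie, c1, device_sign(victim_device_key, cookie, c1))
    # Infostealer copies the cookie jar but not the device key, so its proof fails.
    c2 = store.new_challenge()
    stolen = store.resume(cookie, c2, device_sign(secrets.token_bytes(32), cookie, c2))
    return ok, stolen
```

The stolen cookie is rejected even though it is byte-for-byte identical to the victim's, which is the property the device-binding initiatives aim for.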
“Cybercriminals are increasingly focused on stealing Remember-Me cookies and using them as the preferred way to access a victim’s email,” the FBI warns, but provides four recommended actions “to protect yourself from the risk:
- Regularly clear cookies from your internet browser.
- Recognize the dangers of clicking the “Remember me” checkbox when logging into a website.
- Do not click on suspicious links or websites. Only visit websites with a secure connection (HTTPS) to protect your data from interception in transit.
- Periodically monitor recent device connection history from your account settings.”
As always, if you believe you may have been a victim of this or any other cybercrime, you can report it to the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov.
The FBI’s latest warning about MFA compromises should in no way discourage users from setting up MFA on all accounts where it’s available. It’s the best step you can take to secure your accounts. And combined with taking good care of what you download, install, click and open, it can keep you safe.
The importance of MFA was neatly summed up by the response to Amazon finally adding MFA to its enterprise email service. “Better late than never seems to be the justification behind the nearly decade-long delay,” TechRadar said on Friday, “especially for one of the most basic forms of authentication that has been standard practice for several years,” warning that “there are still barriers to enabling MFA for WorkMail, as it will not be enabled by default and system administrators must manually add each user to the AWS Identity Center.”
The Register echoed that sentiment. “The fact that a security feature as simple as MFA was missing from something that so desperately needs it – an enterprise email platform run by one of the largest (if not the largest) cloud service providers in the world – is, frankly, shocking.”
Any MFA is better than none, period. But there is clearly a spectrum of security, and not all solutions are the same. Passkeys are best when they’re available: they tie credentials to device security, much like a physical security key but without the hassle of carrying one. But if all you have available is a one-time SMS code, then it’s better to use it than to leave the account unprotected, every time.
The good news for users is that passkeys are catching on. According to a new report from the FIDO Alliance, “in the two years since passkeys were announced and made available for consumer use, passkey awareness has increased by 50%, from 39% aware in 2022 to 57% in 2024.” Passkeys are by far the easiest alternative to a username and password combination, and MFA should always be used when available. They stop unauthorized access to an account unless an attacker has full control of one of your secured devices, which essentially means it would have to be you.
“The majority of those familiar with passkeys are enabling the technology to log in,” says FIDO. “Meanwhile, while passwords remain the most common way to sign in to an account, overall usage has declined as alternatives become more available.”
Beyond the security benefits of passkeys, FIDO also highlights the benefits for brands and service platforms that now offer them as an option. “42% of people abandoned a purchase at least once in the past month because they couldn’t remember their password,” it says, adding that “this rises to 50% for 25-34 year olds compared to just 17% for the over 65s,” which raises a different issue.
Echoing the FBI’s warning, FIDO also says that “more than half of consumers reported an increase in the number of suspicious messages they see and an increase in the sophistication of fraud, due to artificial intelligence. Younger generations are even more likely to agree, while older generations remain unsure how AI affects their online safety.”
FIDO’s new report shows that passkey adoption is higher when coupled with the ease of biometric unlock on secured devices. This seamless approach to securing one’s identity is the same factor behind the viral rise of Apple Pay, Google Pay and other digital wallets.
While passkeys are primarily aimed at the consumer/home market, there are now moves to expand them to businesses as well. As 9to5Mac just noted, “the FIDO Alliance took a big step toward improving the usability of passkeys by introducing two new draft specifications: the Credential Exchange Protocol (CXP) and the Credential Exchange Format (CXF). These proposals are designed to solve a key issue slowing enterprise passkey adoption: vendor lock-in.”
These new specifications should create a “standardized, secure way to transfer passkeys between different password managers without removing and re-adding them on each platform,” which matters more to businesses than to users who are already locked into the iPhone, Android or password manager passkey ecosystem.
“By standardizing how passkeys are managed and transferred,” 9to5Mac suggests, “the new specifications will give businesses and consumers more freedom to choose the best tools for their needs without being locked into a single ecosystem. Over time, this will lead to wider passkey adoption, further driving the shift away from passwords, often the weakest link in personal and organizational security.”