The U.S. Federal Bureau of Investigation has issued a new warning around the cyber criminal theft of “remember me” cookies.
What’s Happening
Cyber criminals are directing unsuspecting individuals to fraudulent web pages, where they unwittingly click on a phishing link or scroll over zero-click code that launches a malicious script.
The malicious script then steals “remember me” cookies from devices, allowing for cyber criminal account access and takeovers to occur.
If the term is unfamiliar, “remember me” cookies simplify login processes – they’re activated when individuals click “remember this device” after logging into an account. They typically last for 30 days before expiring.
Through this method of operation, cyber criminals can gain access to email accounts, financial accounts and other repositories of sensitive and monetarily valuable data.
For an enterprise, this could spell disaster.
The Dangers: In-Depth
Much like a train station, email accounts function as centralized hubs through which transactional activities occur. This includes password resets.
Password reset codes and links are typically sent to email accounts – whether for banking, LinkedIn, or the corporate Netflix account.
“Remember me” cookie access to a Gmail account could potentially provide cyber criminals with unfettered billing and payment capabilities, resulting in immediate financial losses. Or, cyber criminals could plaster an organization's LinkedIn page with offensive images/text.
And this is just the beginning...
Worse yet, once cyber criminals access a given email account, they can extract the contact list and lob threats at the victim’s contacts, thereby expanding the scope of the attack.
Combating the Cookie Trends
The “remember me” cookie exploitation technique, as observed by the FBI, renders multi-factor authentication ineffective. However, there are other means of preventing deeply damaging and distressing “remember me” email threats.
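One such means on the service side, shown here as an added example that is not part of the FBI alert or this article: a hypothetical Python token store in which the “remember me” token rotates on every use, so a replayed stolen copy is detected and all of that user’s persistent logins are revoked, plus a Set-Cookie header whose attributes keep page scripts from reading the cookie. The class and function names are assumptions; the 30-day lifetime is the one the article cites.

```python
import hashlib
import hmac
import secrets
import time

THIRTY_DAYS = 30 * 24 * 3600  # the typical "remember me" lifetime the article cites

class RememberMeStore:
    """Hypothetical server-side state for "<series>:<token>" persistent-login cookies.
    The token rotates on every use, so a stolen copy and the real browser soon disagree:
    a known series presented with a wrong token is treated as theft and every series
    belonging to that user is revoked."""
    def __init__(self):
        self._series = {}  # series id -> [user, sha256(token), expires_at]

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).digest()  # store a digest, never the token

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self._series[series] = [user, self._hash(token), now + THIRTY_DAYS]
        return f"{series}:{token}"

    def revoke_user(self, user):
        for sid in [s for s, rec in self._series.items() if rec[0] == user]:
            del self._series[sid]

    def validate(self, cookie, now=None):
        """Return (status, user, new_cookie); status is 'ok', 'invalid' or 'theft'."""
        now = time.time() if now is None else now
        series, _, token = cookie.partition(":")
        rec = self._series.get(series)
        if rec is None:
            return "invalid", None, None
        user, token_hash, expires_at = rec
        if now >= expires_at:  # past the 30-day lifetime: drop it
            del self._series[series]
            return "invalid", None, None
        if not hmac.compare_digest(token_hash, self._hash(token)):
            self.revoke_user(user)  # replay of an already-rotated token
            return "theft", user, None
        new_token = secrets.token_urlsafe(32)  # rotate on every successful use
        rec[1] = self._hash(new_token)
        return "ok", user, f"{series}:{new_token}"

def set_cookie_header(value):
    # HttpOnly keeps page scripts from reading the cookie; Secure keeps it off plain HTTP
    return f"Set-Cookie: remember_me={value}; Max-Age={THIRTY_DAYS}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Rotation only raises the alarm when both copies of the cookie get used, whichever is presented second, so it limits the window rather than preventing the first replay. HttpOnly does nothing against malware that reads the browser’s cookie store from disk, which is why revocation on suspected theft and a short lifetime matter as well.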
Experts advocate that those responsible for Gmail and other types of email accounts proceed with the following steps:
The FBI notes that anyone who has experienced a “remember me” cookie account takeover or who has fallen prey to similar scams can report the incident to the Internet Complaint Center at www.ic3.gov.