GPT Gmail 2024 Hack Attack: Google’s Surprising Solution? The Classic ‘Off and On’ Method

Will Young

In what seems like a page taken straight out of the popular sitcom “The IT Crowd,” Google’s latest advice to Gmail users facing a new kind of hack attack in 2024 harks back to the show’s iconic troubleshooting line: “Have you tried turning it off and on again?” This seemingly simple tactic is Google’s response to a recent wave of attacks on Google accounts that a password change alone does not stop.

Persistent Threat: Attackers Accessing Google Accounts Repeatedly

A detailed report by CloudSEK researcher Pavan Karthick M, released on December 29, uncovers how attackers are exploiting a lesser-known authentication endpoint. This vulnerability is particularly concerning because it allows attackers to hijack session cookies, granting them access to Google accounts, including the coveted Gmail inboxes, without needing the user’s credentials.

This exploit first came to light on October 20, in a Russian-language Telegram channel. By November 14, it had been noted as part of the toolkit used by the notorious Lumma criminal group, and it rapidly gained popularity among other malicious actors. As recently as December 27, the exploit was being demonstrated on the dark web against the session cookies of Google accounts.

Password Changes Ineffective Against the Attack

From a security standpoint, this attack may not seem groundbreaking. Session cookie hijacks are, after all, not a new concept. However, what sets this attack apart is its ability to breathe life into expired session cookies. As per CloudSEK’s analysis, these cookies can be rejuvenated, allowing attackers continued access to Google services, even after the user changes their password.

Google’s Standpoint: Off and On As a Solution

In response to these alarming revelations, a Google spokesperson acknowledged the issue of malware that steals session tokens. While emphasizing that such attacks are not novel, Google said that it continuously enhances its defenses against such tactics and that it has taken measures to secure accounts identified as compromised. Contrary to some reports, Google clarifies that stolen sessions can be invalidated, either by signing out of the affected browser or by remotely revoking access via the user’s device page. Google also suggests enabling Enhanced Safe Browsing in Chrome for added protection.

CloudSEK’s analysis further elaborates on the off and on strategy. If there’s a suspicion of a compromised account or as a preventive measure, users should sign out of all browser profiles to invalidate the current session tokens. Following this, resetting the password and signing back in is recommended to generate new tokens. This step is crucial as it disrupts the unauthorized access, breaking the chain of the exploit.
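The following is an added illustration, not code from CloudSEK, Google, or the original article: a simplified model of why the order of steps above matters. It assumes a long-lived sign-in token that can be exchanged for fresh session cookies; the class, method, and function names are hypothetical and the account data is constructed.

```python
import secrets

class AccountService:
    """Toy model: a long-lived sign-in token mints short-lived session cookies."""
    def __init__(self, password):
        self.password = password
        self.signin_tokens = set()  # long-lived, one per signed-in browser

    def sign_in(self, password):
        if not secrets.compare_digest(password, self.password):
            raise PermissionError("bad password")
        token = secrets.token_hex(16)
        self.signin_tokens.add(token)
        return token

    def mint_cookie(self, token):
        # Assumed "rejuvenation" step: a still-valid token yields a fresh cookie.
        if token not in self.signin_tokens:
            return None
        return secrets.token_hex(16)

    def sign_out_everywhere(self):
        self.signin_tokens.clear()

    def change_password(self, new_password, revoke_tokens=False):
        self.password = new_password
        if revoke_tokens:  # hardened design: a reset also ends every session
            self.sign_out_everywhere()

def stolen_token_survives(remediation):
    """True if a copied sign-in token still mints cookies after remediation."""
    svc = AccountService("old-password")   # constructed sample account
    stolen = svc.sign_in("old-password")   # stands in for a token copied by malware
    remediation(svc)
    return svc.mint_cookie(stolen) is not None

def password_only(svc):
    # Old cookies expire on their own; only the password changes.
    svc.change_password("new-password")

def sign_out_then_reset(svc):
    svc.sign_out_everywhere()
    svc.change_password("new-password")

def reset_with_revocation(svc):
    svc.change_password("new-password", revoke_tokens=True)

if __name__ == "__main__":
    for fix in (password_only, sign_out_then_reset, reset_with_revocation):
        print(fix.__name__, "-> stolen token still works:", stolen_token_survives(fix))
```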

In an age where cyber threats are becoming more sophisticated, it’s somewhat ironic yet reassuring to see that sometimes, the simplest solutions, like the classic off and on trick, can still be effective in safeguarding our digital lives.
