Update, Oct. 09, 2024: This story, originally published Oct. 07, includes new advice about how attackers bypass 2FA protections and how best to mitigate these dangers before a hacker can exploit your Gmail or Microsoft 365 account.
Search any of the Gmail support forums online, from social media platforms such as the Gmail subreddit or the official Gmail community help from Google itself, and one question comes up time and time again: my Gmail account has been hacked, how can I recover it?
Disregarding the inevitable dodgy attempts at uncovering some magic way to hack into someone else’s account, the majority are still likely to be genuine requests for help. Take this example, published to the Gmail subreddit Oct. 06, which is analogous to many: “A friend of mine’s Google account got stolen. The hacker changed the recovery phone number and email address.” The poster explains that the friend in question had enabled two-factor authentication and asks if anything can be done to recover the account now, “or is he cooked?”
The good news is that it’s still entirely possible to recover a Google account even if, as in this case, the hacker has managed to evade or change most, if not all, the security and recovery protections that were in place. Even if, as the poster replied to one suggested solution, “whoever stole the account changed the recovery email and phone number to their own and disabled all other recovery methods.”
How To Recover A Stolen Gmail Account After A Hacker Changes Everything
Google does, despite the negative opinions of many people seemingly frustrated by the process, offer lots of help in recovering your Google account, even in the case of it being stolen by someone who has then changed your recovery details. Indeed, there’s a whole section of Google support devoted to securing a “hacked or compromised” account. I suspect that most people who say these steps don’t work haven’t followed the instructions provided by Google precisely and waited the allotted time for the process to complete.
It is advised to use a device that you have used before to access your Google account or check your Gmail or another Google service. The same tip applies to a familiar location from where you have previously accessed your Google account. Google recommends using the same browser, such as Chrome or Safari, on a laptop or tablet if your smartphone has been stolen and doing so from your home or work location. This can speed up the recovery process by aiding Google in verifying your identity.
You should also answer the questions about passwords as precisely as possible. This applies even if the hacker has changed your current password to lock you out of your account. “If you’re asked for the last password you remember,” Google said, “enter the most recent one you recall.” The more recent, the better, so use the one the hackers changed from. “If you can’t confidently recall any previous passwords: Take your best guess,” Google said.
You may see a message telling you your account is on a security hold. A delay is often put in place between making the recovery request and processing that recovery claim. While some people get annoyed by this, it’s a proactive measure so you should be patient. “Account recovery requests can be delayed for a few hours or a number of days,” Google said, “depending on a variety of risk factors.”
Google has also advised me that when it comes to users whose accounts have already been hacked and whose second-factor and recovery factors have changed, it’s possible to use the original information in certain cases. “Our automated account recovery process allows a user to use their original recovery factors for up to 7 days after it changes,” the spokesperson said, “provided they set them up before the incident.”
And finally, if all else fails and the account holder has a YouTube account up and running, many users have found that contacting YouTube support, including by way of social media, has often resulted in them being given direct help to recover the account when all appeared lost.
Here’s How Hackers Bypass Gmail 2FA Protections In The First Place
One of the problems highlighted by Gmail users seeking support in online forums is that the two-factor authentication protections that they have in place have been changed by the person who has hacked their Google account. This raises several questions, but perhaps the most pertinent is how that 2FA process was bypassed in the first place.
I recently reported that the developers of notorious info-stealer malware, including Lumar, Lumma, Meduza, Rhadamanthys, StealC, Vidar and Whitesnake, have all been releasing updates that claim to have bypassed Google’s cookie-stealing protections. Some stated that they could crack account 2FA in less than 10 minutes. This is despite Google having upgraded the protections found in Chrome 127 to include application-bound encryption, which, similarly to macOS and Keychain, encrypts data tied to app identity, introduced to combat just this kind of attack.
This theft of cookies from your browser, specifically session cookies, enables hackers to bypass your 2FA protections effectively. Owning a cookie that validates a user session after the 2FA step has already been completed gives the attacker complete control over that session—complete control to go and change your Gmail recovery options, 2FA, the lot. So, what can you do to mitigate this type of attack?
How Google Mitigates The Session-Cookie Infostealer Threat
A Google spokesperson said: “This type of attack is well known and we have built-in defenses, such as high frequency cookie rotation, device-bound session credentials, and risk-based re-authentication, that keep users safe. Additionally, the first line of defense against attacks like this is to use an operating system like ChromeOS that is secure by default, without known vulnerabilities for this type of malware.”
It is also wise to consider using passkeys, which Google is helping to drive the adoption of across online services, as these are “resistant to phishing and other online attacks,” Google said, “making them more secure than SMS, app-based one-time passwords and other forms of multi-factor authentication.”
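To make the mitigations described above concrete, here is an added illustration (not code from Google or from the original article) of why a stolen session cookie stops being useful once sessions are bound to the client they were issued to and rotated frequently. It binds a session to a keyed hash of IP address and user agent as a stand-in for the per-device key that real device-bound session credentials use, and the traffic, addresses and user agents are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret (constructed here; a real server would load it from config).
SERVER_KEY = secrets.token_bytes(32)

def client_fingerprint(ip: str, user_agent: str) -> str:
    """Keyed hash of the client attributes a session is bound to at login.
    Simplification: real device binding uses a key held on the device."""
    return hmac.new(SERVER_KEY, f"{ip}|{user_agent}".encode(), hashlib.sha256).hexdigest()

class SessionStore:
    """Session ids bound to the client they were issued to, with rotation."""
    def __init__(self):
        self.sessions = {}  # session_id -> fingerprint of the issuing client

    def issue(self, ip, user_agent):
        """Called only after both the password and the 2FA step have succeeded."""
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = client_fingerprint(ip, user_agent)
        return session_id

    def check(self, session_id, ip, user_agent):
        """'ok' for the bound client; 'reauth' (and revocation) for anyone else."""
        bound = self.sessions.get(session_id)
        if bound is None:
            return "reauth"  # unknown, expired or already rotated-out id
        if not hmac.compare_digest(bound, client_fingerprint(ip, user_agent)):
            del self.sessions[session_id]  # a replayed cookie ends the session
            return "reauth"  # risk signal: force a fresh login with 2FA
        return "ok"

    def rotate(self, session_id, ip, user_agent):
        """Swap a live id for a fresh one so an earlier stolen copy goes stale."""
        if self.check(session_id, ip, user_agent) != "ok":
            return None
        del self.sessions[session_id]
        return self.issue(ip, user_agent)

# Constructed sample clients: the victim's machine and the attacker replaying the cookie.
VICTIM = ("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/127.0")
ATTACKER = ("198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0")

def run_sample():
    store = SessionStore()
    sid = store.issue(*VICTIM)                        # login after password + 2FA
    verdicts = [store.check(sid, *VICTIM)]            # normal use -> "ok"
    new_sid = store.rotate(sid, *VICTIM)              # high-frequency rotation
    verdicts.append(store.check(sid, *ATTACKER))      # stale stolen copy -> "reauth"
    verdicts.append(store.check(new_sid, *ATTACKER))  # live copy, wrong client -> "reauth"
    verdicts.append(store.check(new_sid, *VICTIM))    # session was revoked -> "reauth"
    return verdicts, store.rotate(new_sid, *ATTACKER) # attacker cannot rotate -> None
```

The last verdict is the defender's signal: the legitimate user being bounced to re-authentication after a mismatch is a strong indicator that a cookie was replayed from another machine.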
It’s Not Just Google Users Who Are In The 2FA-Theft Crosshairs
It would not be good news if only Gmail users were targeted by session-cookie attacks, although attacks against just one set of users might be easier to mitigate. The truth is that it’s not a pleasant experience whatever service you are using, and that includes, according to the latest threat intelligence reports, Microsoft 365.
A newly published report by security researchers at Sekoia has detailed yet another session-cookie stealing, two-factor authentication bypassing, adversary-in-the-middle threat. This one is called Mamba 2FA and deserves to be associated with the African snake whose bite is so often fatal, from what I have read.
Report author Grégoire Clermont describes how, in May 2024, Sekoia’s threat detection and research team were tipped off about a phishing campaign that appeared to be leveraging trust in Microsoft 365 with HTML attachments cloning M365 login pages. “The phishing pages were able to relay some methods of multi-factor authentication,” Clermont said, “at first, these characteristics looked like the Tycoon 2FA phishing-as-a-service platform, but further inspection found that the campaign leveraged a previously unknown adversary-in-the-middle phishing kit.”
That phishing kit is what has been given the Mamba 2FA designation.
By analyzing their own customer threat detection logs, Sekoia was able to determine that several had already been targeted by the Mamba 2FA campaign across many months, “suggesting a widespread threat.” And one that was, it turned out, being sold as a phishing-as-a-service package on cybercrime forums on the dark web. Sekoia has since discovered that both the phishing kit itself, and the infrastructure needed to support it, have undergone several significant changes.
As of October, the phishing kit will only display the Microsoft 365 login pages if it has determined that the browser in question lacks automated security protection and the user isn’t running in any sort of sandbox. If either is detected, Mamba 2FA is clever enough to redirect the visitor to a Google 404 page instead.
If the user isn’t well protected, however, then Mamba 2FA will display one of four different credential-stealing options that imitate either Microsoft OneDrive, SharePoint Online, a generic Microsoft 365 login page or, perhaps surprisingly, a voice mail notification which then also displays a generic login. One thing is constant: this is a threat that can steal session cookies in order to bypass 2FA protections such as one-time codes or in-app notifications. “The stolen credentials and cookies are instantly sent to the attacker via a Telegram bot,” Clermont said.
Most worryingly of all, and evidence were any required as to why you should follow the mitigation advice already stated, is just how cheaply someone can enter the world of 2FA bypass. Using a subscription model, the Mamba 2FA service is available for use at just $250 for 30 days, a very low price when you consider the value of the data that could be accessed if an attacker is successful. That price includes access to a Telegram bot “that allows them to generate phishing links and HTML attachments on demand.”