Since at least late 2019, a network of hackers-for-hire have
been hijacking the channels of YouTube creators, luring them with
bogus collaboration opportunities to broadcast cryptocurrency scams
or sell the accounts to the highest bidder.
That’s according to a new report published by Google’s Threat
Analysis Group (TAG), which said it disrupted financially motivated
phishing campaigns targeting the video platform with cookie theft
malware. The actors behind the infiltration have been attributed to
a group of hackers recruited in a Russian-speaking forum.
“Cookie Theft, also known as ‘pass-the-cookie attack,’ is a
session hijacking technique that enables access to user accounts
with session cookies stored in the browser,” TAG’s Ashley Shen
said[1]. “While the technique
has been around for decades, its resurgence as a top security risk
could be due to a wider adoption of multi-factor authentication
(MFA) making it difficult to conduct abuse, and shifting attacker
focus to social engineering tactics.”
Since May, the internet giant noted it has blocked 1.6 million
messages and restored nearly 4,000 YouTube influencer accounts
affected by the social engineering campaign, with some of the
hijacked channels selling for anywhere between $3 to $4,000 on
account-trading markets depending on the subscriber count.
 |
| Fake error window |
Other channels, in contrast, were rebranded for cryptocurrency
scams in which the adversary live-streamed videos promising
cryptocurrency giveaways in return for an initial contribution, but
not before altering the channel’s name, profile picture, and
content to spoof large tech or cryptocurrency exchange firms.
The attacks involved sending channel owners a malicious link
under the ruse of video advertisement collaborations for anti-virus
software, VPN clients, music players, photo editing apps, or online
games that, when clicked, redirected the recipient to a malware
landing site, some of which impersonated legitimate software sites,
such as Luminar and Cisco VPN, or masqueraded as media outlets
focused on COVID-19.
Google said it found no fewer than 15,000 accounts behind the
phishing messages and 1,011 domains that were purpose-built to
deliver the fraudulent software responsible for executing cookie
stealing malware designed to extract passwords and authentication
cookies from the victim’s machine and upload them to the actor’s
command-and-control servers.
The hackers would then use the session cookies to take control
of a YouTube creator’s account, effectively circumventing
two-factor authentication (2FA), as well as take steps to change
passwords and the account’s recovery email and phone numbers.
Following Google’s intervention, the perpetrators have been
observed driving targets to messaging apps like WhatsApp, Telegram,
and Discord in an attempt to get around Gmail’s phishing
protections, not to mention transitioning to other email providers
like aol.com, email.cz, seznam.cz, and post.cz. Users are highly
recommended to secure their accounts with two-factor authentication
to prevent such takeover attacks.