Since late 2019, hackers have taken to hijacking channels of Youtube creators, luring them with bogus collaboration opportunities and eventually using their accounts to broadcast cryptocurrency scams or sell the accounts to the highest bidder.
A new report by Google’s Threat Analysis Group (TAG) has stated that it disrupted financially motivated phishing campaigns targeting the video platform with cookie theft malware. This attacks have been attributed to a group of hackers recruited in a Russian-speaking forum.
Cookie Theft, also known as ‘pass-the-cookie attack,’ is a session hijacking technique that enables access to user accounts with session cookies stored in the browser. This has been noted to be on the rise as a wider adoption of multi-factor authentication (MFA) thus making it difficult to conduct abuse and shifting attacker focus to social engineering tactics.
Since early May, 1.6 million messages have been blocked by google and a restoration of nearly 4,000 Youtube influencer accounts have been done so far.
Apart from sales of channels with large amount of subscribers, some channels were rebranded for cryptocurrency scams in which the adversary live-streamed videos promising cryptocurrency giveaways in return for an initial contribution.
The mode of attacking involved sending channel owners malicious links disguised as video advertisement collaborations for anti-virus software, VPN clients, music players, photo editing apps. When clicked, the recipient is redirected to a malware landing site, some of which impersonated legitimate software sites, such as Luminar and Cisco VPN or media outlets focused on COVID-19
15,000 accounts behind the phishing message has been found by Google as well as 1,011 domains that were purpose-built to deliver the fraudulent software responsible for executing cookie stealing malware designed to extract passwords and authentication cookies from the victim’s machine and upload to the actor’s command-and-control-server.
Following Google’s intervention, the perpetrators have been observed driving targets to apps like Whatsapp, Telegram and Discord all in an attempt to get around Gmail’s phishing protections. Users are highly recommended to secure their accounts with 2FA to prevent such takeover attacks.