Over the past couple of years, a network of hackers-for-hire has been hijacking the YouTube channels of creators, luring them with collaboration opportunities. The stolen accounts were later used for fraudulent activities.
Google's Threat Analysis Group (TAG), the company's security division, said it detected and disrupted several phishing campaigns targeting the video platform. The attackers were mainly hackers recruited on a Russian-speaking forum, and they relied on cookie-theft malware.
“Cookie Theft, also known as ‘pass-the-cookie attack,’ is a session hijacking technique that enables access to user accounts with session cookies stored in the browser,” TAG’s Ashley Shen said. “While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multifactor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics.”
Since May, Google has blocked over 1.6 million messages and restored almost 4,000 accounts following an investigation into the social engineering campaign that targeted influencers. The campaign sold stolen accounts for anywhere between $3 and $4,000.
Other channels were rebranded as cryptocurrency scams, in which they live-streamed videos claiming to offer cryptocurrency giveaways in exchange for an initial contribution.
The attacks involved offers of video advertisement collaborations for anti-virus software, VPN clients, music players, photo editing apps and similar products, which tricked victims into visiting a malicious landing page.
Google said it discovered over 15,000 accounts and 1,011 domains that were used to send the phishing messages and deliver the fraudulent software, which steals cookies from the victim's browser and uploads them to the attacker's command-and-control servers.
The attackers would then replay the stolen session cookie to take over the YouTube creator's account, which let them circumvent two-factor authentication (2FA), gain access, and modify the account's settings.
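Because a replayed cookie arrives with a valid session, the server-side defence is to notice that the same cookie is now being presented from a different client context and to require a fresh login before sensitive changes. The following is an added illustration, not Google's or TAG's code; it assumes a hypothetical in-memory session store and uses the client IP plus User-Agent as the binding context.

```python
# Added example: detect pass-the-cookie replay by binding a session to the
# client context it was issued to, and require re-authentication for
# sensitive changes such as account settings. Hypothetical store, not YouTube's.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

SERVER_KEY = secrets.token_bytes(32)  # constructed for the example
REAUTH_WINDOW = 300                   # seconds a login counts as "fresh"
SESSIONS: dict = {}                   # token -> Session
ALERTS: list = []                     # replay detections for the SOC queue


def fingerprint(ip: str, user_agent: str) -> str:
    """Keyed hash of the client context (assumption: IP + User-Agent)."""
    msg = f"{ip}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class Session:
    user: str
    fp: str            # fingerprint at login
    issued_at: float   # when the user last authenticated


def login(user: str, ip: str, user_agent: str, now=None) -> str:
    """Issue a session token bound to the client that authenticated."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user, fingerprint(ip, user_agent), now)
    return token


def check_request(token, ip, user_agent, action="read", now=None) -> str:
    """Validate a presented cookie; returns a verdict string."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(token)
    if sess is None:
        return "denied:no_session"
    if not hmac.compare_digest(sess.fp, fingerprint(ip, user_agent)):
        # Same cookie, different client: the replay pattern of cookie theft.
        ALERTS.append(f"replay suspected: user={sess.user} from ip={ip}")
        del SESSIONS[token]  # revoke so the stolen cookie stops working
        return "denied:replay_suspected"
    if action == "change_settings" and now - sess.issued_at > REAUTH_WINDOW:
        return "step_up:reauth_required"  # fresh login / MFA before the change
    return "ok"
```

Binding to the raw IP will produce false positives for users on mobile or carrier-grade NAT, so production systems usually use a coarser network prefix or device signal and treat a mismatch as a step-up trigger rather than an immediate revoke.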
Following Google’s intervention, the attackers have been observed directing victims to messaging apps like WhatsApp and Discord and other email providers like aol.com, email.cz, seznam.cz, and post.cz in order to bypass Gmail’s phishing protections.
Enabling two-factor authentication can help prevent such takeover attacks.