Google: YouTubers’ accounts hijacked with cookie-stealing malware

Google says YouTube creators have been targeted with password-stealing malware in phishing attacks coordinated by financially motivated threat actors.

Researchers with Google's Threat Analysis Group (TAG), who first spotted the campaign in late 2019, found that multiple hack-for-hire actors recruited via job ads on Russian-speaking forums were behind these attacks.

The threat actors used social engineering (via fake software landing pages and social media accounts) and phishing emails to infect YouTube creators with information-stealing malware, chosen based on each attacker's preference.

Channels hijacked in pass-the-cookie attacks

Malware observed in the attacks includes commodity strains like RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad, and Kantal, as well as open-source ones like AdamantiumThief and leaked tools such as Sorano.

Once delivered on the targets' systems, the malware was used to steal their credentials and browser cookies which allowed the attackers to hijack the victims' accounts in pass-the-cookie attacks.

"While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics," said Ashley Shen, a TAG Security Engineer.

"Most of the observed malware was capable of stealing both user passwords and cookies. Some of the samples employed several anti-sandboxing techniques including enlarged files, encrypted archive and download IP cloaking."

Google identified at least 1,011 domains linked to these attacks and roughly 15,000 actor accounts specifically created for this campaign and used to deliver phishing emails containing links redirecting to malware landing pages to YouTube creators' business emails. 

Sold for up to $4,000 on underground markets

A significant number of YouTube channels hijacked in these attacks were later rebranded to impersonate high-profile tech executives or cryptocurrency exchange firms and used for live streaming cryptocurrency scams.

Others were sold on underground account-trading markets, where they're worth anything between $3 to $4,000, depending on their total number of subscribers.

Shen added that Google's Threat Analysis Group cut down phishing emails linked to these attacks on Gmail by 99.6% since May 2021.

"We blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts," Shen said.

"With increased detection efforts, we've observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com)."

Google also reported this malicious activity to the FBI for further investigation to protect YouTube users and creators targeted in the campaign.