The attackers behind the campaign, which distributes cookie theft malware, are attributed to actors recruited in a Russian-speaking forum.

Dark Reading Staff, Dark Reading

October 20, 2021

Google's Threat Analysis Group (TAG) today disclosed the details of a financially motivated phishing campaign that has targeted YouTube creators with "cookie theft" malware, and which it has been disrupting, since 2019.

Cookie theft, which TAG also describes as a "pass-the-cookie" attack, is a session hijacking tactic that gives an attacker access to user accounts with session cookies stored in the browser. It's a technique that has been around for years, TAG says. Its resurgence may be linked to wider adoption of multifactor authentication prompting criminals to focus on social engineering.
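The defensive counterpart to a pass-the-cookie attack is to stop treating the cookie value as the only proof of identity. The following is an added example (not code from TAG, Google or the article) of a minimal server-side session store that records the client context seen when a session is issued and flags and revokes the session when the same cookie is later presented from a different context, which is what a stolen cookie replayed from another machine looks like. The `SessionStore` class, its method names and the constructed IPs and User-Agent strings are assumptions made for this illustration.

```python
"""Server-side detection of session-cookie replay ("pass-the-cookie").

Added example, not code from the TAG report or the article. It models a
minimal session store that remembers the client context (User-Agent hash
and /24 IP prefix) seen when a session is issued, then flags and revokes
the session when the same cookie value is presented from a different
context. All sample values below are constructed.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float   # epoch seconds when the session was issued
    ua_hash: str     # hash of the User-Agent seen at issue time
    ip_prefix: str   # first three octets of the client IP at issue time
    last_seen: float


def fingerprint_ua(user_agent: str) -> str:
    """Stable, non-reversible hash of the User-Agent string."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()[:16]


def ip_prefix(ip: str) -> str:
    """Coarse /24 prefix so ordinary DHCP churn does not trip the check."""
    return ".".join(ip.split(".")[:3])


class SessionStore:
    def __init__(self, max_age: float = 3600.0):
        self.sessions: dict[str, Session] = {}
        self.max_age = max_age          # short lifetimes shrink the replay window
        self.alerts: list[str] = []     # what a SIEM would receive

    def create(self, user: str, ip: str, user_agent: str, now: float) -> str:
        # 256-bit random token; the cookie value is the only secret.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(
            user=user, created=now, ua_hash=fingerprint_ua(user_agent),
            ip_prefix=ip_prefix(ip), last_seen=now)
        return token

    def validate(self, token: str, ip: str, user_agent: str, now: float) -> str:
        """Return 'ok', 'invalid', 'expired' or 'revoked'."""
        s = self.sessions.get(token)
        if s is None:
            return "invalid"
        if now - s.created > self.max_age:
            del self.sessions[token]
            return "expired"
        if s.ua_hash != fingerprint_ua(user_agent) or s.ip_prefix != ip_prefix(ip):
            # Same cookie, different client: treat as replay. Revoke so the
            # legitimate user must re-authenticate (with MFA), and log it.
            self.alerts.append(
                f"session replay suspected user={s.user} "
                f"issued_prefix={s.ip_prefix} seen_prefix={ip_prefix(ip)}")
            del self.sessions[token]
            return "revoked"
        s.last_seen = now
        return "ok"


def run_demo() -> dict:
    """Constructed scenario: a creator logs in, then the cookie is replayed."""
    store = SessionStore(max_age=3600.0)
    creator_ip = "203.0.113.17"                              # constructed
    creator_ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"  # constructed
    t0 = 1_634_688_000.0                                     # constructed epoch time
    cookie = store.create("creator@example", creator_ip, creator_ua, t0)

    # Same browser, neighbouring address in the same /24: normal traffic.
    same_client = store.validate(cookie, "203.0.113.42", creator_ua, t0 + 60)
    # The exfiltrated cookie presented from an unrelated network and client.
    replayed = store.validate(cookie, "198.51.100.9", "curl/7.79.1", t0 + 120)
    # After revocation even the real client must log in again.
    after_revoke = store.validate(cookie, creator_ip, creator_ua, t0 + 180)
    return {"same_client": same_client, "replayed": replayed,
            "after_revoke": after_revoke, "alerts": len(store.alerts)}


if __name__ == "__main__":
    print(run_demo())
```

Binding a session to a coarse network prefix and a User-Agent hash raises the cost of replaying a stolen cookie, but it is a heuristic: mobile and VPN users legitimately change networks, so the realistic policy is to step up to re-authentication rather than lock the account, and to keep session lifetimes short so that an exfiltrated cookie stops being useful quickly.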

The attackers are attributed to a group of actors recruited in a Russian-speaking forum, TAG wrote in a blog post. They usually lure targets with an email about an advertising collaboration opportunity; for example, a demo for antivirus software, VPN, music players, photo editing, or online games. Many YouTube creators put their email address on their channel, TAG noted.

When the victim agrees to a deal, the attackers send a malware landing page disguised as a software download URL via email or a PDF on Google Drive. Researchers report the attackers registered various domains associated with fake companies and built multiple websites to deliver malware. They've identified at least 1,011 domains created for this purpose so far.

Once the fake software is run, it executes cookie-stealing malware that takes browser cookies from the victim's machine and uploads them to the attackers' command-and-control servers. Most of the malware could steal both user passwords and cookies, researchers noted. Some used anti-sandboxing techniques such as enlarged files, encrypted archives, and IP cloaking.

Some hijacked accounts were sold on account-trading markets, where they went for $3 to $4,000 USD depending on the subscriber count. Many were rebranded for cryptocurrency scam livestreaming, in which the channel name, profile picture, and content were replaced with cryptocurrency branding to spoof large tech or cryptocurrency exchange firms. Attackers livestreamed videos promising cryptocurrency giveaways in exchange for an initial contribution.

Read more details here.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.
