The attackers behind the campaign, which distributes cookie theft malware, are attributed to actors recruited in a Russian-speaking forum.
Google's Threat Analysis Group (TAG) today disclosed the details of a financially motivated phishing campaign that has targeted YouTube creators with "cookie theft" malware, and which it has been disrupting, since 2019.
Cookie theft, which TAG also describes as a "pass-the-cookie" attack, is a session hijacking tactic that gives an attacker access to a user's accounts by reusing the session cookies stored in the victim's browser, without needing the password or a second factor. It's a technique that has been around for years, TAG says. Its resurgence may be linked to wider adoption of multifactor authentication, which has prompted criminals to focus on social engineering.
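Because a stolen session cookie is presented by a different client than the one that logged in, one server-side detection for pass-the-cookie is to compare each use of a session ID against the IP address and user agent that established it. The following script is an added illustration (not code from TAG or the article) and runs over a constructed sample of access-log lines; the tab-separated log format and field names are assumptions.

```python
from collections import namedtuple
from datetime import datetime

# Constructed sample log lines (not from the article): timestamp, session id,
# client IP, user agent. Session sid-1111 is later presented from a new IP
# and a different browser, the pattern a replayed cookie produces.
SAMPLE_LOG = """\
2021-10-20T09:00:00\tsid-1111\t198.51.100.7\tChrome/94 Windows
2021-10-20T09:05:00\tsid-1111\t198.51.100.7\tChrome/94 Windows
2021-10-20T09:12:00\tsid-1111\t203.0.113.42\tChrome/92 Linux
2021-10-20T09:30:00\tsid-2222\t192.0.2.10\tFirefox/93 macOS
2021-10-20T09:45:00\tsid-2222\t192.0.2.10\tFirefox/93 macOS
"""

Hit = namedtuple("Hit", "ts sid ip ua")


def parse_log(text):
    """Parse the assumed tab-separated format into Hit records."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, ip, ua = line.split("\t")
        hits.append(Hit(datetime.fromisoformat(ts), sid, ip, ua))
    return hits


def find_hijacked_sessions(hits):
    """Return {sid: [(ts, ip, ua), ...]} for every use of a session ID whose
    client context (IP or user agent) differs from the context that first
    established the session. An IP change alone can be benign (mobile
    networks, VPNs), so a user-agent change is the stronger signal; a server
    that binds sessions to their originating context can simply invalidate
    the session on mismatch and force re-authentication."""
    origin = {}
    suspects = {}
    for h in sorted(hits, key=lambda x: x.ts):
        if h.sid not in origin:
            origin[h.sid] = (h.ip, h.ua)
            continue
        if (h.ip, h.ua) != origin[h.sid]:
            suspects.setdefault(h.sid, []).append((h.ts.isoformat(), h.ip, h.ua))
    return suspects


if __name__ == "__main__":
    for sid, uses in find_hijacked_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid} reused from unexpected client(s): {uses}")
```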
The attackers are attributed to a group of actors recruited in a Russian-speaking forum, TAG wrote in a blog post. They usually lure targets with an email about an advertising collaboration opportunity; for example, a demo for antivirus software, VPN, music players, photo editing, or online games. Many YouTube creators put their email address on their channel, TAG noted.
When the victim agrees to a deal, the attackers send a malware landing page disguised as a software download URL via email or a PDF on Google Drive. Researchers report the attackers registered various domains associated with fake companies and built multiple websites to deliver malware. They've identified at least 1,011 domains created for this purpose so far.
Once the fake software is run, it executes cookie-stealing malware that takes browser cookies from the victim's machine and uploads them to the attackers' command-and-control servers. Most of the malware could steal both user passwords and cookies, researchers noted. Some used anti-sandboxing techniques such as enlarged files, encrypted archives, and IP cloaking.
Some hijacked accounts were sold on account-trading markets, where they went for $3 to $4,000 USD depending on the subscriber count. Many were rebranded for cryptocurrency scam livestreaming, in which the channel name, profile picture, and content were replaced with cryptocurrency branding to spoof large tech or cryptocurrency exchange firms. Attackers livestreamed videos promising cryptocurrency giveaways in exchange for an initial contribution.
Read more details here.