
Attackers Use Cookie Theft Malware to Hijack YouTube Accounts


Google says it has disrupted a phishing campaign that targeted YouTube creators with cookie-stealing malware. The attackers used the stolen browser session cookies to hijack YouTube channels and then repurposed those channels to promote cryptocurrency scams.

The actors behind the campaign were recruited on a Russian-speaking forum and targeted thousands of YouTubers with malicious emails. They lured victims with fake collaboration offers, such as a paid promotion of a VPN, music player, or antivirus product.

After gaining a victim's trust, the attackers sent a download URL, either in an email or inside a PDF hosted on Google Drive, that promised the legitimate software but led to a malware landing page. Once run, the malware steals session cookies from the victim's browser in a non-persistent "smash-and-grab" fashion: it executes once, uploads the cookies to the attackers' server, and exits rather than installing itself, which leaves little for endpoint tooling to find afterwards.

The attackers then replay the stolen cookies to access the victim's account without the password (a "pass-the-cookie" session hijack, which also bypasses two-factor authentication because the session was already authenticated when the cookie was issued). Hijacked channels were either used directly for the scam or sold on dark-web marketplaces to the highest bidder, for anywhere between $3 and $4,000 depending on the number of subscribers.
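As an added illustration of why a copied cookie is enough, and what a service can do about it, here is a minimal Python session store (example code written for this post, not from Google's report or any real YouTube/Google component). It shows the naive bearer check that a stolen cookie replays against, beside a hardened check that binds each session to the client it was issued to, expires it, and revokes it on a binding mismatch. The server key, the one-hour TTL, the /24 network binding, and the constructed victim/attacker clients are all assumptions for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical server-side HMAC key and session lifetime (assumptions for the demo).
SERVER_KEY = secrets.token_bytes(32)
SESSION_TTL = 3600  # seconds


@dataclass
class Session:
    user: str
    issued_at: float
    client_binding: str  # keyed fingerprint of the client seen at login


# In-memory session store: cookie value -> Session
SESSIONS: dict[str, Session] = {}


def ip_prefix(ip: str) -> str:
    """Bind to the /24 rather than the exact address so that ordinary DHCP
    churn on the victim's own network does not log them out (demo assumption)."""
    return ".".join(ip.split(".")[:3])


def fingerprint(user_agent: str, ip: str) -> str:
    """Keyed fingerprint of client attributes. Keyed with SERVER_KEY so that a
    thief who obtains the cookie cannot forge the binding value."""
    msg = f"{user_agent}|{ip_prefix(ip)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def login(user: str, user_agent: str, ip: str) -> str:
    """Issue a random session cookie and record who it was issued to."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = Session(user, time.time(), fingerprint(user_agent, ip))
    return cookie


def authorize_naive(cookie: str) -> Optional[str]:
    """Pure bearer-token check: whoever presents the cookie is the user.
    This is why a cookie copied off the victim's disk grants full access."""
    s = SESSIONS.get(cookie)
    return s.user if s else None


def authorize_bound(cookie: str, user_agent: str, ip: str,
                    now: Optional[float] = None) -> Tuple[Optional[str], str]:
    """Return (user, verdict). Rejects expired sessions and any presentation of
    the cookie from a client that does not match the login binding; a mismatch
    is treated as a suspected pass-the-cookie hijack and the session is revoked."""
    s = SESSIONS.get(cookie)
    if s is None:
        return None, "unknown_session"
    now = time.time() if now is None else now
    if now - s.issued_at > SESSION_TTL:
        SESSIONS.pop(cookie, None)
        return None, "expired"
    if not hmac.compare_digest(s.client_binding, fingerprint(user_agent, ip)):
        SESSIONS.pop(cookie, None)  # force the real user to re-authenticate
        return None, "binding_mismatch_revoked"
    return s.user, "ok"


def demo() -> dict:
    """Constructed scenario: victim logs in, stealer exfiltrates the cookie,
    attacker replays it from a different browser and network."""
    victim_ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"
    cookie = login("creator@example.com", victim_ua, "203.0.113.10")
    attacker_ua = "Mozilla/5.0 (X11; Linux x86_64) Chrome/93.0"
    return {
        "naive_replay": authorize_naive(cookie),                                 # attacker gets in
        "bound_victim": authorize_bound(cookie, victim_ua, "203.0.113.55")[1],   # same /24: ok
        "bound_replay": authorize_bound(cookie, attacker_ua, "198.51.100.7")[1], # revoked
        "after_revoke": authorize_bound(cookie, victim_ua, "203.0.113.10")[1],   # gone
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Binding to user agent and network prefix is a heuristic, not a cryptographic guarantee: a stealer that also captures the victim's user agent, combined with a proxy in the victim's region, can satisfy it, and roaming mobile users will trip it. It is useful as a detection signal (log and alert on the mismatch) and as a way to limit the blast radius, alongside short session lifetimes and re-authentication for sensitive actions such as changing channel ownership or payout details.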

Since the campaign began in 2019, Google identified roughly 15,000 actor accounts, along with domains registered to fake companies and more than 1,000 websites used to deliver the malware. Some of the sites impersonated legitimate software vendors such as Luminar, Cisco VPN, and games on Steam; others were built from online templates. The malware families used included Azorult, Grand Stealer, Kantal, Masad, Nexus stealer, Predator the Thief, RedLine, Raccoon, Vikro Stealer, and Vidar, alongside open-source tools such as Sorano and AdamantiumThief. Most of these stealers harvest saved passwords as well as cookies, so a victim should assume both are compromised.

Working with its YouTube, Gmail, Trust & Safety, and Safe Browsing teams, Google reduced the volume of these phishing emails on Gmail by 99.6% and has blocked 1.6 million messages sent to targets since May 2021. It also displayed roughly 62,000 Safe Browsing warnings for the identified phishing pages, blocked 2,400 malicious files, and restored about 4,000 hijacked accounts.

“With increased detection efforts, we’ve observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com). Moreover, to protect our users, we have referred the below activity to the FBI for further investigation,” Google explained.