Google confirmed a phishing scam that uses cookie-theft malware to hijack YouTube channels. Ashley Shen of Google’s Threat Analysis Group shared a blog post about the phishing campaign, written in collaboration with the YouTube, Gmail, Trust & Safety, CyberCrime Investigation Group, and Safe Browsing teams. Google stated that the campaign is linked to a group of hackers recruited on a Russian forum.
Pass-the-cookie attack
The attack starts with an email offering a collaboration to the YouTube channel owner. The customized emails include information about the company and its products and lead to malware disguised as a software download URL. Google identified more than 1,000 domains created solely for this purpose, some of them impersonating legitimate software sites such as Luminar, Cisco VPN, and games on Steam. After Google began detecting and disrupting the links sent via Gmail, the hackers switched to popular messaging apps such as WhatsApp, Telegram, or Discord.
Once the target runs the fake software, cookie-stealing malware executes and harvests the browser’s cookies, which are then uploaded to the actor’s command and control servers. Most of this malware can steal saved passwords as well as cookies. The hijacked channels are either sold to the highest bidder or used to broadcast cryptocurrency scams. The price for a channel ranged from $3 to $4,000, depending on its subscriber count.
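Because a replayed session cookie skips the password and any second factor, the signal a defender has left is the session being used from a client context that differs from the one that logged in. As an added example (not code from Google’s post), the following check scans a constructed web access log for a session ID reused from a different browser, or from a different network shortly after its previous use; the log format, the /16 heuristic and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample access log (not real data): "timestamp session_id client_ip user_agent".
SAMPLE_LOG = """\
2021-10-20T09:00:00 sess-A1 203.0.113.10 Chrome/94-Windows
2021-10-20T09:05:00 sess-A1 203.0.113.10 Chrome/94-Windows
2021-10-20T09:07:30 sess-A1 198.51.100.77 Firefox/93-Linux
2021-10-20T09:10:00 sess-B2 192.0.2.5 Chrome/94-macOS
2021-10-20T09:20:00 sess-C3 192.0.2.5 Chrome/94-macOS
2021-10-20T09:25:00 sess-C3 198.51.100.3 Chrome/94-macOS
2021-10-20T11:00:00 sess-B2 203.0.113.44 Chrome/94-macOS
"""


def parse_log(text):
    """Yield (timestamp, session_id, client_ip, user_agent) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, ip, ua = line.split(" ", 3)
        yield datetime.fromisoformat(ts), sid, ip, ua


def net16(ip):
    """Coarse /16 key (assumed heuristic): a user roaming inside one carrier usually stays in it."""
    return ".".join(ip.split(".")[:2])


def find_cookie_replay(text, window=timedelta(minutes=30)):
    """Flag a session cookie presented from a different browser, or from a different
    network within `window` of its previous use. Returns (session_id, iso_time, reason)."""
    last_seen = {}  # session_id -> (timestamp, /16 key, user_agent) of its previous request
    alerts = []
    for ts, sid, ip, ua in parse_log(text):
        prev = last_seen.get(sid)
        if prev is not None:
            prev_ts, prev_net, prev_ua = prev
            if ua != prev_ua:
                # A stolen cookie is replayed from the attacker's browser, not the victim's.
                alerts.append((sid, ts.isoformat(), "user-agent changed"))
            elif net16(ip) != prev_net and ts - prev_ts <= window:
                # Same browser string but a different network too soon to be ordinary roaming.
                alerts.append((sid, ts.isoformat(), "network changed"))
        last_seen[sid] = (ts, net16(ip), ua)
    return alerts


if __name__ == "__main__":
    for sid, when, why in find_cookie_replay(SAMPLE_LOG):
        print(f"{when} {sid}: {why} -> revoke the session and require re-authentication")
```

A hit should invalidate the session server-side so the stolen cookie stops working, rather than only raising an alert.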
How to avoid such attacks
Most of the hijacked channels’ names, profile pictures, and content were replaced with cryptocurrency branding to impersonate related organizations. The hackers then promised cryptocurrency giveaways in live-streamed videos. The Google team also shared its recommendations for avoiding such attacks:
- Take Safe Browsing warnings seriously. To keep malware from triggering antivirus detections, threat actors social-engineer users into turning off or ignoring warnings.
- Before running software, scan it with an antivirus or an online scanning tool like VirusTotal to verify the file’s legitimacy.
- Enable the “Enhanced Safe Browsing Protection” mode in your Chrome browser, a feature that increases warnings on potentially suspicious web pages and files.
- Be wary of encrypted archives, which often bypass antivirus detection scans and so increase the risk of running malicious files.
- Protect your account with 2-Step Verification (multi-factor authentication), which provides an extra layer of security in case your password is stolen. Starting November 1, monetizing YouTube creators must turn on 2-Step Verification on the Google Account used for their YouTube channel to access YouTube Studio or the YouTube Studio Content Manager.