Google: Phishing Campaign Targets YouTube Creators
The attackers behind the campaign, which distributes cookie theft malware, are attributed to actors recruited in a Russian-speaking forum.
October 20, 2021
Google's Threat Analysis Group (TAG) today disclosed the details of a financially motivated phishing campaign that has targeted YouTube creators with "cookie theft" malware since 2019, and which TAG has been disrupting.
Cookie theft, which TAG also describes as a "pass-the-cookie" attack, is a session hijacking technique: the session cookies stored in a victim's browser represent an already authenticated login, so an attacker who copies them can access the account without knowing the password or completing a second authentication factor. It's a technique that has been around for years, TAG says. Its resurgence may be linked to wider adoption of multifactor authentication, which pushes criminals toward social engineering and toward stealing sessions after the victim has authenticated.
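The server-side signal a defender has against a replayed cookie is that the same session identifier starts arriving from a client context that differs from the one it was issued to. The following is an added example, not code from the TAG report or from Google: it parses a handful of constructed access-log lines in an assumed format (client IP, timestamp, request, status, session ID, User-Agent) and flags sessions presented from more than one (IP, User-Agent) pair, listing the requests made from the foreign context. The log format, field names, and session IDs are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines for this example (not from the article).
# Assumed format:
#   <client_ip> <iso_timestamp> "<method> <path>" <status> sid=<session_id> ua="<user_agent>"
# Session a1b2c3 is issued to a Chrome browser and later replayed from a
# different IP with a scripted client; session d4e5f6 is only ever used normally.
SAMPLE_LOG = """\
203.0.113.10 2021-10-19T09:00:12Z "GET /studio" 200 sid=a1b2c3 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"
203.0.113.10 2021-10-19T09:05:40Z "POST /studio/upload" 200 sid=a1b2c3 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"
198.51.100.77 2021-10-19T09:06:03Z "GET /studio" 200 sid=a1b2c3 ua="python-requests/2.26.0"
198.51.100.77 2021-10-19T09:06:20Z "POST /channel/rename" 200 sid=a1b2c3 ua="python-requests/2.26.0"
192.0.2.5 2021-10-19T10:00:00Z "GET /studio" 200 sid=d4e5f6 ua="Mozilla/5.0 (Macintosh) Safari/605.1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'sid=(?P<sid>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse the assumed log format into dicts, skipping lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_replayed_sessions(events):
    """Return {sid: [contexts]} for sessions seen from more than one (ip, ua) pair.

    The first (ip, ua) pair seen for a session is treated as the legitimate
    context (the client the cookie was issued to); any later distinct pair is a
    candidate pass-the-cookie replay.
    """
    contexts = defaultdict(list)  # sid -> ordered list of distinct (ip, ua)
    for ev in events:
        ctx = (ev["ip"], ev["ua"])
        if ctx not in contexts[ev["sid"]]:
            contexts[ev["sid"]].append(ctx)
    return {sid: ctxs for sid, ctxs in contexts.items() if len(ctxs) > 1}


def actions_after_replay(events, sid):
    """List ("METHOD /path", ip) for requests made with `sid` from a non-original context."""
    original = None
    hits = []
    for ev in events:
        if ev["sid"] != sid:
            continue
        ctx = (ev["ip"], ev["ua"])
        if original is None:
            original = ctx
        elif ctx != original:
            hits.append((ev["method"] + " " + ev["path"], ev["ip"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for sid, ctxs in find_replayed_sessions(evs).items():
        print(f"session {sid} used from {len(ctxs)} distinct client contexts: {ctxs}")
        for action, ip in actions_after_replay(evs, sid):
            print(f"  post-replay action from {ip}: {action}")
```

A change of IP alone is a weak signal (mobile users roam between networks), so the check keys on the IP and User-Agent pair together; in production you would add geolocation, ASN, and timing between the two contexts, and treat a hit as a reason to invalidate the session and require re-authentication for sensitive actions such as channel renames. Detection is a backstop: shorter session lifetimes, re-authentication for high-risk operations, and device-bound sessions reduce what a stolen cookie is worth in the first place.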
The attackers are attributed to a group of actors recruited in a Russian-speaking forum, TAG wrote in a blog post. They usually lure targets with an email about an advertising collaboration opportunity; for example, a demo for antivirus software, VPN, music players, photo editing, or online games. Many YouTube creators put their email address on their channel, TAG noted.
When the victim agrees to a deal, the attackers send a malware landing page disguised as a software download URL via email or a PDF on Google Drive. Researchers report the attackers registered various domains associated with fake companies and built multiple websites to deliver malware. They've identified at least 1,011 domains created for this purpose so far.
Once the victim runs the fake software, it executes cookie-stealing malware that takes browser cookies from the victim's machine and uploads them to the attackers' command-and-control servers. Most of the malware could steal both user passwords and cookies, researchers noted. Some used anti-sandboxing techniques such as enlarged files, encrypted archives, and IP cloaking.
Some hijacked accounts were sold on account-trading markets, where they went for $3 to $4,000 USD depending on the subscriber count. Many were rebranded for cryptocurrency scam livestreaming, in which the channel name, profile picture, and content were replaced with cryptocurrency branding to spoof large tech or cryptocurrency exchange firms. Attackers livestreamed videos promising cryptocurrency giveaways in exchange for an initial contribution.