Hackers steal browser cookies to hijack high-profile YouTube accounts, according to Google’s Threat Analysis Group (TAG). Since late 2019, hackers have been hijacking YouTube creators’ accounts by luring them with fake collaboration opportunities, then using the channels to broadcast cryptocurrency scams or selling them to the highest bidder.
In a report, TAG said, “The actors behind this campaign, which we attribute to a group of hackers recruited in a Russian-speaking forum, lure their target with fake collaboration opportunities (typically a demo for anti-virus software, VPN, music players, photo editing or online games), hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams.”
According to Google, since May it has blocked 1.6 million messages and restored nearly 4,000 YouTube influencer accounts affected by the social engineering campaign.
Some of the hacked channels were listed for sale on account-trading markets for anywhere between $3 and $4,000, depending on their subscriber count.
Ashley Shen, from TAG, said, “Cookie Theft, also known as ‘pass-the-cookie attack,’ is a session hijacking technique that enables access to user accounts with session cookies stored in the browser. While the technique has been around for decades, its resurgence as a top security risk could be due to wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics.”
Many YouTube channels were also rebranded for cryptocurrency scams, which the bad actors used to live stream videos promising cryptocurrency giveaways in return for an initial contribution. They did this after altering the channel’s name, profile picture, and content to spoof large tech or cryptocurrency exchange firms.
Hackers lured victims by sending a malicious link under the ruse of video advertisement collaborations for anti-virus software, VPN clients, music players, photo editing apps, or online games. Clicking the link redirected victims to a malware landing site that impersonated legitimate software sites, such as Luminar and Cisco VPN, or masqueraded as a media outlet focused on COVID-19.
Google discovered nearly 15,000 accounts behind the phishing messages and 1,011 domains purpose-built to deliver the fraudulent software that executed the cookie-stealing malware. The malware was designed to extract passwords and authentication cookies from the victim’s machine and upload them to the actor’s command-and-control servers.
This enabled the hackers to use the stolen session cookies to take control of YouTube creators’ channel accounts, bypassing two-factor authentication (2FA), and then to change the passwords and the accounts’ recovery email addresses and phone numbers.
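Because a replayed session cookie arrives after the login and 2FA steps have already happened, the server-side control that catches it is binding each session to the client context it was issued to and flagging reuse from a different context, especially on account-recovery or password endpoints. The following is an added illustration, not code from Google or YouTube: a small log analyzer that records the client fingerprint at login time and raises an alert when the same session id is later presented from a different /24 and user agent. The JSON-lines log format, the session ids, the IP addresses, the `SENSITIVE_PATHS` set and the fingerprint scheme are all constructed assumptions for the example.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample log (not real traffic): one legitimate login, then the same
# session cookie presented from a different network and browser, including a
# change to the account's recovery settings. The last line is the legitimate
# client moving to another address inside its /24.
SAMPLE_LOG = """\
{"ts": 1000, "event": "login", "user": "creator01", "ip": "203.0.113.10", "ua": "Chrome/94 Windows", "sid": "s1"}
{"ts": 1060, "event": "request", "ip": "203.0.113.10", "ua": "Chrome/94 Windows", "sid": "s1", "path": "/studio"}
{"ts": 1300, "event": "request", "ip": "198.51.100.7", "ua": "Firefox/92 Linux", "sid": "s1", "path": "/studio"}
{"ts": 1310, "event": "request", "ip": "198.51.100.7", "ua": "Firefox/92 Linux", "sid": "s1", "path": "/account/recovery"}
{"ts": 1400, "event": "request", "ip": "203.0.113.44", "ua": "Chrome/94 Windows", "sid": "s1", "path": "/studio"}
"""

# Hypothetical endpoints whose use from a mismatched context deserves a high-severity alert.
SENSITIVE_PATHS = {"/account/password", "/account/recovery", "/account/2fa"}


def fingerprint(ip: str, ua: str) -> str:
    """Coarse client fingerprint: IPv4 /24 prefix plus user agent.

    Using the /24 rather than the full address keeps a DHCP or NAT change within
    the same network (e.g. .10 -> .44 above) from tripping the check on its own.
    """
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{prefix}|{ua}".encode()).hexdigest()[:16]


def analyze(log_text: str) -> List[Dict]:
    """Return alerts for session ids used from a context other than the login context."""
    issued: Dict[str, Dict] = {}  # sid -> context captured at login
    alerts: List[Dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sid = rec["sid"]
        if rec["event"] == "login":
            issued[sid] = {"user": rec["user"], "fp": fingerprint(rec["ip"], rec["ua"])}
            continue
        ctx = issued.get(sid)
        if ctx is None:
            # A cookie the server never issued in this log window: worth a look on its own.
            alerts.append({"ts": rec["ts"], "sid": sid, "kind": "unknown-session",
                           "severity": "medium"})
            continue
        if fingerprint(rec["ip"], rec["ua"]) != ctx["fp"]:
            severity = "high" if rec["path"] in SENSITIVE_PATHS else "medium"
            alerts.append({"ts": rec["ts"], "sid": sid, "user": ctx["user"],
                           "kind": "fingerprint-mismatch", "path": rec["path"],
                           "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample log this yields two alerts for session `s1`: a medium one at `ts` 1300 when the cookie first appears from the new context, and a high one at 1310 for the recovery-settings change. The natural response to a high alert is to invalidate the session and require a fresh login with 2FA before the change takes effect; `HttpOnly` and `Secure` cookie flags do not help here, since the malware reads cookies from the browser profile on disk rather than through the page.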
The hackers were also observed driving targets to messaging apps like WhatsApp, Telegram, and Discord, which let them get around the phishing protections of Gmail and of other email providers such as aol.com, email.cz, seznam.cz, and post.cz. We highly recommend that all users secure their accounts with two-factor authentication to prevent such takeover attacks.