Google Threat Analysis Group (TAG) discovered an uptick in phishing scams targeting YouTube creators to steal their channels.
The campaign, run by affiliate phishers-for-hire, tricks YouTube content creators into downloading malware that steals their browser cookies, which the attackers then replay to take over the channels.
The hijacked channels are later misused to promote cryptocurrency scams or sold for up to $4,000.
While these campaigns have been around since 2019, the search engine giant noted that they have recently escalated.
Phishing campaign promises YouTube creators revenue from promotions
According to Google’s blog post, the hackers targeting YouTubers were recruited through a Russian-speaking forum.
The work was advertised in two tiers, “light advertising” and “full-stack advertising,” with recruits offered 25% and 70% of the hijacked YouTube channels, respectively. Google identified at least 15,000 accounts created specifically for phishing YouTube creators.
Many YouTube creators list a business contact email on their channels. The hackers began the campaign by sending spoofed emails to those addresses, impersonating existing businesses.
The emails introduced the company and its products before requesting a collaboration on video advertising.
The attackers then offered creators fake collaboration deals to promote anti-virus software, photo editors, VPN software, music players, or online games.
Some also exploited the pandemic by posing as COVID-19 news apps. Impersonated products included Luminar, Cisco VPN, and Steam games.
“Phishing attacks are one of the most common forms of cyberattacks leveraged by cybercriminals,” said Josh Rickard, Security Solutions Architect at Swimlane. “It has become all too easy for malevolent actors to create seemingly legitimate email campaigns to trick well-intended employees into providing access to the attacker, and they are highly effective, with 74% of attacks in the United States being successful.”
Hijacked YouTube accounts rebranded for streaming cryptocurrency scams
Depending on subscriber count and channel status, the accounts sold for between $3 and $4,000. The hackers rebranded the hijacked channels to live-stream cryptocurrency scams.
“The channel name, profile picture, and content were all replaced with cryptocurrency branding to impersonate large tech or cryptocurrency exchange firms,” Google wrote. “The attacker live-streamed videos promising cryptocurrency giveaways in exchange for an initial contribution.”
Similar scams have appeared elsewhere on the internet. In August 2020, hackers hijacked established Twitter accounts, rebranded them as “Elon Musk” or “Space X,” and started offering fake cryptocurrency giveaways.
Verified channels are preferred because of the trust they command: people are far more likely to buy into a cryptocurrency scam when it appears to be endorsed by a channel or individual they already follow.
“These social media and influencer accounts can be very valuable to cybercriminals as they can be used to abuse the trust followers have to improve the effectiveness of scams or to spread malware,” said Erich Kron, security awareness advocate at KnowBe4. “When a person receives an email or other notification from a trusted content creator, it is far easier to convince them to click on links, make fraudulent purchases, or to give up sensitive information about themselves.”
“This is especially true when social media or content creator accounts carry a verified or similar status from the platform.”
Hackers deploy cookie-stealing malware to take over YouTube accounts
Once they have a creator’s attention, the attackers send a link to a malware landing page disguised as a software download. Sometimes the phishing links are delivered through Google Drive or Google Docs instead.
They also registered phishing domains mirroring the impersonated companies and built malware delivery websites, some of them using web templates and site builders.
The hackers created fake social media pages and copied content from legitimate accounts to make the lookalikes convincing. Google says at least 1,011 domains were registered for phishing YouTube creators, all of them ultimately leading to malware download pages. Victims were persuaded to install malware that steals cookies, and in some cases passwords, from the browser and sends them to the attackers’ command and control server.
The malware used several anti-analysis and anti-detection techniques: IP cloaking, file encryption, artificially enlarged files, and fake error messages that trick the victim into clicking through so execution continues. Rather than establishing persistence, the operators favored ‘smash and grab’ collection, which leaves less on disk for anti-virus products to catch. The most commonly deployed stealers were RedLine, Azorult, Vidar, Predator The Thief, Nexus stealer, Raccoon, AdamantiumThief, Grand Stealer, Vikro Stealer, Masad, Sorano, and Kantal.
With the cookies in hand, the hackers used a “pass-the-cookie” attack to take control of YouTube accounts: replaying a victim’s authenticated session cookie lets the attacker act as that user without ever entering a password or a second factor, because the server already treats the session as logged in. Google says that although the technique has been around for decades, it has recently resurged precisely because wider adoption of multi-factor authentication (MFA) has made password-based takeover harder, pushing attackers toward stealing post-authentication sessions instead.
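The following is an added illustration, not code from Google or the TAG report, of why a replayed cookie sidesteps MFA and what a server can do about it. It models a hypothetical in-memory session store: `resolve_naive` is the common pattern in which any bearer of the cookie is the user, and `resolve_bound` binds the session to the browser and address it was issued to and demands a fresh MFA step-up before a sensitive action such as a channel transfer. The user, addresses, user-agent strings and timeouts are all constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    mfa_passed: bool      # second factor verified at login
    issued_at: float
    ua_hash: str          # sha256 of the User-Agent seen at login
    ip: str               # client address seen at login
    last_step_up: float   # last time the user re-proved possession of the MFA factor


def _ua_hash(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


class SessionStore:
    """Hypothetical in-memory server-side session table keyed by the cookie value."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, mfa_passed: bool, user_agent: str, ip: str) -> str:
        """Return the cookie value issued after a (hypothetical) password + MFA check."""
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[token] = Session(user, mfa_passed, t, _ua_hash(user_agent), ip, t)
        return token

    def resolve_naive(self, token: str) -> Optional[str]:
        """Vulnerable pattern: whoever presents the cookie is the user.
        MFA was checked once at login, so a cookie copied out of the creator's
        browser profile is accepted unchanged from the attacker's machine."""
        s = self._sessions.get(token)
        return s.user if s is not None and s.mfa_passed else None

    def resolve_bound(self, token: str, user_agent: str, ip: str, *,
                      sensitive: bool = False,
                      step_up_max_age: float = 300.0) -> Optional[str]:
        """Hardened pattern: bind the session to the client context it was issued
        to, and demand a fresh MFA step-up for sensitive actions such as a channel
        transfer. Returns the user, "STEP_UP_REQUIRED", or None (rejected)."""
        s = self._sessions.get(token)
        if s is None or not s.mfa_passed:
            return None
        # The same cookie arriving from a different browser or address is the
        # signature of pass-the-cookie: revoke the session instead of just denying.
        if s.ua_hash != _ua_hash(user_agent) or s.ip != ip:
            del self._sessions[token]
            return None
        if sensitive and self._now() - s.last_step_up > step_up_max_age:
            return "STEP_UP_REQUIRED"
        return s.user

    def record_step_up(self, token: str) -> None:
        """Called after the user successfully re-enters their second factor."""
        self._sessions[token].last_step_up = self._now()


def demo():
    """Constructed scenario: the creator logs in with MFA, stealer malware copies
    the cookie, and the attacker replays it from another host.
    Returns (naive_result, bound_result)."""
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    creator_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/94.0"
    cookie = store.login("creator@example.com", True, creator_ua, "198.51.100.7")

    attacker_ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/92.0"
    naive = store.resolve_naive(cookie)  # attacker is accepted as the creator
    bound = store.resolve_bound(cookie, attacker_ua, "203.0.113.9", sensitive=True)
    return naive, bound


if __name__ == "__main__":
    print(demo())  # ('creator@example.com', None)
```

Two caveats a practitioner should keep in mind. Binding to the client IP is a tradeoff (mobile networks and corporate NAT change addresses mid-session), and a stealer that copies the cookie can copy the User-Agent string too, so context binding is a detection signal rather than a hard boundary. The controls that actually hold are the ones Google describes later on this page: a fresh step-up for sensitive actions, and phishing-resistant, device-bound factors such as FIDO keys.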
Google introduces security measures to prevent YouTube account theft
Google says it has automatically detected and recovered 99% of the YouTube channels that were illegally transferred away from their legitimate owners.
It also introduced additional heuristic rules to identify and block phishing and social engineering emails, to prevent YouTube cookie theft, and to stop crypto-scam live streams on hijacked accounts.
Since May 2021, Google says it has detected 99.6% of these phishing emails in Gmail, blocking 1.6 million messages and 2,400 malicious attachments.
Following the Gmail crackdown, the attackers shifted to messaging apps such as WhatsApp, Telegram, and Discord to reach victims. Google’s researchers also expect the phishing to move toward creators’ non-Gmail email accounts.
Additionally, Google improved Safe Browsing to identify and block the malware landing pages used to distribute cookie-stealing malware, and strengthened its channel transfer processes and authentication workflows so that account owners are notified of sensitive actions. Beginning on November 1, 2021, Google will also require two-factor authentication for monetized accounts to prevent account takeover.
“We can expect to see more of this class of attack,” said Josh Yavor, CISO at Tessian. “Organizations need to be mindful of how they protect not just initial authentication – through the use of multi-factor authentication and ideally FIDO based options that are resilient to phishing – but also the computers from which employees access applications.”