Cookie theft malware in phishing campaigns targets YouTube content creators

YouTube Malware Attack with Cookie Theft

According to a new report published by Google’s Threat Analysis Group (TAG), YouTube channels are being hijacked by a group known as Hackers-for-Hire.

The group is known for luring YouTube creators with fake partnership offers and then using the hijacked channels to broadcast cryptocurrency scams or selling the accounts to the highest bidder; the partnership offers themselves are the false promise.

Google’s TAG said it has disrupted phishing campaigns that deliver cookie theft malware. The attackers are linked to a group of hackers operating on a Russian forum.

“Cookie Theft, also known as ‘pass-the-cookie attack,’ is a session hijacking technique that enables access to user accounts with session cookies stored in the browser,” TAG’s Ashley Shen said. “While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics.”
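Because a stolen session cookie bypasses the password and MFA prompt entirely, the server side can only catch the hijack by noticing that the same session is suddenly presented by a different client. The detector below is an added example written for this article, not code from Google's report; the log format, session ids and addresses are constructed, and the "first client wins" binding rule is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log (not from the report): one legitimate session, then the
# same session cookie replayed from a different IP and browser, then an unrelated session.
SAMPLE_LOG = """\
2021-10-20T10:01:00Z sid=a1b2c3 ip=203.0.113.10 ua="Chrome/94 Windows" path=/studio
2021-10-20T10:02:10Z sid=a1b2c3 ip=203.0.113.10 ua="Chrome/94 Windows" path=/upload
2021-10-20T10:05:42Z sid=a1b2c3 ip=198.51.100.77 ua="Firefox/93 Linux" path=/settings
2021-10-20T10:06:05Z sid=a1b2c3 ip=198.51.100.77 ua="Firefox/93 Linux" path=/channel/rename
2021-10-20T10:07:30Z sid=d4e5f6 ip=192.0.2.55 ua="Safari/15 macOS" path=/watch
"""

LINE_RE = re.compile(r'(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]+)" path=(?P<path>\S+)')

@dataclass(frozen=True)
class Alert:
    ts: str
    sid: str
    reason: str
    path: str

def detect_cookie_reuse(log_text: str) -> list[Alert]:
    """Flag every request where a session cookie arrives from a client that does not
    match the (ip, user-agent) pair the session was first seen with."""
    first_seen: dict[str, tuple[str, str]] = {}
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the constructed format
        sid, ip, ua = m["sid"], m["ip"], m["ua"]
        if sid not in first_seen:
            first_seen[sid] = (ip, ua)  # bind the session to its first client
            continue
        orig_ip, orig_ua = first_seen[sid]
        mismatches = []
        if ua != orig_ua:
            mismatches.append(f"user-agent changed {orig_ua!r} -> {ua!r}")
        if ip != orig_ip:
            mismatches.append(f"ip changed {orig_ip} -> {ip}")
        if mismatches:
            alerts.append(Alert(m["ts"], sid, "; ".join(mismatches), m["path"]))
    return alerts

def sessions_to_revoke(log_text: str) -> set[str]:
    # Sessions to invalidate server-side so the stolen cookie stops working.
    return {a.sid for a in detect_cookie_reuse(log_text)}

if __name__ == "__main__":
    for a in detect_cookie_reuse(SAMPLE_LOG):
        print(f"{a.ts} {a.sid} {a.path}: {a.reason}")
```

A real deployment would use a softer fingerprint (IP changes on mobile networks are normal) and step up to re-authentication rather than hard-revoking on the first mismatch.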

What Google has done

  • Blocked over 1.6 million messages.
  • Restored nearly 4,000 YouTube accounts affected by the malware attacks.

How did it work?

The hacker group used various techniques to promote the cryptocurrency scams: rebranding the hijacked YouTube channels, live-streaming Bitcoin giveaway videos that asked viewers for a small contribution, and changing the channel’s name and profile picture to impersonate large tech companies and cryptocurrency exchanges. The hijacked accounts were also traded on a secret account-trading marketplace for anywhere from $3 to upwards of $3,000, depending on the subscriber count.

Google identified and took down nearly 15,000 hijacked accounts and 1,011 domains that were purpose-built to deliver the cookie-stealing malware and harvest passwords.

The hacker group is now targeting messaging platforms like WhatsApp and Telegram.