Since at least late 2019, a network of hackers-for-hire has been hijacking the channels of YouTube creators, luring them with bogus collaboration opportunities and then using the channels to broadcast cryptocurrency scams or selling the accounts to the highest bidder.
That is according to a new report published by Google's Threat Analysis Group (TAG), which said it disrupted financially motivated phishing campaigns that targeted the video platform with cookie-theft malware. The actors behind the intrusions have been attributed to a group of hackers recruited on a Russian-speaking forum.
"Cookie theft, also known as a 'pass-the-cookie attack,' is a session hijacking technique that enables access to user accounts with session cookies stored in the browser," TAG's Ashley Shen explained. "While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics."
Since May, the internet giant said it has blocked 1.6 million messages and restored nearly 4,000 YouTube influencer accounts affected by the social-engineering campaign, with some of the hijacked channels selling for anywhere between $3 and $4,000 on account-trading markets, depending on the subscriber count.
[Image caption: fake error window shown by the malware]
Other channels, in contrast, were rebranded for cryptocurrency scams in which the adversary live-streamed videos promising cryptocurrency giveaways in return for an initial contribution, but not before changing the channel's name, profile picture, and content to spoof large tech or cryptocurrency exchange firms.
The attacks involved sending channel owners a malicious link under the guise of video ad collaborations for antivirus software, VPN clients, music players, photo editing apps, or online games. When clicked, the link redirected the recipient to a malware landing page, some of which impersonated legitimate software sites such as Luminar and Cisco VPN, or masqueraded as media outlets focused on COVID-19.
Google said it identified no fewer than 15,000 accounts behind the phishing messages and 1,011 domains that were purpose-built to deliver the fraudulent software. That software executed cookie-stealing malware designed to extract passwords and authentication cookies from the victim's machine and upload them to the actor's command-and-control servers.
The hackers would then use the session cookies to take control of a YouTube creator's account, effectively circumventing two-factor authentication (2FA): a session cookie is issued only after the second factor has already been satisfied, so a server that receives the stolen cookie sees an ordinary authenticated session. From there the attackers took steps to change passwords and the account's recovery email address and phone numbers, locking the legitimate owner out.
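The server-side signal a pass-the-cookie takeover leaves behind, and the check that blunts the follow-on password and recovery-detail changes, as an added example that is not part of the TAG report or the THN article. It runs over a constructed JSON-lines access log; the session IDs, documentation-range IP addresses, user agents, paths, the "mfa_age_s" field (seconds since the user last completed a second-factor challenge) and the 10-minute re-authentication policy are all assumptions made for the demonstration.

```python
import json
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed access log in JSON-lines form (not real YouTube or Google data).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges; the
# session IDs, user agents and "mfa_age_s" (seconds since the user last
# completed a second-factor challenge) are made up for the demonstration.
SAMPLE_LOG = """\
{"ts": "2021-10-01T09:00:00Z", "ip": "203.0.113.10", "sid": "sid_creator1", "ua": "Chrome/94 Windows", "path": "/login", "mfa_age_s": 0}
{"ts": "2021-10-01T09:05:00Z", "ip": "203.0.113.10", "sid": "sid_creator1", "ua": "Chrome/94 Windows", "path": "/studio/dashboard", "mfa_age_s": 300}
{"ts": "2021-10-01T11:20:00Z", "ip": "198.51.100.77", "sid": "sid_creator1", "ua": "Firefox/93 Linux", "path": "/studio/dashboard", "mfa_age_s": 8400}
{"ts": "2021-10-01T11:21:00Z", "ip": "198.51.100.77", "sid": "sid_creator1", "ua": "Firefox/93 Linux", "path": "/account/recovery-email", "mfa_age_s": 8460}
{"ts": "2021-10-01T11:22:00Z", "ip": "198.51.100.77", "sid": "sid_creator1", "ua": "Firefox/93 Linux", "path": "/account/password", "mfa_age_s": 8520}
{"ts": "2021-10-01T12:00:00Z", "ip": "203.0.113.55", "sid": "sid_creator2", "ua": "Safari/15 macOS", "path": "/login", "mfa_age_s": 0}
{"ts": "2021-10-01T12:30:00Z", "ip": "203.0.113.55", "sid": "sid_creator2", "ua": "Safari/15 macOS", "path": "/account/password", "mfa_age_s": 1800}
"""

# The first things an account thief changes (see the article). These should
# demand a fresh second factor no matter how valid the session cookie is.
SENSITIVE_PATHS = {"/account/password", "/account/recovery-email", "/account/recovery-phone"}
MAX_MFA_AGE_S = 600  # hypothetical policy: second factor completed within 10 minutes


def parse_log(text: str) -> List[dict]:
    """Parse a JSON-lines access log into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def fingerprint(ev: dict) -> Tuple[str, str]:
    """Client context a session is bound to when it is created."""
    return (ev["ip"], ev["ua"])


def analyze(events: List[dict]) -> List[dict]:
    """Return one finding per request that should be blocked or challenged.

    kind == "cookie_reuse": the session cookie is presented from a client
    context other than the one that logged in (the pass-the-cookie signature).
    kind == "step_up_required": a sensitive action with a stale second factor.
    """
    bound: Dict[str, Tuple[Tuple[str, str], datetime]] = {}
    findings: List[dict] = []
    for ev in events:
        sid, fp = ev["sid"], fingerprint(ev)
        if ev["path"] == "/login" or sid not in bound:
            # Bind the session to the context that created it (or, if the
            # login predates the log window, to the first context seen).
            bound[sid] = (fp, ev["ts"])
            if ev["path"] == "/login":
                continue
        first_fp, first_ts = bound[sid]
        if fp != first_fp:
            findings.append({
                "kind": "cookie_reuse", "sid": sid, "ts": ev["ts"], "path": ev["path"],
                "detail": f"bound to {first_fp} at {first_ts.isoformat()}, now used from {fp}",
            })
        if ev["path"] in SENSITIVE_PATHS and ev["mfa_age_s"] > MAX_MFA_AGE_S:
            findings.append({
                "kind": "step_up_required", "sid": sid, "ts": ev["ts"], "path": ev["path"],
                "detail": f"second factor is {ev['mfa_age_s']}s old (limit {MAX_MFA_AGE_S}s)",
            })
    return findings


def hijacked_sessions(findings: List[dict]) -> Set[str]:
    """Session IDs that were replayed from a foreign client context."""
    return {f["sid"] for f in findings if f["kind"] == "cookie_reuse"}


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        print(f"{f['ts'].isoformat()} {f['kind']:18} {f['sid']} {f['path']} ({f['detail']})")
```

Binding a session to its source IP and User-Agent is a heuristic: mobile carriers and VPNs change addresses legitimately, so a `cookie_reuse` finding is best used to force a fresh second factor or send an alert rather than to block outright. The step-up rule is independent of the fingerprint, which is what matters here: the stolen cookie is valid, so only a requirement to re-prove the second factor stops it from being used to rotate the recovery email and phone number.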
Following Google's intervention, the perpetrators were observed steering targets to messaging apps like WhatsApp, Telegram, and Discord in an attempt to get around Gmail's phishing protections, and moving to other email providers like aol.com, email.cz, seznam.cz, and post.cz. Users are strongly advised to secure their accounts with two-factor authentication. Note that 2FA protects against the passwords the malware also harvests but does not by itself defeat a stolen session cookie, which is issued after the second factor has been checked; anyone who has run software received through such a "collaboration" offer should treat the machine as compromised, sign out of all active sessions and change the password and recovery details from a clean device.
Some parts of this article are sourced from: thehackernews.com