Freelance phishers-for-hire are targeting YouTube content providers, hoping to trick victims into downloading cookie-stealing malware so they can hijack their channels for the purpose of publishing scam content.
Google has been disrupting these kinds of campaigns since as far back as 2019, according to a new blog post from the tech and search giant’s Threat Analysis Group (TAG), which notes that there has been a recent resurgence in such activity.
The campaign essentially serves as a double dose of social engineering, experts report. YouTube creators are lured in by the promise of content, revenue and free/promotional products, while viewers of the hijacked channels are potentially defrauded into watching video and livestreams designed to sell cryptocurrency services or other scammer-controlled products.
“These social media and influencer accounts can be very valuable to cybercriminals, as they can be used to abuse the trust followers have to improve the effectiveness of scams or to spread malware,” said Erich Kron, security awareness advocate at KnowBe4. “When a person receives an email or other notification from a trusted content creator, it is far easier to convince them to click on links, make fraudulent purchases or to give up sensitive information about themselves. This is especially true when social media or content creator accounts carry a verified or similar status from the platform.”
Google TAG has attributed the campaign to a group of hackers who have been recruited over a Russian-speaking forum to contact YouTube creators — who often publicize their emails for business opportunities — and tempt them with fake collaborations where they can supposedly broadcast demos of anti-virus software, VPNs, music players, photo editing software, online games and other services.
The malicious hackers send the content creators a link to a URL that appears to be a software download website or social media page, but in reality is a malware landing page that’s designed to look as if it belongs to a legitimate brand. “Around 15,000 actor accounts were identified, most of which were created for this campaign specifically,” said the report, authored by Ashley Shen, analyst at Google TAG. “To date, we’ve identified at least 1,011 domains created solely for this purpose. Some of the websites impersonated legitimate software sites, such as Luminar, Cisco VPN, games on Steam, and some were generated using online templates.”
“This particular campaign appears to heavily leverage desire for financial gain/monetary opportunity and incorporates a number of details to appear legitimate — the fake social media pages copied from existing companies, for example,” said Sherrod DeGrippo, vice president of threat research at Proofpoint. “They also appear to be sending benign emails to initiate a conversation with the potential victim. This method of social engineering can build rapport with a potential victim and put them at ease before the attacker sends a malicious link or payload.”
The malware steals cookies and sometimes passwords from the user’s browser, allowing the perpetrators to session-hijack his or her YouTube channel, and then either auction it off or rebrand the page and use it to market impersonated or fraudulent cryptocurrency services (or other scams). Google TAG theorized that the recent uptick in the pass-the-cookie technique could be the result of a “wider adoption of multi-factor authentication (MFA), making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics.”
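The pass-the-cookie flow described above has a server-side tell that a platform can watch for: a stolen session cookie is, by definition, presented by a client other than the one that logged in. The following Python is an added example written for this article, not code from Google, YouTube or the TAG report; the log field names, action names and sample events are constructed assumptions, not any real platform's schema. It binds each session cookie to the client that first used it, flags later requests whose user agent or network origin no longer matches, and lists the channel-changing actions that should be held for re-authentication, which is the kind of hardened workflow that makes a copied cookie insufficient on its own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SessionEvent:
    ts: int            # seconds since epoch; every value below is constructed
    session_id: str    # the session cookie value presented with the request
    ip: str            # client source address as seen by the server
    user_agent: str    # client User-Agent header
    action: str        # assumed action name, not a real platform's schema


# Actions that alter the channel. A hijacker has to perform one of these to
# rebrand, upload to, or transfer a channel, so this is where a check pays off.
SENSITIVE_ACTIONS = {
    "channel_settings_change", "upload", "livestream_start", "channel_transfer",
}


def detect_replayed_sessions(events: List[SessionEvent]) -> List[dict]:
    """Flag session cookies presented by a client that differs from the client
    that originally established the session.

    A user-agent change mid-session is rare for a real browser and is treated
    as high severity by itself. An IP change alone is common (mobile networks,
    VPNs), so it is only flagged when paired with a channel-changing action.
    """
    origin: Dict[str, SessionEvent] = {}   # first client seen per cookie
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        first = origin.setdefault(ev.session_id, ev)
        if first is ev:
            continue  # first sighting of this cookie: record the origin client
        if ev.user_agent != first.user_agent:
            alerts.append({
                "session_id": ev.session_id, "ts": ev.ts, "severity": "high",
                "reason": "user_agent_mismatch", "action": ev.action,
            })
        elif ev.ip != first.ip and ev.action in SENSITIVE_ACTIONS:
            alerts.append({
                "session_id": ev.session_id, "ts": ev.ts, "severity": "medium",
                "reason": "ip_change_on_sensitive_action", "action": ev.action,
            })
    return alerts


def actions_requiring_step_up(alerts: List[dict]) -> List[Tuple[str, int]]:
    """Mitigation hook: return (session_id, ts) of flagged channel-changing
    actions that should be held until the user re-authenticates (e.g. MFA),
    so possession of the cookie alone does not let the action through."""
    return [(a["session_id"], a["ts"]) for a in alerts
            if a["action"] in SENSITIVE_ACTIONS]


# Constructed sample: s1 is a creator's browser session whose cookie is later
# replayed by a different tool; s2 changes network and then uploads.
SAMPLE_EVENTS = [
    SessionEvent(100, "s1", "203.0.113.10", "Chrome/94 Windows", "watch"),
    SessionEvent(200, "s1", "203.0.113.10", "Chrome/94 Windows", "watch"),
    SessionEvent(300, "s1", "198.51.100.7", "Chrome/94 Windows", "watch"),
    SessionEvent(400, "s1", "198.51.100.7", "curl/7.79", "channel_settings_change"),
    SessionEvent(150, "s2", "192.0.2.5", "Safari iOS", "watch"),
    SessionEvent(500, "s2", "192.0.2.99", "Safari iOS", "upload"),
]

ALERTS = detect_replayed_sessions(SAMPLE_EVENTS)

if __name__ == "__main__":
    for a in ALERTS:
        print(a)
    print("hold for re-auth:", actions_requiring_step_up(ALERTS))
```

On the constructed data the IP-only change at ts=300 is not flagged (the action is a plain view), the replay at ts=400 is flagged as a high-severity user-agent mismatch, and the upload at ts=500 is flagged at medium severity; both flagged actions are returned as candidates for step-up authentication. In a real deployment the origin client would be stored with the session at login rather than inferred from the first log line, and the IP comparison would usually be done at ASN or country granularity to cut noise from mobile carriers.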
Examples of commodity or open-source cookie-stealing malware, according to Google, include RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad, Kantal, Sorano and AdamantiumThief. The blog post also noted that hijacked channels’ sales prices ranged anywhere from $3 to $4,000, depending on how many people have subscribed.
Google, which owns YouTube, said that recent improvements designed to protect users against threats like this include better heuristic rules, Safe Browsing, hardened authentication workflows, and hardened channel transfer workflows, which have detected and auto-recovered more than 99% of hijacked channels.