Google says YouTube creators have been targeted with credentials hijacking malware in phishing attacks coordinated by financially motivated threat actors. Investigators with Google’s Threat Analysis Group (TAG), who initially spotted the operations in late 2019, discover that multiple hack-for-hire actors inducted through job ads on Russian-speaking forums were behind these adversaries.

The threat actors utilized social engineering (through fake software landing pages and social media accounts) and phishing emails to infect YouTube creators with data-hijacking malware, chosen based on each threat actor’s weakness.

Channels Seized in Pass-The-Cookie Attacks

Malware recognized in the attacks includes commodity strains like RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad, and Kantal, as well as open-source ones like AdamantiumThief and leaked tools such as Sorano.

Once delivered on the targets’ systems, the malware was used to steal their credentials and browser cookies which allowed the attackers to hijack the victims’ accounts in pass-the-cookie attacks.            

“While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics,” said Ashley Shen, a TAG Security Engineer.

“Most of the observed malware was capable of stealing both user passwords and cookies. Some of the samples employed several anti-sandboxing techniques including enlarged files, encrypted archive and download IP cloaking.”

Google identified at least 1,011 domains linked to these attacks and roughly 15,000 actor accounts specifically created for this campaign and used to deliver phishing emails containing links redirecting to malware landing pages to YouTube creators’ business emails.

Traded For up to $4,000 on Underground Markets

A meaningful number of YouTube channels seized in these attacks were later rebranded to represent high-profile tech managers or cryptocurrency exchange firms and used for live streaming cryptocurrency scams.

Others were marketed on covered account-trading markets, where they are worth anything between $3 to $4,000, depending on their total number of subscribers. Shen added that Google’s Threat Analysis Group cut down phishing emails linked to these attacks on Gmail by 99.6% since May 2021.

“We blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts,” Shen said.

“Including enhanced disclosure attempts, we have recognized attackers changing away from Gmail to another email providers mostly email.cz, seznam.cz, post.cz and aol.com.” Google also published this malicious activity to the FBI for further investigation to protect YouTube users and originators targeted in the operations.