Hackers Leverage Phishing Strategy On YouTubers To Run Cryptocurrency Scams

How hackers are hijacking YouTube accounts to run ads for cryptocurrency scams

Google’s Threat Analysis Group has disclosed an ongoing phishing campaign targeting YouTubers. The campaign, run by hackers recruited in Russian-speaking forums, uses “fake collaboration opportunities” to solicit YouTubers and then hijacks their channels using “pass-the-cookie attacks,” with the intention of selling off the channels or broadcasting cryptocurrency scams.

The attacks begin with a phishing email offering a promotional collaboration. Once the deal is agreed, the YouTuber is sent a link to a malware page disguised as a download URL. This is where the real action begins: when the target runs the software, it pulls cookies from their PC and uploads them to “command and control servers” operated by the hackers.

Having those cookies, as Google explains, “enables access to user accounts with session cookies stored in the browser.” The cookies make remote sites think that the YouTuber is already logged in, which means hackers do not need to worry about stealing their login credentials.

“Cookie theft” is actually an old digital hijacking technique that’s enjoying a resurgence among unscrupulous actors, possibly because of the widespread adoption of security precautions that have made newer hacking techniques more difficult to pull off. Two-factor authentication, for instance, is a common security feature on major websites these days, but is ineffective against cookie theft. (You should still definitely be using it wherever possible, though.)

“Additional security mechanisms like two-factor authentication can present considerable obstacles to attackers,” University of Illinois Chicago computer scientist Jason Polakis told Ars Technica. “That renders browser cookies an extremely valuable resource for them, as they can avoid the additional security checks and defenses that are triggered during the login process.”
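Because the two-factor check runs only at login, a replayed cookie has to be caught afterwards, on the requests themselves. The following is an added example, not code from the original article or from Google: it scans a constructed access log for session cookies used from a context that never authenticated. The `Event` fields, the sample records and the choice of network plus User-Agent as the "context" are assumptions made for illustration.

```python
# Added example: flag session cookies replayed from an unauthenticated context.
# Field names and log records are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int          # seconds since start of the sample
    session_id: str  # opaque value of the session cookie
    kind: str        # "login" (password + 2FA passed) or "request"
    asn: int         # network the request came from
    ua: str          # User-Agent header

def find_replayed_sessions(events):
    """Return (ts, session_id, context) for requests from a context that never logged in.

    2FA is enforced only on "login" events, so a stolen cookie appears as
    "request" events whose (asn, ua) differ from every context that
    authenticated with that session.
    """
    trusted = {}  # session_id -> set of (asn, ua) that passed login
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        ctx = (ev.asn, ev.ua)
        if ev.kind == "login":
            trusted.setdefault(ev.session_id, set()).add(ctx)
        elif ctx not in trusted.get(ev.session_id, set()):
            alerts.append((ev.ts, ev.session_id, ctx))
    return alerts

def sessions_to_revoke(events):
    """Session IDs to invalidate so the holder must log in (and pass 2FA) again."""
    return sorted({sid for _, sid, _ in find_replayed_sessions(events)})

# Constructed sample log (ASNs are from the documentation range).
SAMPLE = [
    Event(0, "sess-A", "login", 64500, "Chrome/94 Windows"),
    Event(60, "sess-A", "request", 64500, "Chrome/94 Windows"),
    Event(120, "sess-B", "login", 64501, "Firefox/93 macOS"),
    Event(300, "sess-A", "request", 64510, "Chrome/94 Linux"),  # same cookie, new context
    Event(310, "sess-A", "request", 64510, "Chrome/94 Linux"),
    Event(400, "sess-B", "request", 64501, "Firefox/93 macOS"),
]

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE):
        print("possible cookie replay:", alert)
    print("revoke:", sessions_to_revoke(SAMPLE))
```

Revoking the flagged session forces whoever holds the cookie back through the login flow, which is the point where two-factor authentication applies again.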

The large majority of hijacked channels are used to impersonate large technology companies or cryptocurrency exchanges and then to advertise cryptocurrency giveaways in return for an upfront payment. Those that are sold off on account-trading markets fetch from $3 to $4,000, depending on the number of subscribers they have.

Google said it has reduced the volume of phishing emails related to these attacks by 99.6% since May 2021, and has blocked roughly 1.6 million emails and 2,400 files sent to targets. As a result, attackers are starting to move to non-Gmail providers, “mostly email.cz, seznam.cz, post.cz and aol.com.” But the big challenge in cybersecurity, as always, is the human factor. Phishing emails are deceptive (I have fallen for at least one myself, and I am aware of this stuff), and once they begin, stopping them is almost impossible.

The promise of “something for nothing” has great allure too: The big Twitter hack that occurred in 2020 (which actually began with a “phone spear phishing attack”) siphoned more than $100,000 from victims in a single day, simply by promising to double their Bitcoin contributions as a way of “giving back to the community.”

Author

Chris Munch