Hackers-for-hire have been hijacking accounts of YouTube creators

Stealing browser cookies helped attackers to hijack accounts of YouTube stars since at least 2019

Social engineering and phishing campaign target YouTube profiles

Cookie theft malware allowed hackers to hijack accounts of high-profile creators on YouTube.

Google's Threat Analysis Group (TAG) reports on a phishing campaign targeting YouTube creators with cookie theft techniques.[1] Attackers have been hijacking creators' channels by luring them with fake collaboration and advertising offers involving commonly promoted products such as VPNs and antivirus tools.[2] The disinformation and phishing campaigns apparently involved government-backed, financially motivated hackers who created domains, social media accounts, and other content to fake the legitimacy of companies.

According to the new report[3] from TAG, the phishing campaign using the cookie theft malware has been disrupted. The network of hired hackers was formed from people recruited in Russian-speaking online forums. Ashley Shen stated in the report:

Cookie Theft, also known as “pass-the-cookie attack,” is a session hijacking technique that enables access to user accounts with session cookies stored in the browser.

The technique is not new, but its resurgence as a top security risk is likely tied to the wider adoption of multi-factor authentication: stolen passwords alone are harder to abuse, while a stolen session cookie is accepted after the second factor has already been checked, so attackers have shifted their focus to social engineering and phishing tactics. Domains and social media accounts were created to fake the legitimacy of the network's companies. Hackers copied the content of official company sites and replaced the download URLs with their own malicious ones serving cookie theft malware.
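The report's point is that a session cookie is a bearer token issued after login and MFA, so whoever presents it is trusted without a second factor. The following is an added example, not code from the article or from Google's report, showing one server-side mitigation: binding each session to a fingerprint of the client that authenticated and revoking the session, with an alert, when the same cookie is presented from a different client. The fingerprint choice (user agent plus /24 network), the eight-hour session lifetime, and all user names, IP addresses, and timestamps are constructed assumptions for the demo.

```python
"""Server-side detection of replayed (stolen) session cookies.

Added example, not from the article or Google TAG. A session cookie is a
bearer token handed out *after* password + MFA, so a cookie stolen from the
browser is accepted without any second factor. The store below binds each
session to the client that authenticated and revokes it on replay from a
different client. Every value here (users, IPs, timestamps) is constructed.
"""
import hashlib
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass, field

SESSION_TTL = 8 * 3600  # seconds; hypothetical site policy


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client's /24 network and user agent.

    The /24 granularity tolerates ordinary DHCP address churn while still
    catching a cookie replayed from another network (assumption, not policy
    from the report).
    """
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    issued_at: float
    revoked: bool = False


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def issue(self, user: str, ip: str, user_agent: str, now=None) -> str:
        """Called only after password and MFA checks succeed."""
        now = time.time() if now is None else now
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user, client_fingerprint(ip, user_agent), now)
        return cookie

    def check(self, cookie: str, ip: str, user_agent: str, now=None) -> str:
        """Validate a presented cookie.

        Returns 'ok', 'unknown', 'revoked', 'expired' or 'hijack'. A
        fingerprint mismatch revokes the session for everyone, including
        the legitimate owner, who then has to log in (and pass MFA) again.
        """
        now = time.time() if now is None else now
        sess = self.sessions.get(cookie)
        if sess is None:
            return "unknown"
        if sess.revoked:
            return "revoked"
        if now - sess.issued_at > SESSION_TTL:
            sess.revoked = True
            return "expired"
        presented = client_fingerprint(ip, user_agent)
        if not hmac.compare_digest(presented, sess.fingerprint):
            sess.revoked = True
            self.alerts.append(
                f"session of {sess.user} replayed from {ip} ({user_agent}); revoked"
            )
            return "hijack"
        return "ok"


def simulate() -> list:
    """Constructed scenario: a creator logs in, then the cookie is replayed."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"
    cookie = store.issue("creator@example.invalid", "198.51.100.23", ua, now=t0)
    return [
        store.check(cookie, "198.51.100.23", ua, now=t0 + 60),   # same device
        store.check(cookie, "198.51.100.77", ua, now=t0 + 120),  # same /24, DHCP churn
        store.check(cookie, "203.0.113.9", "python-requests/2.26", now=t0 + 180),  # stolen cookie
        store.check(cookie, "198.51.100.23", ua, now=t0 + 240),  # owner is now logged out too
    ]


if __name__ == "__main__":
    print(simulate())
```

The fourth result shows the cost of this control: the victim's own session dies along with the attacker's, which is acceptable because re-authentication is exactly the step the stolen cookie was letting the attacker skip. Logging the alert with the offending IP and user agent gives the platform the signal that the article's campaign otherwise leaves invisible, since the attacker's requests carry a perfectly valid cookie.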

Social engineering scamming techniques

The campaign began with a message sent to the account owner. The initial messages offered video advertisement collaborations for common programs and software, chosen so the creator's interest would peak. Those campaigns involved products that online content creators commonly promote:

  • VPN clients;
  • anti-virus tools;
  • music players;
  • photo editing apps;
  • online games.

Once the link in such a message gets clicked, the recipient is redirected to a malware landing page that imitates the legitimate software provider's site. Hackers even used the pandemic theme in their campaigns, posing as news providers offering a particular reporting software, “News Covid-19”. These sites and services were used to lure the targeted people.

Some of the websites impersonated legitimate software sites, such as Luminar, Cisco VPN, games on Steam, and some were generated using online templates.

At least a thousand such domains were detected. They were built specifically for the fraud campaign to deliver the cookie-stealing malware, which extracts passwords and authentication cookies from victims' machines. All the valuable data is then transferred to command-and-control servers held by the attackers.

Obtained cookies provided the option to hijack accounts

At least 15,000 accounts were detected sending such phishing messages[4] in the campaign. Hackers would use the stolen cookies to take over YouTube creator profiles and even bypass two-factor authentication. From there, the attacker can take any step: changing the password, the recovery email, and the phone number.

At least 1.6 million messages have been blocked since May. In the same period, 4,000 YouTube influencer accounts were also recovered. Some of those accounts had been listed for sale in account-trading markets; depending on the subscriber count, they were listed for $3 to $4,000 per account.

Other accounts were rebranded for digital currency scams and videos promoting giveaways. Such channels used live streams in which the attackers posed as large cryptocurrency exchanges and tech companies to lure viewers into contributing to the scam.[5] The investigations also show that other platforms and messaging apps, such as WhatsApp, Telegram, and Discord, have been targeted.

About the author

Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from Washington and Jefferson College, Communication and Journalism studies.
