The search giant’s Threat Analysis Group (TAG) has shared details about these thwarted campaigns, which were orchestrated using Cookie Theft malware.
“In collaboration with YouTube, Gmail, Trust & Safety, CyberCrime Investigation Group and Safe Browsing teams, our protections have decreased the volume of related phishing emails on Gmail by 99.6% since May 2021,” shares TAG researcher Ashley Shen in a blog post.
TAG attributes the campaigns to threat actors recruited through a Russian-speaking underground forum.
Smash and grab
Shen says that the hackers lure their targets with fake collaboration opportunities, then use the malware-laced software to hijack the creator’s channel, which they either sell to the highest bidder (for up to $4,000) or use to broadcast cryptocurrency scams.
The Cookie Theft technique employed by the attackers enabled them to hijack victims’ accounts by stealing the session cookies stored in their web browsers: a session cookie represents a login that has already been completed, so replaying it from another machine grants access without the password or a fresh MFA prompt.
"While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics," shares Shen.
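The point in Shen’s remark is that MFA protects the login, not the session that the login produces. The following constructed example (added here for illustration; it is not Google’s or YouTube’s code, and every name in it is hypothetical) models a minimal session store in two configurations: one that accepts any valid cookie, as a plain web session does, and one that binds the session to the client context that completed MFA and revokes it when the cookie is replayed from elsewhere.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed illustration of cookie theft against a session store.
# All names and values are hypothetical; this is not any real site's code.

SESSION_TTL = 3600  # seconds a cookie stays valid before re-login is required


def client_context(ip: str, user_agent: str) -> str:
    """Hash the attributes the server can observe about the client."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self, bind_to_client: bool) -> None:
        # bind_to_client=False: behaves like an ordinary cookie session.
        # bind_to_client=True: the cookie is only honoured from the context
        # that completed password + MFA at login time.
        self.bind_to_client = bind_to_client
        self._sessions: dict = {}  # cookie value -> session record

    def login(self, user: str, password_ok: bool, mfa_ok: bool,
              ip: str, user_agent: str) -> Optional[str]:
        """Issue a session cookie only after password and MFA both succeed."""
        if not (password_ok and mfa_ok):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {
            "user": user,
            "issued": time.time(),
            "ctx": client_context(ip, user_agent),
        }
        return cookie

    def authenticate(self, cookie: str, ip: str, user_agent: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Return the user the cookie grants access as, or None if rejected."""
        rec = self._sessions.get(cookie)
        if rec is None:
            return None
        now = time.time() if now is None else now
        if now - rec["issued"] > SESSION_TTL:
            del self._sessions[cookie]  # expired: force a fresh login + MFA
            return None
        if self.bind_to_client and not hmac.compare_digest(
                rec["ctx"], client_context(ip, user_agent)):
            # Cookie presented from a different client than the one that
            # passed MFA: treat as suspected theft, revoke, force re-login.
            del self._sessions[cookie]
            return None
        return rec["user"]


def demo(bind_to_client: bool) -> dict:
    """Victim logs in with MFA; attacker replays the copied cookie."""
    store = SessionStore(bind_to_client)
    victim_ip, victim_ua = "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) creator-browser"
    cookie = store.login("creator", True, True, victim_ip, victim_ua)
    # The malware copies the cookie out of the victim's browser profile;
    # the attacker replays it from their own machine.
    attacker_ip, attacker_ua = "203.0.113.9", "python-requests/2.31"
    return {
        "victim": store.authenticate(cookie, victim_ip, victim_ua),
        "attacker": store.authenticate(cookie, attacker_ip, attacker_ua),
        # After a rejected replay, the bound store has already revoked the
        # session, so the legitimate user is signed out too.
        "victim_after": store.authenticate(cookie, victim_ip, victim_ua),
    }


if __name__ == "__main__":
    print("plain session:", demo(False))
    print("bound session:", demo(True))
```

In the unbound configuration the attacker is accepted as `creator` even though they never saw the password or an MFA code, which is exactly the gap Shen describes. The bound configuration rejects the replay, but the caveat matters: malware that lifts the cookie from the browser profile can lift the User-Agent string as well, and IP binding breaks for users on mobile or carrier NAT, so context binding is a detection aid rather than a fix. Short cookie lifetimes (the `SESSION_TTL` check) and a fresh MFA prompt before sensitive actions such as transferring channel ownership limit what a stolen cookie is worth regardless of who presents it.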
Interestingly, Shen says the malware used in the campaign was run in a non-persistent mode, so that it did not linger on a compromised system long enough to attract the attention of security products.
Commenting on the size of the campaigns, Shen says that TAG identified over 1,000 domains along with about 15,000 user accounts that were created solely for the purpose of orchestrating the scam.
These email accounts were used to send phishing emails to YouTube creators' business addresses, containing links that redirected to malware landing pages. TAG helped block about 1.6 million messages and successfully restored access to about 4,000 accounts.
“With increased detection efforts, we’ve observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com),” concludes Shen, hinting that the campaign has only switched email providers and is perhaps still active.