Google squashes phishing campaign targeting YouTubers


YouTube content creators have been subjected to financially motivated phishing campaigns since late 2019, according to Google’s cybersecurity researchers.

The search giant’s Threat Analysis Group (TAG) has shared details of the campaigns it has been disrupting, which rely on cookie-stealing malware (“Cookie Theft” malware, in TAG’s terms).

“In collaboration with YouTube, Gmail, Trust & Safety, CyberCrime Investigation Group and Safe Browsing teams, our protections have decreased the volume of related phishing emails on Gmail by 99.6% since May 2021,” shares TAG researcher Ashley Shen in a blog post.


TAG attributes the campaigns to threat actors recruited through a Russian-speaking underground forum. 

Smash and grab

Shen says that the hackers lure their targets with fake collaboration opportunities, then use the malware delivered through that pretext to hijack the victim's channel, which they either sell to the highest bidder (for up to $4,000) or use to broadcast cryptocurrency scams.

The Cookie Theft technique employed by the attackers let them take over victims' accounts by stealing the session cookies stored in their web browsers: a copied cookie represents an already-authenticated session, so it can be replayed without the victim's password.

"While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics," shares Shen.
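The defensive side of the point Shen makes above is that a stolen session cookie is only as valuable as the server's willingness to honour it from anywhere, for as long as it likes. The following is an added example, not code from Google, TAG or YouTube, of a minimal server-side session store that binds each session to a client fingerprint and a short lifetime, so that a cookie replayed from the attacker's machine is revoked and the account owner is sent back through login (and MFA). All names, timeouts and sample values are assumptions constructed for illustration.

```python
"""Added example: session store that limits the damage of cookie theft.
Not Google/TAG code; all identifiers and values are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SESSION_LIFETIME = 8 * 3600   # absolute lifetime in seconds (assumed policy)
IDLE_TIMEOUT = 30 * 60        # idle timeout in seconds (assumed policy)


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of client attributes that normally stay stable for one browser session.
    Only the /24 prefix of the IPv4 address is used so that a small address change
    on the same network does not log the legitimate user out."""
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{prefix}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    created: float    # epoch seconds
    last_seen: float  # epoch seconds


@dataclass
class SessionStore:
    # Sessions are keyed by an HMAC of the cookie value, so a leaked copy of the
    # store does not hand out live cookies.
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    sessions: dict = field(default_factory=dict)

    def _key(self, cookie: str) -> str:
        return hmac.new(self.secret, cookie.encode(), "sha256").hexdigest()

    def create(self, user: str, ip: str, user_agent: str, now: float) -> str:
        """Issue a fresh cookie after a successful (MFA-backed) login."""
        cookie = secrets.token_urlsafe(32)
        fp = client_fingerprint(ip, user_agent)
        self.sessions[self._key(cookie)] = Session(user, fp, now, now)
        return cookie

    def validate(self, cookie: str, ip: str, user_agent: str, now: float) -> str:
        """Return 'ok', 'expired', 'reauth' (client changed) or 'invalid'."""
        key = self._key(cookie)
        session = self.sessions.get(key)
        if session is None:
            return "invalid"
        if (now - session.created > SESSION_LIFETIME
                or now - session.last_seen > IDLE_TIMEOUT):
            del self.sessions[key]
            return "expired"
        if not hmac.compare_digest(session.fingerprint,
                                   client_fingerprint(ip, user_agent)):
            # The same cookie is being presented from a different client: the
            # classic symptom of cookie theft. Revoke it so that neither the
            # attacker nor the owner can keep using it; the owner logs in again.
            del self.sessions[key]
            return "reauth"
        session.last_seen = now
        return "ok"


def demo() -> tuple:
    """Walk through a legitimate request, a replay of the stolen cookie from
    another host, and the owner's next request after the revocation."""
    store = SessionStore()
    t0 = 1_700_000_000.0  # constructed timestamp
    owner_ip, owner_ua = "203.0.113.10", "Mozilla/5.0 (X11; Linux x86_64)"
    cookie = store.create("creator@example.com", owner_ip, owner_ua, t0)
    legit = store.validate(cookie, owner_ip, owner_ua, t0 + 60)
    # Exfiltrated cookie replayed from a different network and browser.
    stolen = store.validate(cookie, "198.51.100.7",
                            "Mozilla/5.0 (Windows NT 10.0)", t0 + 120)
    # The mismatch revoked the session, so the owner must log in again too.
    after = store.validate(cookie, owner_ip, owner_ua, t0 + 180)
    return legit, stolen, after


if __name__ == "__main__":
    print(demo())  # ('ok', 'reauth', 'invalid')
```

Fingerprint binding is a heuristic, not a proof of identity: malware that exfiltrates the cookie can exfiltrate the user agent alongside it, and users legitimately change networks. The checks that hold up regardless are the short absolute and idle lifetimes above, re-prompting for MFA before sensitive actions such as changing channel ownership or payout details, and logging the "reauth" events as a detection signal.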

Interestingly, Shen says the malware used in the campaign was run in a non-persistent mode, so that it did not linger on a compromised system long enough to attract the attention of security products.

Migrated elsewhere

Commenting on the size of the campaigns, Shen says that TAG identified over 1,000 domains along with about 15,000 user accounts that were created solely for the purpose of orchestrating the scam.

Those email accounts were used to send YouTube creators' business addresses phishing emails containing links that redirected to malware landing pages. TAG helped block about 1.6 million such messages, and successfully restored access to about 4,000 accounts.

“With increased detection efforts, we’ve observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com),” concludes Shen, hinting that the campaign has only switched email providers and is perhaps still active. 

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.