A group of hackers recruited on a Russian-speaking forum has been running a large phishing campaign against YouTube Creators since late 2019, Google’s Threat Analysis Group (TAG) revealed in a recent blog post.
The perpetrators, seeking cash, have created over 15,000 fake accounts and 1,011 domains specifically for this operation. They send forged business emails impersonating a legitimate company and lure targets with fake collaboration opportunities that require the victim to test a fake VPN, an online game, a COVID-19 news platform, or even bogus anti-virus software.
If the target agrees to the business opportunity, they receive a fake software download URL that redirects them to a malware-laden landing page. The malware then executes, transferring both cookies and passwords from the victim to the attacker’s servers.
“While cookie theft, also known as ‘pass-the-cookie,’ is a type of attack that has been around for decades, its resurgence as a top security risk could be due to wider adoption of multi-factor authentication (MFA),” said Ashley Shen from TAG. “This compels attackers to shift their focus to social engineering tactics.”
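To make the pass-the-cookie point concrete from the defender's side, here is an added example (not code from Google TAG or from this article) that scans constructed web-server log lines in an assumed format and flags a session cookie that was issued after MFA but is later presented from a different IP and user agent. It shows why a second factor does not help once the cookie itself is stolen: the replaying host never reaches the MFA prompt.

```python
"""Flag likely pass-the-cookie replay in constructed web-server logs.

Assumed line format: "<ts> <login|request> sid=<id> ip=<addr> ua=<agent>".
A 'login' records the client context in which the cookie was issued after MFA;
a later 'request' with the same sid from a different IP AND user agent is
flagged, since the replaying host is never re-prompted for a second factor.
"""
import re

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>login|request) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua=(?P<ua>.+)$")

def parse(line):
    """Parse one log line into a dict; reject anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()

def find_cookie_replay(lines):
    """Return (ts, sid, issued_ip, observed_ip) for each suspicious request."""
    bindings = {}  # sid -> (ip, ua) observed at login time
    alerts = []
    for line in lines:
        rec = parse(line)
        seen = (rec["ip"], rec["ua"])
        if rec["event"] == "login":
            bindings[rec["sid"]] = seen
            continue
        issued = bindings.get(rec["sid"])
        if issued is None:
            continue  # login predates the log window; nothing to compare against
        # Phones roam between networks, so require BOTH ip and ua to differ
        if issued[0] != seen[0] and issued[1] != seen[1]:
            alerts.append((rec["ts"], rec["sid"], issued[0], seen[0]))
    return alerts

# Constructed sample: s1's cookie is replayed from another host, s2 is a roaming phone.
SAMPLE_LOG = [
    "2019-11-02T09:00:00Z login sid=s1 ip=203.0.113.10 ua=Chrome/78 Windows",
    "2019-11-02T09:05:00Z request sid=s1 ip=203.0.113.10 ua=Chrome/78 Windows",
    "2019-11-02T09:40:00Z request sid=s1 ip=198.51.100.7 ua=Firefox/70 Linux",
    "2019-11-02T10:00:00Z login sid=s2 ip=192.0.2.5 ua=Safari/13 iOS",
    "2019-11-02T10:20:00Z request sid=s2 ip=192.0.2.77 ua=Safari/13 iOS",
]

if __name__ == "__main__":
    for ts, sid, issued_ip, observed_ip in find_cookie_replay(SAMPLE_LOG):
        print(f"{ts} session {sid} issued to {issued_ip} replayed from {observed_ip}")
```

A production check would bind sessions to more than IP and user agent (and re-prompt rather than silently alert), but the mismatch logic is the same.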
After they’re hacked, channels are rebranded for cryptocurrency scam live streams, asking for crypto donations, or sold on the dark web at prices ranging from $3 USD to $4,000 USD, depending on the subscriber base.
YouTube creators in the auto-tuning and car review community were among the first victims, as ZDNet reported in September 2019. Several high-profile influencers reported at the time that their accounts had been stolen. An unsettling detail was that, at least in some cases, the attackers managed to bypass SMS-based 2FA.
While Google has pledged to do everything it can to block similar attacks, creators can take some precautions of their own.
- Treat every business opportunity with caution — if it’s too good to be true, it probably is
- Double-check whether the person or company you’re talking to really exists
- Use an antivirus solution to scan any downloaded files and software, and be extra careful with archives
- Double-check to see if the page you’re logging on to is the real thing
- Protect your accounts with multi-factor authentication (MFA). Even though attackers sometimes use sophisticated tooling to bypass 2FA, a hardware key or an authenticator app dramatically improves your chances of stopping an attack