How hackers are hijacking YouTube accounts to run ads for cryptocurrency scams
Google’s Threat Analysis Group has shared details about a long-running phishing campaign targeting YouTubers. The campaign, apparently being carried out by hackers recruited in a Russian-speaking forum, uses “fake collaboration opportunities” to attract YouTubers, then hijacks their channel using a “pass-the-cookie attack,” with the goal of either selling it off or using it to broadcast—of course—cryptocurrency scams.
The attacks begin with a phishing email offering a promotional collaboration. Once the deal is agreed, the YouTuber is sent a link to a malware page disguised to look like a download URL. This is where the real action begins: When the target runs the software, it pulls cookies from their PCs and uploads them to “command and control servers” operated by the hackers.
Having those cookies, as Google explains, “enables access to user accounts with session cookies stored in the browser.” This means hackers don’t need to worry about stealing the YouTuber’s login credentials, because the cookies makes remote sites think they’re already logged in.
“Cookie theft” is actually an old digital hijacking technique that’s enjoying a resurgence among unscrupulous actors, possibly because of the widespread adoption of security precautions that have made newer hacking techniques more difficult to pull off. Two-factor authentication, for instance, is a common security feature on major websites these days, but is ineffective against cookie theft. (You should still definitely be using it wherever possible, though.)
“Additional security mechanisms like two-factor authentication can present considerable obstacles to attackers,” University of Illinois Chicago computer scientist Jason Polakis told Ars Technica. “That renders browser cookies an extremely valuable resource for them, as they can avoid the additional security checks and defenses that are triggered during the login process.”
A “large number” of channels hijacked this way are rebranded to impersonate large technology firms or cryptocurrency exchanges, and then begin running streams promising cryptocurrency giveaways in exchange for an up-front payment. Those that are sold off on account-trading markets fetch from $3 to $4000,…
