Attackers used cookie theft to hijack the channels of high-profile YouTube creators. It’s no secret that cryptocurrency scams are running rampant. Recently, hacker-for-hire networks have taken to posing as YouTubers and luring creators with bogus collaboration opportunities. Once inside a channel, these criminals broadcast cryptocurrency scams or sell the account to the highest bidder.
Google’s Threat Analysis Group (TAG) published a report saying it had disrupted financially motivated phishing campaigns targeting the video-streaming site. Google attributed the cookie-theft malware to hackers from a Russian-speaking forum.
Ashley Shen, from TAG, explained that this kind of “pass-the-cookie attack” is a session hijacking technique: it gives access to an account by reusing the session cookies stored in the victim’s browser.
Although the technique is old, attackers have returned to it as more users adopt multi-factor authentication, which has pushed them towards social engineering.
In the last six months, the internet giant has identified and blocked 1.6 million messages and restored 4,000 YouTube accounts that had been compromised in social engineering campaigns. On account-trading markets, hijacked channels sell for anywhere between $3 and $4,000, depending on their subscriber count.
Hackers used other hijacked channels to run cryptocurrency scams, renaming them, changing their profile pictures and adding videos. To attract victims, they promised cryptocurrency giveaways in return for an initial contribution.
To get in, attackers sent channel owners malicious links that appeared to offer collaborations with anti-virus programs, music players, VPN clients, online games or photo editing apps. When a user clicked one, the attackers redirected them to a malware landing site that imitated real software websites, such as Cisco VPN or Luminar, or posed as a media outlet focused on COVID-19.
Google found 15,000 accounts and 1,011 domains created to deliver cookie-stealing malware. The malware locates passwords and authentication cookies on the victim’s machine and sends them to the command-and-control server.
Hackers then used the session cookies to take control of YouTube creators’ accounts, including changing their recovery email addresses and phone numbers. Because a stolen cookie represents a session that has already passed login, this let them bypass two-factor authentication.
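The two defensive measures the pass-the-cookie description above implies are, first, binding a session cookie to the client context it was issued in and flagging replay from elsewhere, and second, requiring a fresh second factor for recovery-detail changes rather than trusting the cookie alone. The following is an added example illustrating both; it is not Google's or YouTube's code, and the session store, log lines, the 10-minute step-up window and all names in it are constructed for illustration.

```python
from datetime import datetime, timedelta
STEP_UP_WINDOW = timedelta(minutes=10)  # assumed policy: 2FA must be this fresh for sensitive actions

def _prefix(ip):
    return ".".join(ip.split(".")[:3])  # compare on /24 so an ordinary IP hop does not alert

class SessionStore:  # server-side session table keyed by the cookie value the browser presents
    def __init__(self):
        self._sessions = {}
    def issue(self, sid, user, user_agent, ip, now):
        # Bind the cookie to the context it was issued in; remember when 2FA was completed.
        self._sessions[sid] = {"user": user, "ua": user_agent, "net": _prefix(ip), "auth": now}
    def check(self, sid, user_agent, ip):
        """Anomalies for a request presenting cookie `sid` (empty list = consistent)."""
        s = self._sessions.get(sid)
        if s is None:
            return ["unknown session cookie"]
        found = [f"user-agent changed for {s['user']}"] if s["ua"] != user_agent else []
        if s["net"] != _prefix(ip):
            found.append(f"network changed for {s['user']}: {s['net']} -> {_prefix(ip)}")
        return found
    def may_change_recovery(self, sid, now):
        # Recovery e-mail/phone changes need a fresh 2FA, not merely a valid cookie.
        s = self._sessions.get(sid)
        return s is not None and now - s["auth"] <= STEP_UP_WINDOW
    def reauthenticated(self, sid, now):
        self._sessions[sid]["auth"] = now

# Constructed log lines: timestamp, session cookie id, user-agent, client IP.
LOG = """2021-10-20T09:05:00 sid=abc123 ua=Firefox/93 ip=203.0.113.17
2021-10-20T14:30:00 sid=abc123 ua=Chrome/94 ip=198.51.100.7"""

def replay_log(store, log):
    """Map each timestamp whose request looks like cookie replay to its anomalies."""
    alerts = {}
    for line in log.splitlines():
        ts, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        if found := store.check(f["sid"], f["ua"], f["ip"]):
            alerts[ts] = found
    return alerts

def demo():
    store = SessionStore()
    store.issue("abc123", "creator@example.com", "Firefox/93", "203.0.113.10", datetime(2021, 10, 20, 9))
    alerts = replay_log(store, LOG)
    later = datetime(2021, 10, 20, 14, 30)
    cookie_only = store.may_change_recovery("abc123", later)  # stale 2FA -> refused
    store.reauthenticated("abc123", later)  # the real owner completes 2FA again
    return alerts, cookie_only, store.may_change_recovery("abc123", later)
```

In the constructed log, the 09:05 request from the same browser and network passes silently, while the 14:30 request from a different browser and network is flagged and, with the last second factor hours old, is refused the recovery-detail change until 2FA is redone.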
Anyone can stay away from malicious landing websites by using an effective native Windows ad blocker, and Ad Guardian Plus is one of the best out there.