Google has blocked 1.6 million phishing emails since May 2021 that were part of a malware campaign to hijack YouTube accounts and promote cryptocurrency scams.
According to Google's Threat Analysis Group (TAG), since late 2019 it's been disrupting phishing campaigns run by a network of Russian hacker subcontractors who've been targeting YouTubers with "highly customized" phishing emails and cookie-stealing malware.
The main goal of the group has been to hijack YouTube accounts to live-stream scams that offer free cryptocurrency in exchange for an initial contribution. The group's other main revenue source was selling hijacked YouTube channels for $3 to $4,000, depending on how many subscribers a channel has.
As of May this year, Google says it has blocked 1.6 million messages to targets, displayed 62,000 Safe Browsing phishing alerts, and restored around 4,000 hijacked accounts.
The phishing emails delivered malware designed to steal session cookies from browsers. Though the "pass-the-cookie" attack is not new, it's nifty: it doesn't break multi-factor authentication (MFA) itself, but it works even when users have enabled MFA on an account, because the session cookie is stolen after the user has already authenticated with two factors, such as a password and a smartphone. Once the malware executes, the cookie is uploaded to the attacker's servers for account hijacking.
"Its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics," TAG analyst Ashley Shen explains.
Google attributed the campaign to a group of "hack-for-hire" actors "recruited in a Russian-speaking forum". The contractors then trick targets with fake business opportunities, such as the chance to monetize a demo for antivirus software, VPN, music players, photo-editing software or online games. But then the attackers hijack the YouTube channel and either sell or use it to live-stream cryptocurrency scams.
It's easy for the hackers to acquire a target's email address, since YouTubers often post them on their channels hoping for business opportunities just like the ones the phishing attackers offer.
"Once the target agreed to the deal, a malware landing page disguised as a software download URL was sent via email or a PDF on Google Drive, and in a few cases, Google documents containing the phishing links. Around 15,000 actor accounts were identified, most of which were created for this campaign specifically," notes Shen.
Google has also identified 1,011 domains that were created for malware delivery. The domains impersonated well-known tech sites, including Luminar, Cisco VPN, and games on Steam.
Shen notes these contractors are running the cookie-stealing malware in non-persistent mode to lower the chance of security products alerting the user to a past compromise.
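Because a replayed session cookie never passes through the MFA prompt again, one place a defender can still see the pass-the-cookie reuse described above is in server-side session logs. The following is an added example, not code from Google or TAG: the event format, field names and sample records are constructed for illustration, and it assumes the service logs the client IP and user agent for each request.

```python
# Constructed sample events (not real logs):
# (time, event, session_id, client_ip, user_agent)
EVENTS = [
    ("10:00:01", "login_mfa_ok", "sess-A", "198.51.100.7", "Chrome/94 Windows"),
    ("10:05:12", "request",      "sess-A", "198.51.100.7", "Chrome/94 Windows"),
    ("10:06:40", "login_mfa_ok", "sess-B", "203.0.113.20", "Firefox/93 Linux"),
    ("10:09:03", "request",      "sess-A", "192.0.2.55",   "Chrome/93 Linux"),
    ("10:09:30", "request",      "sess-B", "203.0.113.20", "Firefox/93 Linux"),
    ("10:10:00", "request",      "sess-C", "192.0.2.55",   "Chrome/93 Linux"),
]


def find_replayed_sessions(events):
    """Flag requests whose session cookie is used from a client context
    that differs from the one that completed MFA for that session."""
    origin = {}   # session_id -> (ip, user_agent) seen at the MFA login
    alerts = []
    for ts, kind, sid, ip, ua in events:
        if kind == "login_mfa_ok":
            origin[sid] = (ip, ua)
            continue
        if sid not in origin:
            # Cookie presented without any MFA login in the observed window.
            alerts.append((ts, sid, ["no_mfa_login_seen"]))
            continue
        o_ip, o_ua = origin[sid]
        changed = [name for name, old, new in
                   (("ip", o_ip, ip), ("user_agent", o_ua, ua)) if old != new]
        if changed:
            # An IP change alone is common (mobile, VPN); treat a hit as a
            # trigger for re-authentication rather than proof of compromise.
            alerts.append((ts, sid, changed))
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(EVENTS):
        print(alert)
```

A hit where both the IP and the user agent changed mid-session is the stronger signal; forcing a fresh MFA challenge on such sessions invalidates a stolen cookie without locking out legitimate roaming users.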