"Cookie Theft, also known as “pass-the-cookie attack,” is a session hijacking technique that enables access to user accounts with session cookies stored in the browser. While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics."
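Since a replayed session cookie is a valid session, MFA at login does not stop it; what the server can still act on is the client context the cookie arrives from. As an added example (not from the page, Google TAG or YouTube), the following binds each session to a coarse client fingerprint at login and revokes it when the same cookie is presented from a different client; the fingerprint scheme, class names and sample requests are assumptions constructed for the example.

```python
"""Server-side detection of session-cookie replay (pass-the-cookie).
A stolen cookie is a valid session, so MFA is already behind the attacker; what
the server can still see is the client context. Each session is bound to a coarse
fingerprint at login and revoked if later presented from a different one."""
from dataclasses import dataclass, field
import hashlib
import ipaddress

def fingerprint(ip: str, user_agent: str) -> str:
    """Network prefix (/24 or /64) plus user-agent hash; coarse so a user roaming
    inside one network passes, while a replay from another machine does not."""
    prefix = 64 if ":" in ip else 24
    net = ipaddress.ip_network(ip).supernet(new_prefix=prefix)
    ua_hash = hashlib.sha256(user_agent.encode()).hexdigest()[:16]
    return f"{net}|{ua_hash}"

@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)  # sid -> (user, fingerprint)
    revoked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)    # (user, sid, offending ip)

    def login(self, sid: str, user: str, ip: str, ua: str) -> None:
        self.sessions[sid] = (user, fingerprint(ip, ua))

    def check(self, sid: str, ip: str, ua: str) -> str:
        """Classify one request: 'ok', 'unknown', 'revoked' or 'hijack'."""
        if sid in self.revoked:
            return "revoked"
        if sid not in self.sessions:
            return "unknown"
        user, bound = self.sessions[sid]
        if fingerprint(ip, ua) == bound:
            return "ok"
        # Valid cookie, different client: revoke so whoever holds the cookie
        # must log in again (and face MFA), and record the event for review.
        self.revoked.add(sid)
        del self.sessions[sid]
        self.alerts.append((user, sid, ip))
        return "hijack"

def demo() -> list:
    # Constructed sequence: one legitimate roam inside the /24, then a replay.
    store = SessionStore()
    ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"
    store.login("s1", "creator", "203.0.113.10", ua)
    return [store.check("s1", "203.0.113.77", ua),
            store.check("s1", "198.51.100.5", "python-requests/2.26"),
            store.check("s1", "203.0.113.10", ua),
            store.check("s9", "203.0.113.10", ua)]
```

Revoking on mismatch also logs out the legitimate user, which is the intended trade-off: a forced re-login costs them a minute, while the attacker is cut off. Users on networks whose addresses change prefix often (mobile carriers, some VPNs) will see more forced re-logins, so the fingerprint granularity needs tuning to the real user base.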


"Phishing campaign targets YouTube creators with cookie theft malware by Ashley Shen (Google TAG) describes an ongoing cookie theft campaign targeting YouTube creators to push cryptocurrency scam videos."


"Many YouTube creators provide an email address on their channel for business opportunities. In this case, the attackers sent forged business emails impersonating an existing company requesting a video advertisement collaboration."


"The phishing typically started with a customized email introducing the company and its products. Once the target agreed to the deal, a malware landing page disguised as a software download URL was sent via email or a PDF on Google Drive, and in a few cases, Google documents containing the phishing links. Around 15,000 actor accounts were identified, most of which were created for this campaign specifically."


"Speaking of the attacks, which he has been following for two years, Google says that fraudsters sent emails to content creators on YouTube with a proposal for cooperation. Once the channel owner agreed, the scammers sent a link to malware that appeared to be a legitimate URL." "Google provided an example of one of the phishing emails, and it shows that the hackers will ask the YouTube creator to try the product. In reality, the product is a ploy to trick the victim into installing malware on their computer."


"The attackers created more than 1,000 websites to increase the chances of fraud, including some that were presented as sites of companies that actually exist, including sites with Cisco VPN and Steam games. One of the websites was presented as a site with “Covid19 news software”. Google has linked about 15,000 accounts to the fraudsters, registered for this campaign alone and used to send phishing emails to YouTube channel owners with links for victims to download malware."


"YouTube accounts were hacked by cookie-stealing malware. It was fake software that was configured to run silently on the victim’s computer." "[I]t steals user passwords and browser cookies, which may also contain credentials. The malware then sends the stolen data to the hacker’s command and control servers."


"Once a YouTube account is hijacked, the hackers may sell it to the highest bidder for up to $4,000. Or they could rename the YouTube channel to cryptocurrency giveaway scams that try to trick viewers into sending Bitcoin to a digital wallet with the promise of a higher payout." "TAG reports that hackers have also changed the names, profile pictures, and content of YouTube channels to impersonate a large technology or cryptocurrency trading company." "A significant number of stolen accounts were presented by fraudsters as accounts of directors of technology companies or cryptocurrency exchanges, and used for fraud with cryptocurrencies. Other accounts are sold on the black market, where their price ranges from 3 to 4,000 dollars, depending on how many subscribers the channel has."


"YouTube has previously battled scammers who took over channels they used to scam cryptocurrencies. In August last year, fraudsters took over several major YouTube channels that dealt with SpaceX’s first flight from NASA. Tens of thousands of viewers, unaware of the scams, clicked on videos that seemed to be the official streams of seemingly legitimate YouTube channels with hundreds of thousands of subscribers. They were greeted with messages about giving away Bitcoin, on the condition that they invest cryptocurrency in order to get back twice as much, which is a common tactic used in such scams."


"Google started tracking this campaign at the end of 2019, and since May this year alone, about 4,000 YouTube channels have been stolen as part of this same campaign."


"In collaboration with YouTube, Gmail, Trust & Safety, CyberCrime Investigation Group and Safe Browsing teams, our protections have decreased the volume of related phishing emails on Gmail by 99.6% since May 2021. We blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts. With increased detection efforts, we’ve observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com). Moreover, to protect our users, we have referred the below activity to the FBI for further investigation."


"The seriousness of these frauds is also shown by the fact that the US Federal Trade Commission reported in March a significant increase in cryptocurrency frauds in the last year, with victims reporting a loss of almost $80 million in the period from October 2020 to March 2021. One of the most popular tactics of fraudsters was fake gifts on social networking platforms. Victims often cannot make up for losses after such scams."

YouTube channel owners are being tricked into downloading malware. Once the malware runs, it gives the attacker access to the channel. With that access, the attacker can rebrand the channel and run a livestream that sends viewers to another website hosting a bitcoin scam, which claims their money will be doubled. Funds lost to such scams are very rarely recovered.

Sources And Further Reading


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.