YouTube Fake Crypto Doubling Scams

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository


YouTube channel owners are being tricked, through fake sponsorship offers, into downloading cookie-stealing malware. Once the malware runs, it hands the attacker the owner's authenticated browser session and with it control of the channel. Using that access, the attacker renames and rebrands the channel, starts a livestream, and directs viewers to another website hosting a bitcoin scam that promises to double whatever they send. Funds lost this way are very rarely recovered.

The country for this case study is not yet known.[1][2][3][4][5][6][7]

About YouTube

"Cookie Theft, also known as “pass-the-cookie attack,” is a session hijacking technique that enables access to user accounts with session cookies stored in the browser. While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics."

"Phishing campaign targets YouTube creators with cookie theft malware by Ashley Shen (Google TAG) describes an ongoing cookie theft campaign targeting YouTube creators to push cryptocurrency scam videos."

"Many YouTube creators provide an email address on their channel for business opportunities. In this case, the attackers sent forged business emails impersonating an existing company requesting a video advertisement collaboration."

"The phishing typically started with a customized email introducing the company and its products. Once the target agreed to the deal, a malware landing page disguised as a software download URL was sent via email or a PDF on Google Drive, and in a few cases, Google documents containing the phishing links. Around 15,000 actor accounts were identified, most of which were created for this campaign specifically."

"Speaking of the attacks, which it has been following for two years, Google says that fraudsters sent emails to content creators on YouTube with a proposal for cooperation. Once the channel owner agreed, the scammers sent a link to malware that appeared to be a legitimate URL." "Google provided an example of one of the phishing emails, and it shows that the hackers will ask the YouTube creator to try the product. In reality, the product is a ploy to trick the victim into installing malware on their computer."

"The attackers created more than 1,000 websites to increase the chances of fraud, including some that were presented as the sites of companies that actually exist, including sites with Cisco VPN and Steam games. One of the websites was presented as a site with “Covid-19 news software”. Google has linked about 15,000 accounts to the fraudsters, registered for this campaign alone and used to send phishing emails to YouTube channel owners, with links for victims to download malware."

"YouTube accounts were hacked by cookie-stealing malware. It was fake software that was configured to run silently on the victim’s computer." "[I]t steals user passwords and browser cookies, which may also contain credentials. The malware then sends the stolen data to the hacker’s command and control servers."
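The passages above describe the core of the takeover: the malware does not break a password or MFA, it steals the browser's session cookie and replays it from the attacker's machine ("pass-the-cookie"). The example below is added here and is not code from the Quadriga Initiative page, Google TAG, or YouTube. It shows the detection a platform can run over its own access logs: flag a session cookie that is presented from a new client fingerprint shortly after being used from another one, while tolerating an ordinary IP change inside the same network and browser. The log format, field names, the one-hour window, the list of sensitive paths and the sample records are all constructed for this illustration.

```python
"""
Added example (not from the Quadriga Initiative page, Google TAG or YouTube):
detect pass-the-cookie session hijacking by spotting one session cookie
presented from two different client fingerprints within a short window.
Log format, field names, thresholds and sample records are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of access events. The session id is logged only as a
# digest ("sid_hash") so the raw cookie value never lands in the log itself.
# Session "a1": a creator works from Windows/Chrome, then 150 s later the same
# cookie appears from a Linux box on another network and renames the channel.
# Session "b2": same browser and network, new IP three hours later (roaming).
SAMPLE_LOG = """
{"ts": "2021-10-18T09:00:00Z", "sid_hash": "a1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/94.0", "asn": 64500, "path": "/studio"}
{"ts": "2021-10-18T09:05:00Z", "sid_hash": "a1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/94.0", "asn": 64500, "path": "/studio/upload"}
{"ts": "2021-10-18T09:07:30Z", "sid_hash": "a1", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/94.0", "asn": 64501, "path": "/studio/channel/rename"}
{"ts": "2021-10-18T09:08:00Z", "sid_hash": "a1", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/94.0", "asn": 64501, "path": "/studio/live/start"}
{"ts": "2021-10-18T10:00:00Z", "sid_hash": "b2", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/605", "asn": 64502, "path": "/watch"}
{"ts": "2021-10-18T13:00:00Z", "sid_hash": "b2", "ip": "192.0.2.9", "ua": "Mozilla/5.0 (Macintosh) Safari/605", "asn": 64502, "path": "/watch"}
"""

# Hypothetical list of actions a hijacker takes first (rebrand, go live).
SENSITIVE_PATHS = ("/studio/channel/rename", "/studio/live/start", "/account/recovery")
WINDOW = timedelta(hours=1)  # assumed: fingerprint swap inside this gap is suspicious


@dataclass(frozen=True)
class Event:
    ts: datetime
    sid_hash: str
    ip: str
    ua: str
    asn: int
    path: str


def hash_session_id(raw_cookie: str) -> str:
    """Store and compare only a truncated digest of the session cookie."""
    return hashlib.sha256(raw_cookie.encode()).hexdigest()[:16]


def parse_log(text: str) -> list[Event]:
    """Parse one JSON object per line and return events in time order."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        events.append(Event(
            ts=datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            sid_hash=rec["sid_hash"], ip=rec["ip"], ua=rec["ua"],
            asn=int(rec["asn"]), path=rec["path"]))
    return sorted(events, key=lambda e: e.ts)


def fingerprint(e: Event) -> tuple[str, int]:
    # User-Agent plus origin ASN rather than the raw IP: roaming or DHCP changes
    # the address, but a replayed cookie usually changes browser and network too.
    return (e.ua, e.asn)


def detect_session_reuse(events: list[Event], window: timedelta = WINDOW) -> list[dict]:
    """Return one alert per request where a session's fingerprint changed
    within `window` of its previous request."""
    last_seen: dict[str, Event] = {}
    alerts = []
    for e in events:
        prev = last_seen.get(e.sid_hash)
        if prev and fingerprint(prev) != fingerprint(e) and e.ts - prev.ts <= window:
            alerts.append({
                "sid_hash": e.sid_hash,
                "from": (prev.ip, prev.ua),
                "to": (e.ip, e.ua),
                "gap_s": int((e.ts - prev.ts).total_seconds()),
                "path": e.path,
                # A rebrand or livestream start right after the swap is the
                # pattern the page describes, so it gets the higher severity.
                "severity": "high" if e.path.startswith(SENSITIVE_PATHS) else "medium",
            })
        last_seen[e.sid_hash] = e
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data only session a1 is flagged, and it is flagged as high because the first request from the new fingerprint is a channel rename; the b2 address change is left alone because browser and network are unchanged. The response that matters is to revoke the session server-side and force re-authentication, since the cookie, not the password, is what the attacker holds.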

"Once a YouTube account is hijacked, the hackers may sell it to the highest bidder for up to $4,000. Or they could rename the YouTube channel to cryptocurrency giveaway scams that try to trick viewers into sending Bitcoin to a digital wallet with the promise of a higher payout." "TAG reports that hackers have also changed the names, profile pictures, and content of YouTube channels to impersonate a large technology or cryptocurrency trading company." "A significant number of stolen accounts were presented by fraudsters as the accounts of directors of technology companies or cryptocurrency exchanges, and used for fraud with cryptocurrencies. Other accounts are sold on the black market, where their price ranges from $3 to $4,000, depending on how many subscribers the channel has."

"YouTube has previously battled scammers who took over channels they used to scam cryptocurrencies. In August last year, fraudsters took over several major YouTube channels that dealt with SpaceX's first flight for NASA. Tens of thousands of viewers, unaware of the scams, clicked on videos that seemed to be the official streams of seemingly legitimate YouTube channels with hundreds of thousands of subscribers. They were greeted with messages about giving away Bitcoin, on the condition that they invest cryptocurrency in order to get back twice as much, which is a common tactic used in such scams."

"Google started tracking this campaign at the end of 2019, and since May this year alone, about 4,000 YouTube channels have been stolen as part of this same campaign."

"In collaboration with YouTube, Gmail, Trust & Safety, CyberCrime Investigation Group and Safe Browsing teams, our protections have decreased the volume of related phishing emails on Gmail by 99.6% since May 2021. We blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts. With increased detection efforts, we’ve observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com). Moreover, to protect our users, we have referred the below activity to the FBI for further investigation."

"The seriousness of these frauds is also shown by the fact that the US Federal Trade Commission reported in March a significant increase in cryptocurrency frauds in the last year, with victims reporting a loss of almost $80 million in the period from October 2020 to March 2021. One of the most popular tactics of fraudsters was fake gifts on social networking platforms. Victims often cannot make up for losses after such scams."



The Reality

The "business collaboration" offers were fake. The emails impersonated existing companies, the download sites (more than 1,000 of them) impersonated real products such as Cisco VPN and Steam games, and the "product" the creator was asked to try was cookie-stealing malware. The sender accounts, around 15,000 of them, were created for this campaign. The giveaway livestreams that viewers later saw came from hijacked channels re-branded to impersonate technology or cryptocurrency firms, and the "send bitcoin, get double back" offer is a one-way transfer with nothing returned.

What Happened

Attackers posing as companies seeking a video advertising collaboration emailed YouTube creators at the business addresses listed on their channels. Creators who agreed were sent a link to a supposed software download, delivered by email, as a PDF on Google Drive, or in a few cases as a Google document containing the phishing link. The download was malware that ran silently, harvested saved passwords and browser session cookies, and sent them to the attackers' command-and-control servers. With the stolen session cookies the attackers took over the channel without needing the password, then renamed and re-branded it to impersonate a technology or cryptocurrency company, ran livestreams pointing viewers to a bitcoin "doubling" site, or sold the channel on for up to $4,000. Google tracked the campaign from the end of 2019 and reports about 4,000 channels hijacked since May 2021 alone.

Key Event Timeline - YouTube Fake Crypto Doubling Scams

Date | Event | Description
October 20th, 2021 | Main Event | Google's Threat Analysis Group publishes its report on the cookie-theft phishing campaign against YouTube creators, which it had tracked since late 2019, reporting about 4,000 hijacked channels since May 2021, 1.6 million blocked phishing messages and a referral of the activity to the FBI.

Technical Details

No software vulnerability in YouTube was exploited. The compromise relied on social engineering to get the creator to run malware on their own computer. The malware harvested saved passwords and browser cookies, which can themselves carry credentials, and exfiltrated them to attacker-controlled command-and-control servers. Replaying a stolen session cookie ("pass-the-cookie") gives the attacker an already-authenticated session, which is why multi-factor authentication at login did not prevent the takeover; Google TAG attributes the technique's resurgence precisely to wider MFA adoption pushing attackers toward social engineering. Infrastructure reported by Google includes more than 1,000 malware-hosting websites impersonating legitimate vendors and around 15,000 sender accounts created for the campaign.

Total Amount Lost

The total amount lost is unknown.

No figure is reported for this campaign specifically. The only number on the page covers the wider phenomenon: the US Federal Trade Commission reported almost $80 million in cryptocurrency fraud losses between October 2020 and March 2021, with fake giveaways on social platforms among the most common tactics.

Immediate Reactions

Google, working across its YouTube, Gmail, Trust & Safety, CyberCrime Investigation Group and Safe Browsing teams, reports blocking 1.6 million phishing messages to targets, displaying about 62,000 Safe Browsing phishing page warnings, blocking 2,400 files and restoring about 4,000 hijacked accounts, reducing related phishing email volume on Gmail by 99.6% since May 2021. The attackers responded by moving away from Gmail to other email providers, mostly email.cz, seznam.cz, post.cz and aol.com.

Ultimate Outcome

Google referred the activity to the FBI for further investigation. No prosecution, lawsuit or fund tracing is reported on this page.

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Google reports restoring about 4,000 hijacked channels to their owners, but no recovery of the bitcoin sent by viewers to the scam wallets is reported.

Ongoing Developments

Google describes the campaign as ongoing, with the attackers shifting to other email providers as Gmail detection improved, and the FBI referral as open.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References