SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Google uncovers phishing campaign targeting YouTube creators with cookie theft malware
Thu, 21st Oct 2021

A new phishing campaign targeting YouTube creators with cookie theft malware has been uncovered, according to Google.

Since late 2019, Google says it has disrupted financially motivated phishing campaigns targeting YouTubers with Cookie Theft malware. The actors behind this campaign, which it attributes to a group of hackers recruited in a Russian-speaking forum, lure their target with fake collaboration opportunities (typically a demo for anti-virus software, VPN, music players, photo editing or online games), hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams.

In collaboration with YouTube, Gmail, Trust & Safety and Safe Browsing teams, Google's protections have decreased the volume of related phishing emails on Gmail by 99.6% since May 2021. It blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts. With increased detection efforts, Google says it has observed attackers shifting away from Gmail to other email providers.

Cookie Theft, also known as “pass-the-cookie attack,” is a session hijacking technique that enables access to user accounts with session cookies stored in the browser. While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics.

Many YouTube creators provide an email address on their channel for business opportunities. In this case, the attackers sent forged business emails impersonating an existing company requesting a video advertisement collaboration.

The phishing typically started with a customised email introducing the company and its products. Once the target agreed to the deal, a malware landing page disguised as a software download URL was sent via email or a PDF on Google Drive, and in a few cases, Google documents containing the phishing links. Around 15,000 actor accounts were identified, most of which were created for this campaign specifically.

The attackers registered various domains associated with forged companies and built multiple websites for malware delivery. To date, Google has identified at least 1,011 domains created solely for this purpose. Some of the websites impersonated legitimate software sites, such as Luminar, Cisco VPN, games on Steam, and some were generated using online templates. During the pandemic, Google also uncovered attackers posing as news providers with a “COVID-19 news software.”

"We are continuously improving our detection methods and investing in new tools and features that automatically identify and stop threats like this one," Ashley Shen of the Threat Analysis Group says.

Some of these improvements include:

  • Additional heuristic rules to detect and block phishing & social engineering emails, cookie theft hijacking and crypto-scam livestreams.
  • Safe Browsing is further detecting and blocking malware landing pages and downloads.
  • YouTube has hardened channel transfer workflows, and has detected and auto-recovered over 99% of hijacked channels.
  • Account Security has hardened authentication workflows to block and notify the user on potential sensitive actions.