Google detects cookie theft malware phishing campaign targeting YouTube creators
Attackers are targeting YouTube creators with cookie-stealing malware, Google said in a blog post Thursday, outlining its findings on a new phishing campaign.
Google says that since the end of 2019 it has been thwarting financially motivated phishing campaigns that target YouTubers with cookie theft malware. The actors behind the campaign, which Google attributes to a group of hackers recruited from a Russian-language forum, lure their targets with fake collaboration opportunities, especially demos of antivirus software, VPNs, music players, photo editing software or online games. They then hijack the channel and either sell it to the highest bidder or use it to spread cryptocurrency scams.
Working with the YouTube, Gmail, Trust & Safety, and Safe Browsing teams, Google's protections have reduced the volume of associated phishing emails on Gmail by 99.6% since May 2021. It has blocked 1.6 million messages to targets, displayed approximately 62,000 Safe Browsing phishing page warnings, blocked 2.4K files and recovered ~4K accounts. Google says it has watched attackers move from Gmail to other email providers in response to detection efforts. Then Google vice president of security engineering Eric Grosse said campaigns that originated in Iran represent a significant increase in the overall volume of phishing activity in the region.
Cookie theft, also known as a "pass-the-cookie attack", is a session hijacking technique that allows access to user accounts with session cookies stored in the browser. Although the technique has been around for decades, its resurgence as a major security risk could be due to the wider adoption of multi-factor authentication (MFA), which makes abuse difficult and shifts the attention of attackers to social engineering tactics.
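As an added illustration (not taken from Google's post), one server-side way to spot a replayed session cookie is to compare each request's client attributes with those seen when the session was first established. The log layout, the function names, and the /24 plus User-Agent heuristic are assumptions, and the events are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample events: (time, session_id, source_ip, user_agent, action).
# Addresses come from the IPv4 documentation ranges; the /24 default is IPv4-oriented.
SAMPLE_EVENTS = [
    ("2021-10-20T09:00:01Z", "sess-A", "198.51.100.23", "Chrome/94 Windows", "login_mfa_ok"),
    ("2021-10-20T09:05:10Z", "sess-A", "198.51.100.77", "Chrome/94 Windows", "upload_video"),
    ("2021-10-20T09:30:42Z", "sess-A", "203.0.113.9", "Firefox/93 Linux", "change_recovery_email"),
    ("2021-10-20T10:00:00Z", "sess-B", "192.0.2.14", "Safari/15 macOS", "login_mfa_ok"),
    ("2021-10-20T10:20:00Z", "sess-B", "192.0.2.200", "Safari/15 macOS", "view_dashboard"),
]


@dataclass(frozen=True)
class Binding:
    """Client attributes recorded the first time a session ID is seen."""
    network: object  # ipaddress network object for the source prefix
    user_agent: str


def network_of(ip, prefix=24):
    """Collapse an address to its enclosing prefix so small IP changes do not alert."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_replayed_sessions(events):
    """Return (time, session_id, action, reasons) for requests that present a
    session cookie from a client unlike the one the session was bound to."""
    bindings = {}
    findings = []
    for time, sid, ip, ua, action in sorted(events):  # ISO timestamps sort in order
        seen = Binding(network_of(ip), ua)
        bound = bindings.setdefault(sid, seen)  # first sighting binds the session
        reasons = []
        if seen.user_agent != bound.user_agent:
            reasons.append("user_agent_changed")
        if seen.network != bound.network:
            reasons.append("network_changed")
        # A single change is common (roaming, browser update). Both at once on a
        # session that already passed MFA matches the pass-the-cookie pattern.
        if len(reasons) == 2:
            findings.append((time, sid, action, reasons))
    return findings
```

A finding here means the MFA check happened on one client and the cookie was later presented by another, which is the point at which a service can force re-authentication before a sensitive action.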
YouTube creators provide an email address
Most YouTubers have an email address on their channel for business opportunities. In this case, the attackers sent spoofed commercial emails masquerading as an existing business requesting a video ad collaboration.
Phishing usually starts with a personalized email introducing the company and its products. Once the target accepted the deal, a malicious landing page disguised as a software download URL was sent by email or as a PDF on Google Drive and, in a few cases, in a Google Doc with phishing links inside. Around 15,000 actor accounts have been identified, most of which were created specifically for this campaign.
The attackers registered various domains associated with bogus companies and created several websites for distributing malware. To date, Google has identified at least 1,011 domains created just for this purpose. Some of the websites even impersonate legitimate software sites, like Luminar, Cisco VPN, or games on Steam, and some were generated using online templates. During the pandemic, Google also discovered attackers posing as news providers with news software.
"We continue to develop our detection techniques and invest in new tools and features that automatically identify and stop threats like this," says Ashley Shen of the Threat Analysis Group.
Some of these improvements include:
Additional heuristic rules to detect and block phishing and social engineering emails, cookie hacking, and crypto-scam live feeds.
Safe Browsing further detects and blocks landing pages and malware downloads. with RAM Antivirus
YouTube has strengthened channel transfer workflows, automatically detecting and recovering over 99% of hijacked channels.
Account Security has strengthened authentication workflows to block and notify the user of potentially sensitive actions.