Google uncovers phishing campaign targeting YouTube creators with cookie theft malware

A new phishing campaign targeting YouTube creators with cookie-stealing malware has been discovered, Google has said.

Google says that since the end of 2019 it has been disrupting financially motivated phishing campaigns that target YouTubers with cookie theft malware. The actors behind the campaign, which Google attributes to a group of hackers recruited from a Russian-language forum, lure targets with fake collaboration opportunities, typically a demo of antivirus software, a VPN, a music player, photo editing software or an online game, hijack their channel, then sell it to the highest bidder or use it to broadcast cryptocurrency scams.

In collaboration with the YouTube, Gmail, Trust & Safety, and Safe Browsing teams, Google's protections have reduced the volume of associated phishing emails on Gmail by 99.6% since May 2021. It has blocked 1.6 million messages to targets, displayed approximately 62,000 Safe Browsing phishing page warnings, blocked 2.4K files and successfully restored around 4K accounts. With increased detection efforts, Google says it has watched attackers move from Gmail to other email providers. Google vice president of security engineering Eric Grosse said the campaigns, which originated in Iran, represent a significant increase in the overall volume of phishing activity in the region.

Cookie theft, also known as a "pass-the-cookie attack", is a session hijacking technique that grants access to user accounts using the session cookies stored in the browser. Although the technique has been around for decades, its resurgence as a major security risk may be due to the wider adoption of multi-factor authentication (MFA): MFA makes credential abuse harder, so attackers shift their attention to social engineering tactics that yield an already-authenticated session.
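Because a stolen cookie is presented after MFA has already been passed, the server-side signal defenders can watch for is the same session cookie arriving from two different clients. The following added example (not code from the original article or from Google) checks a constructed access log for that pattern; the log format, the `sid=`/`ua=` fields and the 30-minute window are assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-server access-log lines, one request per line.
# Assumed format: ISO timestamp, client IP, session-cookie id, user-agent.
# Session abc123 is replayed from a second machine minutes after the real
# user; session def456 only changes IP hours later (e.g. a home/mobile move).
SAMPLE_LOG = """\
2021-10-20T09:00:01Z 198.51.100.7 sid=abc123 ua=Chrome/94.0 Windows
2021-10-20T09:05:12Z 198.51.100.7 sid=abc123 ua=Chrome/94.0 Windows
2021-10-20T09:06:40Z 203.0.113.9 sid=abc123 ua=curl/7.68.0
2021-10-20T09:07:03Z 192.0.2.15 sid=def456 ua=Firefox/93.0 macOS
2021-10-20T11:30:00Z 192.0.2.16 sid=def456 ua=Firefox/93.0 macOS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) sid=(\S+) ua=(.+)$")
WINDOW = timedelta(minutes=30)  # assumed tolerance for a legitimate IP change

def parse_line(line):
    """Return (timestamp, ip, session_id, user_agent) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4).strip()

def find_hijacked_sessions(log_text, window=WINDOW):
    """Map session id -> list of (previous_fingerprint, new_fingerprint) where
    the same cookie was presented by a different client. A user-agent change
    within one session is always flagged (browsers do not change UA mid-session);
    an IP-only change is flagged only if it happens within `window`, to avoid
    alerting on ordinary network moves. Flagged sessions should be invalidated."""
    last_seen = {}          # sid -> (timestamp, (ip, ua)) of the latest request
    flagged = defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, ip, sid, ua = parsed
        prev = last_seen.get(sid)
        if prev is not None:
            prev_ts, (prev_ip, prev_ua) = prev
            ua_changed = prev_ua != ua
            ip_changed = prev_ip != ip
            if ua_changed or (ip_changed and ts - prev_ts <= window):
                flagged[sid].append(((prev_ip, prev_ua), (ip, ua)))
        last_seen[sid] = (ts, (ip, ua))
    return dict(flagged)
```

Run against the sample, only `abc123` is reported; `def456` is left alone because its IP change falls outside the window and its user-agent is unchanged.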

YouTube creators provide an email address

Many YouTube creators list an email address on their channel for business opportunities. In this case, the attackers sent forged business emails impersonating an existing company and requesting a video advertising collaboration.

The phishing usually started with a personalized email introducing the company and its products. Once the target accepted the deal, a malicious landing page disguised as a software download URL was sent by email, as a PDF on Google Drive, or in a few cases as a Google Doc containing the phishing links. Around 15,000 actor accounts have been identified, most of which were created specifically for this campaign.

The attackers registered various domains associated with bogus companies and created several websites for distributing malware. To date, Google has identified at least 1,011 domains created just for this purpose. Some of the websites impersonated legitimate software sites, such as Luminar, Cisco VPN and games on Steam, and some were generated using online templates. During the pandemic, Google also discovered attackers posing as news providers with news software.

"We are continually improving our detection methods and investing in new tools and features that automatically identify and stop threats like this," said Ashley Shen of the Threat Analysis Group.

Some of these improvements include:

Additional heuristic rules to detect and block phishing and social engineering emails, cookie theft, and crypto-scam livestreams.

Safe Browsing now detects and blocks more of the landing pages and malware downloads.

YouTube has strengthened channel transfer workflows, automatically detecting and recovering over 99% of hijacked channels.

Account Security has strengthened authentication workflows to block potentially sensitive actions and notify the user of them.