Google's Threat Analysis Group has shared details about a long-running phishing campaign targeting YouTubers. The campaign, apparently being carried out by hackers recruited in a Russian-speaking forum, uses “fake collaboration opportunities” to attract YouTubers, then hijacks their channel using a “pass-the-cookie attack,” with the goal of either selling it off or using it to broadcast—of course—cryptocurrency scams.
The attacks begin with a phishing email offering a promotional collaboration. Once the deal is agreed, the YouTuber is sent a link to a malware page disguised to look like a download URL. This is where the real action begins: When the target runs the software, it pulls cookies from their PCs and uploads them to “command and control servers” operated by the hackers.
Having those cookies, as Google explains, “enables access to user accounts with session cookies stored in the browser.” This means hackers don't need to worry about stealing the YouTuber's login credentials, because the cookies makes remote sites think they're already logged in.
“Cookie theft” is actually an old digital hijacking technique that's enjoying a resurgence among unscrupulous actors, possibly because of the widespread adoption of security precautions that have made newer hacking techniques more difficult to pull off. Two-factor authentication, for instance, is a common security feature on major websites these days, but is ineffective against cookie theft. (You should still definitely be using it wherever possible, though.)
“Additional security mechanisms like two-factor authentication can present considerable obstacles to attackers,” University of Illinois Chicago computer scientist Jason Polakis told Ars Technica. “That renders browser cookies an extremely valuable resource for them, as they can avoid the additional security checks and defenses that are triggered during the login process.”
A “large number” of channels hijacked this way are rebranded to impersonate large technology firms or cryptocurrency exchanges, and then begin running streams promising cryptocurrency giveaways in exchange for an up-front payment. Those that are sold off on account-trading markets fetch from $3 to $4000, depending on the number of subscribers they have.
Google said it's reduced the amount of phishing emails related to these attacks by 99.6% since May 2021, and has blocked roughly 1.6 million emails and 2,400 files sent to targets. As a result, attackers are starting to move to non-Gmail providers, “mostly email.cz, seznam.cz, post.cz and aol.com.” But the big challenge in cybersecurity, as always, is the human factor. Phishing emails can be remarkably deceptive (I've fallen for at least one myself, and I know about this stuff), and once the wheels start turning on that process it can be very difficult to stop.
The promise of “something for nothing” has great allure too: The big Twitter hack that occurred in 2020 (which actually began with a “phone spear phishing attack”) siphoned more than $100,000 from victims in a single day, simply by promising to double their Bitcoin contributions as a way of “giving back to the community.”