Google Discovers Ongoing Malware Campaign on YouTube - Threatwire
Added 2021-10-26 19:25:15 +0000 UTC
By Shannon Morse, ThreatWire
This story hits close to home because I just gave a talk at a YouTuber event about how to protect your YouTube account from getting hijacked. Google’s Threat Analysis Group has been researching an ongoing campaign, first spotted back in 2019, that targets YouTube creators with phishing attacks meant to steal their passwords. The campaigns often promise a sponsorship or partnership with a brand and ask the creator to download a file, which is actually malware. The criminals behind these attacks appear to have been recruited through job ads on Russian forums seeking hackers for hire who could use social engineering tactics and phishing emails to push malware to content creators.
The job descriptions included collecting the YouTube account’s contact email, registering a Gmail account, sending out social engineering and phishing attacks, and tricking victims into downloading the malware. The hired hackers could earn between 25% and 70% of the revenue from hijacked YouTube channels.
Multiple malware variants are being used in these attacks to steal the target’s credentials and browser cookies, which allow the attacker to hijack the target’s YouTube account in a pass-the-cookie attack. The malware could avoid sandboxing by using enlarged files, encrypted archives and download IP cloaking, according to a TAG security engineer. The attacker uses the stolen browser cookies to pose as the victim in an already-authenticated browser session, which means they don’t need to go through the login process and can circumvent a 2FA login code.
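The pass-the-cookie technique described above is a session-replay problem on the server side: a stolen cookie shows up from a browser the session was never issued to. As an added illustration (not from the ThreatWire story or from Google TAG), the Python below runs a simple replay check over constructed sample session events; the session ids, IP addresses and user-agent strings are all made up, and the "issued-to" fingerprint is assumed to be the first event seen for each session.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample session events (not real logs): each tuple is
# (session cookie id, UTC timestamp, source IP, browser user-agent).
EVENTS: List[Tuple[str, str, str, str]] = [
    ("sess-A1", "2021-10-20T09:00:00", "198.51.100.10", "Firefox/93.0 Windows"),
    ("sess-A1", "2021-10-20T09:05:00", "198.51.100.10", "Firefox/93.0 Windows"),
    ("sess-A1", "2021-10-20T09:40:00", "203.0.113.77", "Chrome/94.0 Linux"),   # cookie replayed elsewhere
    ("sess-B2", "2021-10-20T10:00:00", "192.0.2.5", "Chrome/94.0 Android"),
    ("sess-B2", "2021-10-20T10:30:00", "192.0.2.99", "Chrome/94.0 Android"),   # same phone, new network
    ("sess-C3", "2021-10-20T11:00:00", "198.51.100.42", "Safari/15 macOS"),
]

Alert = Tuple[str, str, str, str]  # (severity, timestamp, ip, user-agent)


def detect_cookie_replay(events: List[Tuple[str, str, str, str]]) -> Dict[str, List[Alert]]:
    """Flag session cookies that appear with a client fingerprint other than
    the one they were issued to (assumed here to be the first event seen).

    A user-agent change mid-session is rated 'high': a browser does not change
    its UA string inside one session, so this is the classic sign of a cookie
    copied into another machine's browser. An IP-only change is rated 'low',
    because legitimate mobile users roam between networks."""
    by_session: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for sid, ts, ip, ua in events:
        by_session[sid].append((datetime.fromisoformat(ts), ip, ua))

    alerts: Dict[str, List[Alert]] = {}
    for sid, rows in by_session.items():
        rows.sort()  # chronological order; tuples sort on the datetime first
        first_ip, first_ua = rows[0][1], rows[0][2]
        for ts, ip, ua in rows[1:]:
            if ua != first_ua:
                alerts.setdefault(sid, []).append(("high", ts.isoformat(), ip, ua))
            elif ip != first_ip:
                alerts.setdefault(sid, []).append(("low", ts.isoformat(), ip, ua))
    return alerts


if __name__ == "__main__":
    for sid, hits in detect_cookie_replay(EVENTS).items():
        for severity, ts, ip, ua in hits:
            print(f"{severity:4} {sid} {ts} {ip} {ua}")
```

A "high" hit is the point at which a defender would invalidate the session server-side and force a fresh login, which is the one control that closes the 2FA bypass the article describes.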
Many of the hijacked YouTube accounts were used to run live-streamed cryptocurrency scams or were sold for up to $4000 on the dark web. Google’s cybersecurity team has cut down on the phishing emails and blocked many attacks, but attackers are shifting away from Gmail accounts towards .cz email accounts, so the campaign is still ongoing.
Google is still investigating and has reported these attacks to the FBI. Since May, Google has restored about 4000 YouTube influencer accounts that were targeted in these campaigns. Creators should use 2FA (hardware tokens are the best option, even though codes could be bypassed in this specific attack scenario) and never download files sent from unknown accounts.