Russian crypto scammers target YouTube channels
Russian cryptocurrency scammers are targeting YouTube, according to a report from Google’s Threat Analysis Group (TAG).
These cybercriminals use cookie theft malware, also known as a “pass-the-cookie-attack”, to take over YouTube channels and post cryptocurrency scams.
“Pass-the-cookie-attacks” enable hackers to access user accounts via session cookies that are stored in the browser.
As a result, this allows attackers to access the passwords and YouTube account information of their victims.
Google has attributed the phishing cookie-theft attacks and phishing campaigns to a group of hackers recruited via a Russian-speaking forum.
The attacks have been ongoing since late 2019, TAG stated.
According to TAG, the hackers “lure their target with fake collaboration opportunities (typically a demo for anti-virus software, VPN, music players, photo editing or online games)”.
They then “hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams”.
These phishing attempts are commonly initiated with emails sent to YouTube channel owners.
Once the channel owner agrees to the collab, the malware—made to look like a software download URL—is sent via email or a PDF on Google Drive.
In collaboration with YouTube, Gmail, Trust & Safety, CyberCrime Investigation Group, and Safe Browsing teams, TAG said it had lowered the volume of phishing emails by 99.6% since May 2021.
“We blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts,” they said.