Google’s Threat Analysis Group has recently published a report detailing how over the past few years phishing hackers have hijacked popular YouTube accounts to make money through cryptocurrency scams and other methods.
Since late 2019, Google has tracked and disrupted the scammers, described as “a group of hackers recruited in a Russian-speaking forum.” Combining cookie-based malware and social engineering tactics, their operational model is not very sophisticated nor radically innovative, but nevertheless, extremely effective given the method’s popularity.
The operators typically start by sending an email to the YouTube account holder, conveying interest in a collaboration. The “from” address is usually a falsified business email that impersonates a real company. The promotions could be anything from anti-virus software or VPN to online games and editing apps.
Just like any other influencer deal, the email will then discuss a standard promotional arrangement. The YouTuber would be required to promote the product by showcasing the entire process of downloading it and opening it up for their viewers.
But when the creators click on the download link sent via email or shared through Google Drive, they’re transferred to a malware download site. According to Google, they have discovered at least 1,011 domains and 15,000 email accounts used for this purpose.
Many have impersonated market-leading companies like Steam, Cisco, and Luminar. There were also a couple that took advantage of the pandemic situation and promoted “Covid19 news software.”
Once the unassuming victim downloads the software, it takes the browser cookies from the victim’s machines and sends them over to the threat actor’s servers. The malware used for this is easily available on Github.
Some of the common ones include Vikro Stealer, Vidar, Raccoon, AdamantiumThief, Nexus stealer, and Azorult. “Most of the observed malware was capable of stealing both user passwords and cookies,” according to Google’s analysis.
When the “session cookies” are stolen, hackers can essentially pose as the victim. They do not require passwords or need to pass through other authentication loops. Once inside, the hackers immediately change the victim’s recovery email address and password. Then they control the accounts and can lock the creators out. The cookies can also be used to steal funds from the victim’s financial accounts.
According to an investigative report by TheRecord.Media, they tracked a stolen U.S.-based gamer MacroStyle’s account to a Russian marketplace. This online market, called Trade Groups, features an Amazon-like interface where users could sell their social media accounts.
TheRecord discovered an abnormality when several regular users sold hundreds of accounts on a daily basis. This indicated that the users were not the original owners of the accounts. The prices for hijacked accounts on trading markets ranged from $3 to $4,000 based upon the number of subscribers.
Many channels were used by hackers to live-stream crypto offers. The profile would be changed to imitate legitimate trading agencies or established corporations; many used “Space X” or “Elon Musk” variations. The scammers would give away crypto offers in exchange for an initial contribution, thereby maximizing the monetization of the hack through the victim’s audience.
From The Epoch Times