Since the end of 2019 at the latest, a network of hackers has been hijacking YouTube creators' channels, luring them with fake collaboration offers, in order to spread cryptocurrency scams or sell the accounts to the highest bidder.

This emerges from a new report from Google’s Threat Analysis Group (TAG), which says it has been disrupting financially motivated phishing campaigns that target the video platform with cookie-stealing malware. The intrusions have been attributed to a group of hackers recruited from a Russian-speaking forum.


“Cookie theft, also known as a ‘pass-the-cookie attack’, is a session hijacking technique that allows access to user accounts with session cookies stored in the browser,” says Ashley Shen of TAG. “Although the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA), which makes abuse more difficult, and to a shift in attackers’ focus to social engineering tactics.”

As of May, the internet giant said it had blocked 1.6 million messages and restored nearly 4,000 YouTube influencer accounts affected by the social engineering campaign.


In other cases the hijacked channels were repurposed for cryptocurrency scams: the adversary first changed the channel’s name, profile picture, and content to impersonate large technology companies or cryptocurrency exchanges, then broadcast live streams promising cryptocurrency giveaways in return for an initial contribution.

In the attacks, a malicious link was sent to channel owners under the guise of video ad collaborations for antivirus software, VPN clients, music players, photo editing apps, or online games. When clicked, it redirected the recipient to a malware landing page, some of which impersonated legitimate software sites such as Luminar and Cisco VPN or masqueraded as media companies focused on COVID-19.


Google said it identified at least 15,000 actor accounts behind the phishing messages and 1,011 domains built specifically to deliver the fake software, which ran cookie-stealing malware that extracts passwords and authentication cookies from the victim’s computer and uploads them to the actor’s command-and-control server.

The hackers would then use the stolen session cookies to take control of a YouTube creator’s account, effectively bypassing two-factor authentication (2FA), since the cookie represents a session that has already passed the login and MFA checks, and change the password as well as the account’s recovery email address and phone numbers.
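The defining trace of a pass-the-cookie attack as described above is a single session identifier being presented from a second client after the legitimate owner completed MFA. The following detection heuristic is an added example, not code from the Google TAG report or from YouTube; it runs over constructed, hypothetical access log lines in a made-up "timestamp session_id src_ip user_agent path" layout, and the path names (/mfa/verify, /account/recovery/update) are assumptions chosen for illustration.

```python
"""Detect reuse of a session cookie from a second client (pass-the-cookie).

A session cookie is a bearer token: whoever presents it is treated as the
user who logged in, MFA included. So a stolen cookie shows up in server logs
as the same session id arriving from a different source IP and User-Agent
than the client that passed the MFA step. This script binds each session to
the client that completed MFA and flags later requests from any other client.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not real YouTube/Google logs).
# Session sess_7f3a passes MFA from one client and is later used from another
# client, which then changes the account recovery settings. sess_c1d9 is benign.
SAMPLE_LOG = """\
2021-10-20T09:00:01Z sess_7f3a 203.0.113.10 Chrome/94.0 /login
2021-10-20T09:00:04Z sess_7f3a 203.0.113.10 Chrome/94.0 /mfa/verify
2021-10-20T09:05:12Z sess_7f3a 203.0.113.10 Chrome/94.0 /studio/dashboard
2021-10-20T09:41:50Z sess_7f3a 198.51.100.77 Firefox/93.0 /studio/dashboard
2021-10-20T09:42:03Z sess_7f3a 198.51.100.77 Firefox/93.0 /account/recovery/update
2021-10-20T10:10:00Z sess_c1d9 192.0.2.45 Safari/15.0 /login
2021-10-20T10:10:05Z sess_c1d9 192.0.2.45 Safari/15.0 /mfa/verify
2021-10-20T10:30:00Z sess_c1d9 192.0.2.45 Safari/15.0 /studio/dashboard
"""

# Assumed path names: the MFA completion endpoint and the endpoints whose
# abuse matters most (the recovery-detail changes described in the article).
MFA_PATH = "/mfa/verify"
SENSITIVE_PATHS = ("/account/recovery/update", "/account/password")


@dataclass(frozen=True)
class Request:
    ts: datetime
    session: str
    ip: str
    ua: str
    path: str


def parse_log(text):
    """Parse the constructed log format into Request records."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, ip, ua, path = line.split(" ", 4)
        reqs.append(Request(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            session, ip, ua, path))
    return reqs


def detect_pass_the_cookie(reqs, max_age=timedelta(hours=24)):
    """Return alerts for session ids used by a client other than the one
    that completed MFA, within max_age of that MFA step."""
    bound = {}   # session id -> (ip, ua, ts) of the client that passed MFA
    alerts = []
    for r in sorted(reqs, key=lambda r: r.ts):
        if r.path == MFA_PATH:
            bound[r.session] = (r.ip, r.ua, r.ts)
            continue
        if r.session not in bound:
            continue  # pre-MFA traffic for this session; nothing to compare
        ip, ua, mfa_ts = bound[r.session]
        if (r.ip, r.ua) != (ip, ua) and r.ts - mfa_ts <= max_age:
            alerts.append({
                "session": r.session,
                "ts": r.ts.isoformat(),
                "bound_client": f"{ip} {ua}",
                "seen_client": f"{r.ip} {r.ua}",
                "path": r.path,
                # Recovery/password changes from the foreign client are the
                # account-takeover step itself, so rank them highest.
                "severity": "high" if r.path in SENSITIVE_PATHS else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_pass_the_cookie(parse_log(SAMPLE_LOG)):
        print(alert)
```

Treat this as an alerting heuristic rather than a hard block: source IPs change legitimately on mobile networks and VPNs, and an attacker replaying a cookie from the stolen browser profile can also copy the User-Agent. The durable defences are on the server side: bind sessions to stronger client signals than IP, keep session lifetimes short, and require a fresh MFA prompt before recovery-email, phone-number or password changes so that a replayed cookie alone cannot complete the takeover.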

After Google intervened, the perpetrators were observed moving to messaging apps such as WhatsApp, Telegram, and Discord to sidestep Gmail’s phishing protections, and switching to other email providers such as aol.com, email.cz, seznam.cz and post.cz. Users are strongly advised to secure their accounts with two-factor authentication, bearing in mind that, as these attacks show, 2FA on its own does not protect a session whose cookie has already been stolen.
