Google’s Threat Analysis Group (TAG) has released a report detailing an elaborate cookie theft malware campaign that has targeted YouTube creators since late 2019.
TAG attributed the campaign to hack-for-hire actors recruited through Russian-speaking forums. The service advertised there was a “pass-the-cookie attack”: malware copies the session cookies a browser keeps after a successful login, and whoever presents those cookies to the service is treated as the already-authenticated user, so no password and no second factor is needed. The attackers used an arsenal of well-known, open-source malware families for the theft itself. The technique's resurgence tracks the wider adoption of multi-factor authentication (MFA), which makes stolen passwords alone far less useful, and getting the malware onto a victim's machine relied mainly on social engineering.
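To make the pass-the-cookie point concrete, here is an added example (not code from Google TAG or the report): a minimal server-side session store that issues a cookie only after password and MFA both succeed, shows that the cookie alone is then enough to act as the user, and adds one hardening, binding the session to the client context seen at login. The `SessionStore` class, the `ip`/`user_agent` client fields and the sample victim and attacker contexts are all constructed for illustration.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Toy server-side session store (constructed for this example).

    bind_client=False reproduces the plain pass-the-cookie situation:
    the cookie value is the only thing checked.  bind_client=True also
    checks that the cookie is used from the same IP/User-Agent it was
    issued to and revokes the session on a mismatch.
    """

    def __init__(self, ttl_seconds=3600, bind_client=False):
        self._sessions = {}
        self.ttl = ttl_seconds
        self.bind_client = bind_client

    @staticmethod
    def _fingerprint(client):
        # client is a dict with 'ip' and 'user_agent' (assumed fields)
        raw = f"{client['ip']}|{client['user_agent']}".encode()
        return hashlib.sha256(raw).hexdigest()

    def login(self, user, password_ok, mfa_ok, client, now=None):
        """Issue a session cookie only after password AND MFA succeed."""
        if not (password_ok and mfa_ok):
            return None
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[sid] = {
            "user": user,
            "issued": now,
            "fp": self._fingerprint(client),
        }
        return sid

    def authenticate(self, cookie, client, now=None):
        """Return the user a cookie belongs to, or None.

        Note that nothing here re-checks the password or prompts for MFA:
        possession of the cookie is the whole proof of identity.
        """
        sess = self._sessions.get(cookie)
        if sess is None:
            return None
        now = time.time() if now is None else now
        if now - sess["issued"] > self.ttl:
            del self._sessions[cookie]
            return None
        if self.bind_client and sess["fp"] != self._fingerprint(client):
            # Cookie presented from a different IP/User-Agent than at login:
            # treat as a possible replay and revoke.  A real service would
            # more likely step up to a fresh MFA challenge here.
            del self._sessions[cookie]
            return None
        return sess["user"]


def demo(bind_client):
    """Victim logs in with MFA; attacker replays the stolen cookie."""
    store = SessionStore(ttl_seconds=3600, bind_client=bind_client)
    # Constructed client contexts (RFC 5737 documentation addresses)
    victim = {"ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/94"}
    attacker = {"ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (X11; Linux) Firefox/93"}

    cookie = store.login("creator", password_ok=True, mfa_ok=True, client=victim)
    return {
        "victim": store.authenticate(cookie, victim),
        "attacker": store.authenticate(cookie, attacker),
    }


if __name__ == "__main__":
    print("no binding:", demo(bind_client=False))   # attacker is 'creator'
    print("client-bound:", demo(bind_client=True))  # attacker is None
```

With `bind_client=False` the attacker is accepted as `creator` without ever seeing the password or the MFA prompt, which is exactly what the advertised pass-the-cookie service sells. The binding shown here is deliberately simple and has known limits: the User-Agent is attacker-controlled, and IP binding produces false positives for users on mobile or roaming networks, so production services typically combine short session lifetimes, device-bound tokens and step-up MFA on sensitive actions (such as changing channel ownership) rather than a single fingerprint check.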
YouTubers were approached with phishing emails introducing a software product and offering to pay for a video advertisement of it. Once a target agreed to the deal, the attackers sent a link to a malware landing page posing as the software's download page, either directly in an email or inside a PDF hosted on Google Drive. A large number of channels were hijacked this way, and many of them were then sold on underground markets at prices that varied with the channel's subscriber count.
TAG identified at least 1,011 domains linked to these attacks and roughly 15,000 actor accounts created specifically for the campaign.