Since at least the end of 2019, a large-scale malware campaign has been trying to take over the channels of YouTube video creators in order to spread crypto scams.
Google says cyber gangs are increasingly targeting YouTube creators. The groups are said to try to steal passwords via phishing to use the creators’ channels to spread crypto scams.
The report comes from Google’s Threat Analysis Group (TAG), which first encountered the campaign on Russian-language forums in late 2019. In its report, Google explains the methodology. The campaign starts with phishing: the video maker receives emails from the attackers offering, for example, a sponsorship deal for a VPN service. When the influencer downloads the supposed product, however, what is actually installed is malware.
In total, more than a thousand domains are believed to have been linked to the attacks, with some 15,000 accounts created for the campaigns. Those domains impersonate companies such as Cisco, the makers of Steam Games, or media companies.
Interestingly, the malware steals not only passwords but also the session cookies that are issued once multi-step verification has been completed, so that a criminal can take over the YouTuber’s account without having to pass the second step themselves. This is a response to the rise of two-step verification; Ashley Shen, TAG security engineer, writes in a blog post: “Most of the malware we found was capable of stealing both passwords and cookies. In addition, some of the samples used various techniques to evade sandboxes, including large files, encrypted archives, and hiding download IPs.”
A large share of the hijacked channels was then used for all kinds of fraudulent crypto campaigns in which crypto coins were supposedly ‘given away’. Others were sold on the black market.
In itself, using phishing to take over accounts or channels is nothing new. Last year, for example, we saw the same pattern in the hijacking of Twitter accounts belonging to public figures, which were then also used to spread crypto scams. The YouTube campaign, however, is unusually large and long-lasting. According to Google, its security teams are now actively combating these scams: since May this year, about 99.6% of the Gmail phishing emails linked to these attacks have been blocked.