Google Reveals Two-Year-Old Phishing and Malware Attack Targeting YouTube Users: Attackers Requested Software Reviews


Nearly two years after YouTube accounts began being hijacked even when two-factor authentication was enabled, Google's security team has published its account of how the attacks worked: the malware stole authenticated browser session cookies, so the attackers never had to pass a 2FA prompt at all.

https://blog.google/threat-analysis-group/phishing-campaign-targets-youtube-creators-cookie-theft-malware/

Google's Threat Analysis Group tracks groups involved in disinformation campaigns, government-backed hacking, and financially motivated abuse. Since late 2019, our team has been disrupting a financially motivated phishing campaign targeting YouTubers with Cookie Theft malware.

We believe that the group behind this campaign is a group of hackers recruited on Russian-speaking forums. Using fake collaboration requests (typically for antivirus software, VPNs, music players, photo editing tools, and online game demos), they lure the target, hijack the channel, and then either sell it to the highest bidder or use it to broadcast cryptocurrency scams.

In a report released by the Google Threat Analysis Group (TAG), the incident was attributed to “a group of hackers recruited from a Russian-speaking forum”.

According to TAG, the hackers approached victims by email with various kinds of business opportunities.

YouTubers were commonly lured with claims of sponsorship deals, and victims were asked to install and test various applications and publish their reviews.

Typically, the applications on offer were antivirus software, VPN clients, music players, photo editing software, PC optimization software, and online games.

But the "review app" was a trojan: the malware was bundled inside the installer.

When a YouTube creator received the demo app and ran it, the installer dropped the malware onto the device.

The malware extracted saved login credentials and authentication cookies from the YouTuber's browsers and sent the stolen data to a remote server.

The hackers then used the stolen authentication cookie to access the YouTuber's account. Because the cookie represents a session that has already passed login and 2FA, the server does not prompt for a two-factor authentication (2FA) token again; the attacker simply inherits the authenticated session. From there they changed the password and replaced the account's recovery email address and phone number, locking the owner out.
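The passage above describes why a stolen session cookie walks straight past 2FA: the cookie is a post-login credential, so the server has nothing left to challenge. The following is an added example (not Google's code, and not part of the original report) of two server-side controls that limit what a stolen cookie is worth: binding the session to a coarse client fingerprint and revoking it on mismatch, and requiring a fresh "step-up" 2FA before sensitive actions such as changing the recovery email. All names (SessionStore, Account, the fingerprint scheme built from the IP /24 and User-Agent, the five-minute freshness window) are assumptions chosen for illustration; real fingerprinting and step-up policies are more involved.

```python
"""Added example: narrowing the blast radius of a stolen session cookie.

Assumptions (not from the report): an in-memory SessionStore, HMAC-signed
session IDs, a coarse fingerprint of IP /24 + User-Agent as the device
binding, and a 5-minute freshness window for step-up 2FA.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

SERVER_KEY = secrets.token_bytes(32)   # HMAC key for signing session IDs
STEP_UP_MAX_AGE = 5 * 60               # seconds a 2FA proof counts as "fresh"


def client_fingerprint(ip, user_agent):
    """Coarse device binding: the /24 of the client IP plus its UA string."""
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


@dataclass
class Account:
    username: str
    password_hash: str
    recovery_email: str


@dataclass
class Session:
    sid: str
    username: str
    fingerprint: str
    last_2fa: float   # when the user last passed 2FA on this session


class SessionStore:
    def __init__(self):
        self._sessions = {}   # sid -> Session
        self.accounts = {}    # username -> Account

    def login(self, username, password, totp_ok, ip, ua):
        """Password + 2FA; returns the signed cookie value."""
        acct = self.accounts[username]
        if hashlib.sha256(password.encode()).hexdigest() != acct.password_hash:
            raise PermissionError("bad password")
        if not totp_ok:
            raise PermissionError("2FA required")
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = Session(sid, username, client_fingerprint(ip, ua), time.time())
        mac = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
        return f"{sid}.{mac}"

    def _resolve(self, cookie, ip, ua):
        """Validate signature and device binding; revoke on replay from elsewhere."""
        sid, _, mac = cookie.rpartition(".")
        expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            raise PermissionError("bad signature")
        sess = self._sessions.get(sid)
        if sess is None:
            raise PermissionError("unknown or revoked session")
        if sess.fingerprint != client_fingerprint(ip, ua):
            del self._sessions[sid]   # the cookie has leaked: kill it for everyone
            raise PermissionError("fingerprint mismatch; session revoked")
        return sess

    def whoami(self, cookie, ip, ua):
        return self._resolve(cookie, ip, ua).username

    def step_up(self, cookie, ip, ua, totp_ok):
        """Re-prompt for 2FA on an existing session and record the time."""
        sess = self._resolve(cookie, ip, ua)
        if not totp_ok:
            raise PermissionError("2FA failed")
        sess.last_2fa = time.time()

    def change_recovery_email(self, cookie, ip, ua, new_email):
        """Sensitive action: valid session alone is not enough."""
        sess = self._resolve(cookie, ip, ua)
        if time.time() - sess.last_2fa > STEP_UP_MAX_AGE:
            raise PermissionError("step-up 2FA required")
        self.accounts[sess.username].recovery_email = new_email


def demo():
    """Replay a stolen cookie, then attempt a sensitive action; report outcomes."""
    store = SessionStore()
    store.accounts["creator"] = Account(
        "creator", hashlib.sha256(b"correct horse").hexdigest(), "creator@example.com")
    victim_ip, victim_ua = "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/94"
    cookie = store.login("creator", "correct horse", True, victim_ip, victim_ua)
    out = {}
    try:   # stolen cookie replayed from the attacker's machine
        store.whoami(cookie, "198.51.100.7", "Mozilla/5.0 (X11; Linux) Firefox/93")
        out["replay_accepted"] = True
    except PermissionError:
        out["replay_accepted"] = False
    try:   # the leak revoked the session for the victim too: forces a fresh login
        store.whoami(cookie, victim_ip, victim_ua)
        out["victim_session_survives"] = True
    except PermissionError:
        out["victim_session_survives"] = False
    cookie = store.login("creator", "correct horse", True, victim_ip, victim_ua)
    store._sessions[cookie.rpartition(".")[0]].last_2fa -= STEP_UP_MAX_AGE + 1  # simulate age
    try:   # sensitive change on a stale session is refused
        store.change_recovery_email(cookie, victim_ip, victim_ua, "attacker@example.net")
        out["stale_change_allowed"] = True
    except PermissionError:
        out["stale_change_allowed"] = False
    store.step_up(cookie, victim_ip, victim_ua, totp_ok=True)
    store.change_recovery_email(cookie, victim_ip, victim_ua, "new@example.com")
    out["recovery_email"] = store.accounts["creator"].recovery_email
    return out


if __name__ == "__main__":
    print(demo())
```

The fingerprint check is deliberately coarse: stealer logs usually ship with the victim's User-Agent, and an attacker can set it, so the IP network is doing most of the work and a legitimate user on a changing network will be logged out. The step-up rule is the more robust of the two, since it never trusts a session, however old, for the actions that actually lock an owner out.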

Once the victim is locked out of the account, the hackers typically sell the hijacked YouTube channel on underground markets for stolen accounts.

For example, MarcoStyle told us that he received an offer to test and review a new game optimization tool called Orio.


"As soon as I installed it, I knew something was wrong."

"I knew I had 2FA turned on, but I still couldn't access my account."

"The person who emailed me never responded, and a few days later someone told me my account was being sold online."

Most of the accounts have been returned to their original owners

When tracking how the hijacked accounts were abused, Google found that some had been permanently rebranded and passed to new owners, but most of the accounts listed on account-trading markets could be returned to their original owners.

On the rebranded channels, the channel names, profile images, and content were all replaced with cryptocurrency branding, impersonating large technology companies and cryptocurrency exchanges.

The attackers then live-streamed videos promising cryptocurrency giveaways in exchange for an initial deposit.

Some accounts were rebranded with the identities of Bill Gates, Elon Musk, and Linus Torvalds, all apparently promoting the same kind of cryptocurrency giveaway scam.

Google said it has identified more than 15,000 email accounts that the group used to communicate with victims, as well as 1,011 websites that hosted malware-infected apps.

Some of the websites were disguised as legitimate software sites, such as Luminar, Cisco VPN, and Steam games, or were generated using online templates.

The malware used by the hackers included RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad, and Kantal, all commercial information stealers sold on underground hacking forums.

Open-source malware available on GitHub, such as AdamantiumThief and Sorano, was also used in some of the attacks.

Google says that to date it has recovered the accounts of over 4,000 YouTube creators hacked by this group.

Google also says it has shared its findings with the FBI.

Google also says it has found a forum where the group behind the attack was recruiting partners to conduct phishing and social engineering attacks.

According to a series of ads, partners were offered either a 25% or 75% cut of the resale value of the stolen accounts, depending on the level of involvement and complexity of the phishing.

According to the prices listed on those account-trading markets, hijacked accounts usually sold for between $20 and $10,000, depending on subscriber count.

Google said that in response it has improved Gmail's detection of the phishing emails and added the malicious sites and downloads to Chrome's Safe Browsing blocklists.
