Since at least 2019, hackers have been hijacking high-profile YouTube channels. Sometimes they broadcast cryptocurrency scams, sometimes they simply auction off access to the accounts. Now Google has detailed the technique hackers used to compromise thousands of YouTube creators over the last two years.
Cryptocurrency scams and account takeovers are nothing new in themselves; look no further than last fall’s Twitter hack for an example of that kind of chaos on a grand scale. But the sustained attack on YouTube accounts stands out both for its breadth and for the methods the hackers used: an old maneuver that is nonetheless remarkably difficult to defend against.
It all starts with a phish. The attackers send YouTube creators an email that appears to come from a real service, such as a VPN, a photo-editing app, or an antivirus product, and offer to collaborate. They propose a standard promotional arrangement: show our product to your viewers and we will pay you a fee. It’s the kind of transaction that happens every day for YouTube’s stars, in a bustling influencer-marketing industry.
However, clicking the link to download the product takes the creator to a malware landing site instead of the real one. In some cases the hackers posed as well-known quantities such as Cisco VPNs and Steam games, or pretended to be COVID-19-focused media outlets. Google says it has found more than 1,000 domains to date that were specifically designed to infect unwitting YouTubers. And that only hints at the scale. The company also found 15,000 email accounts associated with the attackers behind the scheme. The attacks do not appear to have been the work of a single entity; rather, Google says, several hackers advertised account-takeover services on Russian-language forums.
Once a YouTuber inadvertently downloads the malicious software, it grabs specific cookies from their browser. These “session cookies” confirm that the user has successfully logged into their account. A hacker can upload those stolen cookies to a malicious server, allowing them to impersonate the already authenticated victim. Session cookies are especially valuable to attackers because they eliminate the need to go through any part of the login process. Who needs credentials to sneak into the Death Star detention center when you can borrow a stormtrooper’s armor?
“Additional security mechanisms such as two-factor authentication can present significant obstacles for attackers,” says Jason Polakis, a computer scientist at the University of Illinois, Chicago, who studies cookie-stealing techniques. “That makes browser cookies an extremely valuable resource for them, as they can bypass the security checks and additional defenses that are triggered during the login process.”
These “pass-the-cookie” techniques have been around for more than a decade, but they are still effective. In these campaigns, Google says it observed hackers using about a dozen open-source, off-the-shelf malware tools to steal browser cookies from victims’ devices. Many of these hacking tools could also steal passwords.
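As an added illustration of the defender’s side (this is not code from the original story or from Google), the Python below runs over constructed web-server log lines and flags a session id that reappears from a browser other than the one it was issued to, which is the point at which a service would force a fresh login so that a copied cookie alone is not enough. The log format, session ids and IP addresses are all assumptions for the example.

```python
"""Flag replay of a stolen session cookie from constructed web-server logs.

A session cookie issued to one browser should keep arriving from that browser.
When the same session id turns up with a different User-Agent (and usually a
different IP), the cookie has most likely been copied off the victim's machine.
"""
import re
from collections import namedtuple

# Constructed sample log lines; session ids and addresses are placeholders.
SAMPLE_LOG = """\
2021-09-01T10:00:00Z sid=a1b2 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/93" path=/studio
2021-09-01T10:05:00Z sid=a1b2 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/93" path=/studio/upload
2021-09-01T10:07:00Z sid=a1b2 ip=198.51.100.7 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/91" path=/studio/settings
2021-09-01T10:08:00Z sid=a1b2 ip=198.51.100.7 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/91" path=/studio/rename
2021-09-01T11:00:00Z sid=c3d4 ip=192.0.2.55 ua="Mozilla/5.0 (Macintosh) Safari/14" path=/studio
2021-09-01T11:30:00Z sid=c3d4 ip=192.0.2.56 ua="Mozilla/5.0 (Macintosh) Safari/14" path=/studio/upload
"""

LINE_RE = re.compile(
    r'(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" path=(?P<path>\S+)'
)
Binding = namedtuple("Binding", "ip ua")  # browser the cookie was first seen from

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def detect_cookie_replay(text):
    """Return (sid, ts, severity, reason) for each request whose session id
    is presented from a browser other than the one recorded at first use."""
    bindings = {}
    alerts = []
    for r in parse_log(text):
        bound = bindings.setdefault(r["sid"], Binding(r["ip"], r["ua"]))
        ip_changed, ua_changed = r["ip"] != bound.ip, r["ua"] != bound.ua
        if ua_changed:
            # A copied cookie replayed from the attacker's own browser almost
            # always carries a different User-Agent: high confidence, force re-auth.
            reason = "user-agent changed" + (", ip changed" if ip_changed else "")
            alerts.append((r["sid"], r["ts"], "high", reason))
        elif ip_changed:
            # IP-only changes are routine (mobile, VPN): record, do not block.
            alerts.append((r["sid"], r["ts"], "low", "ip changed only"))
    return alerts
```

In production the binding would be stored server-side when the cookie is issued rather than inferred from the first log line, and a “high” alert would invalidate the session and require the second factor again.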
“Account hijacking attacks remain a rampant threat, because attackers can take advantage of compromised accounts in many ways,” says Polakis. “Attackers can use compromised email accounts to spread scams and phishing campaigns, or they can even use stolen session cookies to drain funds from the victim’s financial accounts.”
Google did not confirm which specific incidents were related to the cookie-theft wave. But there was a notable increase in takeovers in August 2020, when hackers hijacked multiple accounts with hundreds of thousands of followers, changed the channel names to variations of “Elon Musk” or “Space X,” and then live-streamed bitcoin giveaway scams. It’s unclear how much revenue these scams generated, but presumably the attacks have been at least moderately successful given how widespread they have become.
This type of YouTube account takeover increased in 2019 and 2020, and Google says it brought in several of its security teams to address the issue. Since May 2021, the company says it has detected 99.6 percent of these phishing emails in Gmail, with 1.6 million messages and 2,400 malicious files blocked, 62,000 phishing-page warnings displayed, and 4,000 successful account restorations. Now Google researchers have observed attackers targeting creators who use email providers other than Gmail, such as aol.com, email.cz, seznam.cz, and post.cz, as a way to evade Google’s phishing detection. Attackers have also started trying to redirect their targets to WhatsApp, Telegram, Discord, or other messaging apps to stay out of sight.
“A lot of hijacked channels were rebranded for live streaming of cryptocurrency scams,” explains Google TAG in a blog post. “The channel name, profile picture and content were replaced by the cryptocurrency brand to impersonate large cryptocurrency or technology exchange firms. The attacker live-streamed videos promising crypto gifts in exchange for an initial contribution.”
Although two-factor authentication cannot stop these malware-based cookie thefts, it is an important protection against other types of scams and phishing. Beginning November 1, Google will require YouTube creators who monetize their channels to turn on two-factor authentication for the Google account associated with their YouTube Studio or YouTube Studio Content Manager. It’s also important to heed Google’s “Safe Browsing” warnings about potentially malicious pages. And, as always, be careful what you click and which attachments you download from your email.
The advice for YouTube viewers is even simpler: if your favorite channel is pushing a crypto deal that seems too good to be true, give it the Dramatic Chipmunk side-eye and move on.
This story originally appeared in wired.com.