Google crushes phishing campaign targeting YouTubers

YouTube content creators have been the target of financially motivated phishing campaigns since late XNUMX, according to Google's security researchers. The search giant's Threat Analysis Group (TAG) has shared details of these now-disrupted campaigns, which were carried out with the Cookie Theft malware. "In collaboration with YouTube, Gmail, Trust & Safety, the CyberCrime Investigation Group and the Safe Browsing teams, our protections have reduced the volume of phishing emails on Gmail by XNUMX% since May XNUMX," TAG researcher Ashley Shen writes in a blog post. TAG attributes the campaigns to threat actors recruited through a clandestine Russian-speaking forum.

Smash and grab

Shen explains that the attackers lure their targets with fake collaboration offers, then use malware to hijack the creator's channel, which they either sell to the highest bidder (for up to €XNUMX) or use to run cryptocurrency scams. The cookie-theft technique let the attackers take over victims' accounts by stealing the session cookies stored in their web browsers. "While the technique has been around for decades, its revival as a critical security hazard could be due to broader adoption of multi-factor authentication (MFA), which complicates abuse and shifts attackers' attention to social engineering tactics," Shen shares. Interestingly, Shen says the malware used in the campaign was run in a non-persistent mode, so that it would not remain on a compromised system long enough to attract the attention of security products.

Moved elsewhere

Commenting on the scale of the campaigns, Shen says that TAG has identified more than one with zero domains and around fifteen with zero user accounts created solely to orchestrate the scam. These email accounts were used to send phishing emails, containing links that redirect to malware landing pages, to the business email addresses of YouTube creators. TAG has helped block around XNUMX million messages and has even managed to restore access to around XNUMX accounts. "With increased detection efforts, we've seen attackers move from Gmail to other email providers (most notably email.cz, seznam.cz, article.cz, and aol.com)," Shen concludes, hinting that the campaign has merely switched email providers and may still be active.