Google has blocked 1.6 million phishing emails since May 2021 that were part of a malware campaign aimed at hijacking YouTube accounts and promoting cryptocurrency scams.
According to Google's Threat Analysis Group (TAG), the company has since late 2019 been disrupting phishing campaigns run by a network of Russian-speaking hackers who target YouTubers with "highly tailored" phishing emails and cookie-stealing malware.
The group's main goal was to breach YouTube accounts and use them to display live-stream scams offering free cryptocurrency in exchange for an initial contribution. The group's other main source of revenue was the sale of YouTube channels for $3 to $4,000 each, depending on how many subscribers the channel has.
Since May 2021, Google reports that it has blocked 1.6 million messages sent to targets, displayed 62,000 Safe Browsing phishing warnings, and restored approximately 4,000 compromised accounts.
The phishing messages delivered malware designed to steal cookies from browsers.
Although the "pass-the-cookie" attack is not new, it is very effective: it does not break multi-factor authentication (MFA) itself, but it works even when users have MFA enabled on an account, because the session cookie is intercepted after the user has already completed both authentication steps, for example an access code and a smartphone prompt.
Once the malware runs, it uploads the cookies to the attacker's servers, handing the account over on a plate.
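One server-side mitigation for the cookie theft described above is to bind each session to the client context it was issued in and to require a fresh MFA step-up, rather than serving the request, when the same cookie shows up from a different context. This is an added example, not code from the article or from Google; all names and sample values are hypothetical, and the binding rule (user agent plus the /24 of the client IP) is a deliberately coarse assumption so that a legitimate user changing DHCP lease is not challenged.

```python
"""Session-to-context binding as a pass-the-cookie mitigation (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    context: str           # fingerprint of client context at issue time
    step_up: bool = False  # set once the cookie was seen from another context


SESSIONS: dict[str, Session] = {}


def context_fingerprint(user_agent: str, client_ip: str) -> str:
    # Coarse binding: user agent plus the /24 of an IPv4 address (assumption),
    # so an address change within the same network does not trigger step-up.
    net = ".".join(client_ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()


def issue_session(user: str, user_agent: str, client_ip: str) -> str:
    """Called only after password + MFA succeeded; returns the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user, context_fingerprint(user_agent, client_ip))
    return sid


def check_request(sid: str, user_agent: str, client_ip: str) -> str:
    """Return 'ok', 'step_up' (re-run MFA before serving) or 'invalid'."""
    s = SESSIONS.get(sid)
    if s is None:
        return "invalid"
    if s.step_up:
        return "step_up"
    if not hmac.compare_digest(s.context, context_fingerprint(user_agent, client_ip)):
        # A stolen cookie replayed from the attacker's machine lands here:
        # the cookie alone no longer grants access to anyone until MFA is redone.
        s.step_up = True
        return "step_up"
    return "ok"


def complete_step_up(sid: str, user_agent: str, client_ip: str) -> None:
    """After a fresh MFA success, rebind the session to the new context."""
    s = SESSIONS[sid]
    s.context = context_fingerprint(user_agent, client_ip)
    s.step_up = False
```

Flagging the session rather than deleting it means the legitimate owner is also asked to re-authenticate, which is a useful signal that something replayed their cookie.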
Google attributes the campaign to a hack-for-hire group recruited on a Russian-speaking forum.
The hackers lure targets with fake business proposals, such as an offer to promote a demo of antivirus software, VPNs, music players, photo-editing software, or online games. Once in, the attackers take over the YouTube channel and either sell it or use it to broadcast live-stream cryptocurrency scams.
Google also identified 1,011 domains created to deliver the malware. The domains impersonated well-known technology brands, such as Luminar, Cisco VPN, and various games on Steam.
The company reports that the hackers run the cookie-stealing malware only periodically, rather than continuously, to reduce the chance of being detected by security software.