Google has blocked 1,6 million phishing emails since May 2021 as part of a malware campaign aimed at hacking YouTube accounts and promoting cryptocurrency fraud.
According to Threat Analysis Team (TAG by the Threat Analysis Group) of Google, which from the end of 2019 stops the cyber "fishing" campaigns carried out by a network of Russian hackers targeting YouTubers with "highly customized" cyber "phishing" messages and malicious cookie theft software .
The group's main goal was to breach YouTube accounts for displaying live-stream scams offering free cryptocurrencies in exchange for an initial contribution. The other main source of revenue for the group was the sale of channels YouTube from $ 3 to $ 4.000, depending on how many subscribers each channel has.
As of May 2021, Google reports that it has blocked 1,6 million targeted messages, displayed 62.000 Safe Browsing alerts, and repaired some 4.000 compromised accounts.
Fishing messages delivered malware designed to steal cookies from browsers.
Although the pass-the-cookie attack is not new, it is very effective: it does not bypass multi-factor authentication (MFA), but it works even when users activate the MFA on an account because the session cookie is stolen after the user has already been authenticated twice, by a password and a smartphone for example.
Once the malware runs, the cookie uploads to the attacker's servers offering him the bill on the plate.
Google attributes the campaign to a hack-for-hire group recruited to a Russian-speaking forum.
Hackers then trick targets with fake business emails, such as the opportunity to monetize a demo for antivirus software. VPN, music players, photo editing software, or online games. But then the attackers steal the YouTube channel and either sell it or use it to broadcast live-stream cryptocurrency scams.
Google also identified 1.011 domains created to deliver malware. The domains represented well-known technology sites, such as Luminar, Cisco VPN, and various games on Steam.
The company reports that hackers run malicious cookie theft software periodically to reduce the chance of being detected by security software.