Google blocks 1.6 million scams that stole cookies

Google has blocked 1.6 million phishing scams since May 2021 that were part of a malware campaign aimed at hijacking YouTube accounts and promoting cryptocurrency scams.

According to Google's Threat Analysis Group (TAG), since the end of 2019 it has been disrupting phishing campaigns carried out by a network of Russian hackers targeting YouTubers with "highly customized" phishing messages and cookie-stealing malware.

The main goal of the group was to hijack YouTube accounts for live-stream scams that offer cryptocurrencies in exchange for an initial contribution. The group's other main source of income was the sale of YouTube channels for $3 to $4,000, depending on how many subscribers each channel has.

As of May 2021, Google reports that it has blocked 1.6 million targeted messages, displayed 62,000 Safe Browsing alerts, and restored some 4,000 compromised accounts.

The phishing messages delivered malware designed to steal cookies from browsers.

Although the pass-the-cookie attack is not new, it is very effective: it does not break multi-factor authentication (MFA) itself, but it works even when users have MFA enabled on an account, because the session cookie is stolen after the user has already authenticated twice, with a password and a smartphone for example.

Once the malware runs, the cookie is uploaded to the attacker's servers, handing him the account on a plate.
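Why MFA does not help once the cookie is gone, and what a server-side check can do about it, as an added example that is not code from Google or from the original article. The `SessionStore` class, the binding of a session to IP address and user agent, and all sample values are assumptions made for illustration; real services use stronger signals, since IP addresses change for legitimate users too.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Toy server-side session store (hypothetical, for illustration only)."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _fingerprint(client_ctx):
        # Assumption: the client context is (ip, user_agent).
        return hashlib.sha256("|".join(client_ctx).encode()).hexdigest()

    def login(self, user, password_ok, mfa_ok, client_ctx):
        # Both factors are verified once, at login time only.
        if not (password_ok and mfa_ok):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {"user": user, "ctx": self._fingerprint(client_ctx)}
        return cookie

    def check_plain(self, cookie):
        # Bearer-style check: whoever presents the cookie is the user.
        session = self._sessions.get(cookie)
        return session["user"] if session else None

    def check_bound(self, cookie, client_ctx):
        # The cookie must arrive from the context that logged in. On a
        # mismatch the session is revoked, forcing a fresh password + MFA login.
        session = self._sessions.get(cookie)
        if session is None:
            return None
        if not hmac.compare_digest(session["ctx"], self._fingerprint(client_ctx)):
            del self._sessions[cookie]
            return None
        return session["user"]


def demo():
    store = SessionStore()
    owner_ctx = ("198.51.100.7", "Browser/1.0")   # constructed sample values
    other_ctx = ("203.0.113.9", "Other/2.0")      # constructed sample values
    cookie = store.login("creator", True, True, owner_ctx)
    plain = store.check_plain(cookie)              # replay accepted, MFA never asked again
    bound = store.check_bound(cookie, other_ctx)   # replay rejected, session revoked
    after = store.check_bound(cookie, owner_ctx)   # owner must log in again
    return plain, bound, after
```
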

Google attributes the campaign to a hack-for-hire group recruited on a Russian-speaking forum.

Hackers then trick targets with fake business emails, such as the opportunity to monetize a demo for antivirus software, VPN, music players, photo editing software, or online games. But then the attackers steal the YouTube channel and either sell it or use it to broadcast live-stream cryptocurrency scams.

Google also found 1,011 domains created to deliver the malware. The domains impersonated well-known tech sites, such as Luminar, Cisco VPN, and various games on Steam.

The company reports that the hackers run the cookie-stealing malware periodically to reduce the chance of being detected by security software.


Written by giorgos
