A recent report from Google’s Threat Analysis Group highlights a phishing campaign targeting YouTube content creators. Hackers successfully hijacked thousands of channels, which were either sold off or used to launch financial scams against the channel’s viewers.
While Google says it’s actively working against the threat and has restored many of the compromised YouTube channels, the campaign underscores why cybersecurity practices are important — on YouTube and everywhere else.
How is this latest YouTube phishing scam pulled off?
YouTube did not disclose who was behind the attack, but the report states the campaign recruited its team on a Russian-speaking message board. While we may not know exactly who was behind it, we know the group used “cookie theft” attacks to pull off the heists.
Unlike phishing scams that use fake login pages, malicious links, or other techniques to siphon usernames, passwords, and other personal data, cookie theft attacks target the cookies a browser saves when you’re logged in.
Cookie theft attacks take more effort — and are more expensive — than your average phishing scam, and are only effective if the user remains logged in and doesn’t delete their cookies before the hacker can use the login cookies on their end. However, using the login session cookies bypasses the need to log in entirely, circumventing additional authentication requirements like two-factor authentication (2FA) codes, security questions, or USB security keys. That makes cookie theft attacks extremely dangerous, and considering YouTube’s recent 2FA login requirement for all YouTube creators, it’s likely cookie theft is one of the only viable options left to hackers.
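To see why a copied login cookie skips the password and 2FA step, here is a toy server-side session store written for this article; it is an added example, not code from Google or YouTube, and the fingerprint fields (user agent plus IP prefix), the function names and the sample values are assumptions for illustration. It contrasts a store that trusts the cookie alone with one that binds the session to the client it was issued to and revokes all sessions on logout.

```python
import hashlib
import secrets


def client_fingerprint(user_agent: str, ip: str) -> str:
    # Assumption for this example: bind a session to the user agent and
    # the first three octets of the IPv4 address it was issued to.
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{prefix}".encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions = {}  # token -> (user, fingerprint)

    def login(self, user: str, user_agent: str, ip: str, mfa_ok: bool) -> str:
        # Password and 2FA are checked once, here; the returned token is
        # what the browser stores as the login cookie.
        if not mfa_ok:
            raise PermissionError("2FA code required")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, client_fingerprint(user_agent, ip))
        return token

    def authorize_naive(self, token: str):
        # The cookie alone is the credential, so a stolen copy is accepted.
        session = self._sessions.get(token)
        return session[0] if session else None

    def authorize_bound(self, token: str, user_agent: str, ip: str):
        # Mitigation: reject the cookie when the client context has changed.
        session = self._sessions.get(token)
        if session is None or session[1] != client_fingerprint(user_agent, ip):
            return None
        return session[0]

    def logout_everywhere(self, user: str) -> None:
        # Mitigation: revoke every session so copies of the cookie stop working.
        for token in [t for t, s in self._sessions.items() if s[0] == user]:
            del self._sessions[token]


def demo() -> tuple:
    store = SessionStore()
    cookie = store.login("creator", "Chrome/94", "203.0.113.10", mfa_ok=True)
    # Constructed scenario: the same cookie presented from a different machine.
    replay_naive = store.authorize_naive(cookie)
    replay_bound = store.authorize_bound(cookie, "Firefox/93", "198.51.100.7")
    store.logout_everywhere("creator")
    return replay_naive, replay_bound, store.authorize_naive(cookie)
```

Signing out of all sessions (the "logout everywhere" step) is what actually invalidates a cookie that has already been copied; clearing cookies locally only removes the browser's own copy.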
Like other phishing and malware attacks, a successful cookie theft requires the user to download and install malicious files or apps to their computer. To pull this off, hackers used social engineering techniques to trick victims into fake — but nonetheless convincing — ad partnerships over email.
For example, some of the “partnerships” were for VPNs, anti-virus apps, or video games the YouTuber was asked to “review.” Once the YouTuber agreed to test the product, the hackers sent malware-infected files that collect the user’s YouTube channel login cookies. The files were encrypted so that they could bypass anti-malware and anti-virus apps, making it difficult to intercept the files before they were on the user’s computer.
With those cookies in hand, the hackers could then take over the channel without ever needing the channel’s username or password. They would use the hijacked channels to launch financial scams against the YouTuber’s audience, such as fake donation campaigns, fake cryptocurrency schemes, and more. In some cases, the group sold off smaller channels to other hacking groups for anywhere from $4 to $4000.
How you can stay safe
According to Google’s report, its teams have “decreased the volume of related phishing emails on Gmail by 99.6% since May 2021,” and blocked 1.6 million messages, more than 62,000 phishing pages, and 2,400 malicious files. It also reported the hacker activity to the FBI.
As for the affected channels, YouTube says it successfully restored around 4,000 accounts.
That’s good news for those who fell victim to the scam, but these numbers illustrate just how large (and dangerous) phishing campaigns are. It’s why we routinely recommend turning on 2FA for all your accounts. (If you don’t have it enabled on YouTube, now is a good time to turn it on.)
But yes, this particular phishing campaign also shows it’s possible to bypass 2FA security — no cybersecurity feature is 100 per cent effective. However, 2FA makes it much harder for hackers to break in in the first place, as does making unique passwords for every account.
Our guide on spotting online scams will help you avoid the common pitfalls that grant hackers access to your devices and data; don’t forget to regularly scan your PC and any files you download with reliable anti-virus and anti-malware apps and turn on your browser’s highest browsing security mode. Google’s report also includes a list of domains the hacking group has used for its attacks that you should review and add to your browser or anti-malware app’s block list.