How Google disrupted a massive phishing campaign against YouTubers

Google has released a report outlining how their Threat Analysis Group disrupted an extensive phishing campaign targeting YouTubers with Cookie Theft malware since 2019. Stopping the hackers in their tracks was no mean feat, considering the campaign involved 15,000 fake accounts and sending over 1 million messages to targets.

Read on to find out what the campaign involved and how Google managed to disrupt their efforts. 

How the phishing campaign worked

According to Google, the hackers behind this campaign were recruited in a Russian-speaking forum, specifically to target YouTube influencers. As such, this was no ordinary phishing campaign attempting to coax people into giving away their passwords on fake websites — this was Cookie Theft. These hackers encouraged YouTubers to download a type of malware that steals login cookies, thus allowing them to hijack sessions and take over entire YouTube accounts. Once they had access to these accounts, the hackers could change the passwords and lock out the rightful owners entirely. 
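Because a stolen login cookie lets the attacker act as the victim without ever entering a password, the server side signal to watch for is the same session being presented from two different clients at once. The following is an added example, not code from Google's report: a small detector run over constructed web-application log lines (timestamp|session id|client IP|user agent, a format assumed here) that flags sessions replayed from a different browser or from a second IP within a short window.

```python
"""Flag session cookies that appear to be replayed from a second client.

Added example; the log format (ts|session_id|ip|user_agent) and the sample
lines are constructed for illustration and do not come from the report.
"""
from datetime import datetime

# Constructed sample log lines: the victim's browser keeps using sess-a1 from
# 203.0.113.10, then the same cookie shows up from another host and browser.
SAMPLE_LOG = """\
2021-10-01T10:00:00|sess-a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/94
2021-10-01T10:05:00|sess-a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/94
2021-10-01T10:07:00|sess-a1|198.51.100.7|Mozilla/5.0 (X11; Linux x86_64) Firefox/92
2021-10-01T10:09:00|sess-b2|192.0.2.44|Mozilla/5.0 (Macintosh) Safari/605
2021-10-01T11:30:00|sess-b2|192.0.2.44|Mozilla/5.0 (Macintosh) Safari/605
"""


def parse_log(text):
    """Parse lines into (timestamp, session_id, ip, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        ts, sid, ip, ua = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), sid, ip, ua))
    return events


def find_hijacked_sessions(events, window_minutes=30):
    """Return {session_id: [(previous_ip, new_ip, timestamp), ...]}.

    A session is flagged when the same cookie arrives with a different
    user agent (browsers do not change mid-session), or from a different
    IP within window_minutes of the previous use. Malware that exfiltrates
    cookies typically replays them while the victim is still logged in,
    which is exactly the overlap this heuristic looks for.
    """
    last_seen = {}  # session_id -> (timestamp, ip, user_agent)
    flagged = {}
    for ts, sid, ip, ua in sorted(events):
        if sid in last_seen:
            prev_ts, prev_ip, prev_ua = last_seen[sid]
            minutes_apart = (ts - prev_ts).total_seconds() / 60
            if ua != prev_ua or (ip != prev_ip and minutes_apart <= window_minutes):
                flagged.setdefault(sid, []).append((prev_ip, ip, ts))
        last_seen[sid] = (ts, ip, ua)
    return flagged


if __name__ == "__main__":
    for sid, hits in find_hijacked_sessions(parse_log(SAMPLE_LOG)).items():
        for prev_ip, new_ip, ts in hits:
            print(f"{sid}: reused from {new_ip} (previously {prev_ip}) at {ts}")
```

A flagged session is a candidate for forced re-authentication and cookie invalidation rather than automatic lockout, since legitimate IP changes (for example a phone switching networks) do occur.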

But how exactly did they convince YouTubers to do this?

Impersonating real companies

A big part of making income as an influencer on YouTube is accepting sponsorships from companies and talking about their products on their channel. Because of this, many YouTubers include an email address on their channel for business-related messages and sponsorship opportunities. 

The hackers exploited this fact and sent realistic emails to YouTubers where they impersonated real companies offering to pay them in exchange for a video advertisement on their channel. These emails often contained links to Google Docs or PDFs hosted on Google Drive explaining more about the alleged products. These documents contained more links to apparent demos and software downloads for things like anti-virus software, VPNs, or online games, but really they were links to landing pages containing the malware. 

Once the influencer downloaded the malware and hackers took over their channel, they either sold it to the highest bidder on the dark web or used it to promote cryptocurrency scams to the influencer’s followers.

So far, Google has identified 15,000 actor Google accounts related to this scam, as well as 1,011 domains featuring fake landing pages.

How Google responded

Google says they are continuously improving detection methods and investing in tools to prevent attacks like this. They have decreased the number of phishing emails related to this scam on Gmail by 99.6% since May 2021. They have also restored over 4,000 stolen accounts, blocked 1.6M messages to potential targets, blocked 2,400 file downloads, and displayed over 62,000 phishing page warnings to users. The company says they have also passed on this information to the FBI to investigate further. 

YouTube has also made it harder for users to transfer channels and has made 2-factor authentication a requirement for all content creators.

Wrap up

While it’s great that Google and YouTube have made these necessary improvements, it’s an unfortunate reality that anyone online, particularly those with a sizable following, needs to be constantly vigilant when it comes to scammers and hackers and know the signs to look out for. If your browser has a safe browsing mode, turn it on. Take your browser warnings seriously, and always scan unknown files with an antivirus before downloading them. Treat emails from unknown senders as suspicious, and familiarize yourself with the signs of social engineering and phishing websites.
