How hackers are hijacking YouTube accounts to run ads for cryptocurrency scams

Hacker
(Image credit: Caroline Purser/Getty)

Google's Threat Analysis Group has shared details about a long-running phishing campaign targeting YouTubers. The campaign, apparently being carried out by hackers recruited in a Russian-speaking forum, uses "fake collaboration opportunities" to attract YouTubers, then hijacks their channel using a "pass-the-cookie attack," with the goal of either selling it off or using it to broadcast—of course—cryptocurrency scams.

The attacks begin with a phishing email offering a promotional collaboration. Once the deal is agreed, the YouTuber is sent a link to a malware page disguised to look like a download URL. This is where the real action begins: When the target runs the software, it pulls cookies from their PCs and uploads them to "command and control servers" operated by the hackers. 

Having those cookies, as Google explains, "enables access to user accounts with session cookies stored in the browser." This means hackers don't need to worry about stealing the YouTuber's login credentials, because the cookies makes remote sites think they're already logged in.

"Cookie theft" is actually an old digital hijacking technique that's enjoying a resurgence among unscrupulous actors, possibly because of the widespread adoption of security precautions that have made newer hacking techniques more difficult to pull off. Two-factor authentication, for instance, is a common security feature on major websites these days, but is ineffective against cookie theft. (You should still definitely be using it wherever possible, though.)

"Additional security mechanisms like two-factor authentication can present considerable obstacles to attackers," University of Illinois Chicago computer scientist Jason Polakis told Ars Technica. "That renders browser cookies an extremely valuable resource for them, as they can avoid the additional security checks and defenses that are triggered during the login process."

A "large number" of channels hijacked this way are rebranded to impersonate large technology firms or cryptocurrency exchanges, and then begin running streams promising cryptocurrency giveaways in exchange for an up-front payment. Those that are sold off on account-trading markets fetch from $3 to $4000, depending on the number of subscribers they have.

Google said it's reduced the amount of phishing emails related to these attacks by 99.6% since May 2021, and has blocked roughly 1.6 million emails and 2,400 files sent to targets. As a result, attackers are starting to move to non-Gmail providers, "mostly email.cz, seznam.cz, post.cz and aol.com." But the big challenge in cybersecurity, as always, is the human factor. Phishing emails can be remarkably deceptive (I've fallen for at least one myself, and I know about this stuff), and once the wheels start turning on that process it can be very difficult to stop. 

The promise of "something for nothing" has great allure too: The big Twitter hack that occurred in 2020 (which actually began with a "phone spear phishing attack") siphoned more than $100,000 from victims in a single day, simply by promising to double their Bitcoin contributions as a way of "giving back to the community."

Andy Chalk

Andy has been gaming on PCs from the very beginning, starting as a youngster with text adventures and primitive action games on a cassette-based TRS80. From there he graduated to the glory days of Sierra Online adventures and Microprose sims, ran a local BBS, learned how to build PCs, and developed a longstanding love of RPGs, immersive sims, and shooters. He began writing videogame news in 2007 for The Escapist and somehow managed to avoid getting fired until 2014, when he joined the storied ranks of PC Gamer. He covers all aspects of the industry, from new game announcements and patch notes to legal disputes, Twitch beefs, esports, and Henry Cavill. Lots of Henry Cavill.