Massive Account-Stealing Phishing Scam Targeting YouTube Creators

by | October 26, 2021 | Cybersecurity News

Google discovered an extensive cookie-swiping phishing scam targeting YouTube content providers and stealing accounts. A new report from the tech giant shows the extent of the damage.

15,000 Fake Accounts Involved In The Phishing Scam

A new report from Google revealed information about a phishing scam targeting YouTubers. The extensive campaign involved a jaw-dropping 15,000 fake accounts and more than a million messages to potential victims. Multiple cybercriminals carried the attacks. The company reported it had recovered approximately 4,000 compromised accounts since late 2019. The threat actors’ goal was to infect the victim’s computer with cookie-stealing malware, which is much more aggressive than sending a link to someone and waiting for them to get sloppy with their account credentials.

YouTube did not disclose who was recruiting the attackers. However, it said that they were using Russian-language forums to advertise. Big YouTube accounts have become a target for hackers.

The phishing scam involved recruiting 'freelance' hackers.
An example of the advertisements posted to forums trying to recruit hackers to phish YouTubers. Credit: Google

The Scheme’s Mechanisms

The scammers contacted YouTubers, offering bogus ad, antivirus software, VPN, or other software deals on their channel. If the creator agreed, they would receive a link that, once clicked, would infect their device with malware programs, typically designed to steal cookies and account credentials.

Example of a phishing email message. Credit: Google

The phishing typically started with a customized email introducing the company and its products. Once the target agreed to the deal, a malware landing page disguised as a software download URL was sent via email or a PDF on Google Drive, and in a few cases, Google documents containing the phishing links. Around 15,000 actor accounts were identified, most of which were created for this campaign specifically”, Google said in its report.

Then, the hackers would ask targets to continue conversations on messaging apps to avoid detection.

Because Google actively detects and disrupts phishing links sent via Gmail, the actors were observed driving targets to messaging apps like WhatsApp, Telegram or Discord.”

Because many creators use MFA (multi-factor authentication), the cookies may have been a valuable target. For example, if the attackers stole the YouTuber’s cookie, they may have been able to take over the channel and change the passwords. And, since these accounts are tied to Google accounts, the scammers got access also to Gmail, Google Drive, Photos, and other services.

“Most of the observed malware was capable of stealing both user passwords and cookies. Some of the samples employed several anti-sandboxing techniques including enlarged files, encrypted archive, and download IP cloaking. A few were observed displaying a fake error message requiring user click-through to continue execution”, the report writes.

Fake error window requiring user click-through. Credit: Google

Google explained that scammers sold the stolen accounts for anywhere from $3 to $4,000.

This malicious campaign and other similar ones is why Google announced that YouTube content creators would be required to enable two-step verification. In addition, Google is giving away thousands of security keys to “high-risk users” every year. Of course, this doesn’t stop attackers who’ve taken control of your device but makes the attempts more expensive to conduct, thus slowing the bad guys down a bit.

The tech giant is actively fighting hackers in other ways, by blocking their messages and files, as well as alerting users when they’re about to visit an unsecured website. But, considering much value the creators’ accounts hold, all these efforts won’t discourage cybercriminals from trying to steal them. As a result, phishing scams will probably stick around for the rest of our online life.


The Verge Google details extensive phishing campaign targeting YouTubers

Google Phishing campaign targets YouTube creators with cookie theft malware


Photo by Christian Wiediger on Unsplash

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.