Massive wave of account hijacks hits YouTube creators

mood · Sep 22, 2019

Massive wave of account hijacks hits YouTube creators
appears to be a coordinated attack
September 23, 2019
https://www.zdnet.com/article/massive-wave-of-account-hijacks-hits-youtube-creators/

Over the past few days, a massive wave of account hijacks has hit YouTube users, and especially creators in the auto-tuning and car review community, a ZDNet investigation discovered following a tip from one of our readers.

Several high-profile accounts from the YouTube creators car community have fallen victim to these attacks already. The list includes channels such as Built [Instagram post, YouTube channel], Troy Sowers [Instagram post, YouTube channel], MaxtChekVids [YouTube channel], PURE Function [Instagram post, YouTube Support post, YouTube channel], and Musafir [Instagram post, YouTube channel].

[...] especially over the weekend, with tens of complaints flooding Twitter [1, 2, 3, 4, 5, 6, 7, 8, 9, and many more] and the YouTube support forum [1, 2, 3, 4, 5, 6, 7, 8, 9, and many more].
COORDINATED CAMPAIGN BYPASSED 2FA
The account hacks are the result of a coordinated campaign that consisted of messages luring users to phishing sites, where hackers logged account credentials.
Click to expand...

Minimalist · Sep 24, 2019

Google pushes back on scale of YouTube phishing threat

YouTube’s owner Google has pushed back against suggestions that up to 23 million user accounts on the video platform may be at risk of falling victim to a targeted phishing campaign, following a number of reports of high-profile influencers – many but not all of them active within the online car tuning and modification community – having their accounts compromised.
Click to expand...

https://www.computerweekly.com/news/252471181/Google-pushes-back-on-scale-of-YouTube-phishing-threat

mood · Jun 4, 2020

YouTube channel credentials in high demand on hacker forums
June 3, 2020
https://www.bleepingcomputer.com/ne...-credentials-in-high-demand-on-hacker-forums/

An increasing number of offers for stolen YouTube credentials has been noted recently on hacker and cybercrime forums, where access to accounts is sold in bulk.
Sellers advertise large lists of credentials that are verified for the availability of a YouTube channel and subscriber count.

YouTube community support is filled with complaints from users that lost access to their channel and were demanded a ransom.
Researchers at IntSights external threat intelligence company found that there’s an increased demand in YouTube credentials on underground markets, which also fuels data verification side businesses.

One post advertised an auction a log for 990,000 YouTube active channels that started at $1,500; anyone paying $2,500 got it without contest. The seller was looking to cash in fast, like other actors, for fear of victims reporting the mischief and reclaiming access to their accounts.
Click to expand...

IntSights: Stolen YouTube Credentials Growing in Popularity on Dark Web Forums

But over the past few weeks, IntSights researchers have observed yet another new trend in black markets and cybercrime forums that has rapidly growing demand: stolen credentials for prominent YouTube accounts.

While there are many ways for the attackers to target YouTube channel owners, it seems the recent accounts were cropped from databases containing Google credentials as well as from malware-infected computers. In the past, attackers used sophisticated phishing campaigns in combination with reverse proxy toolkits like Modlishka to defeat Google’s two-step verification (one-time password).
However, none of the current sellers mention 2FA, which may mean these accounts did not opt in for this additional security step.
Click to expand...

mood · Oct 21, 2021

Google: YouTubers’ accounts hijacked with cookie-stealing malware
October 20, 2021
https://www.bleepingcomputer.com/ne...counts-hijacked-with-cookie-stealing-malware/

Google says YouTube creators have been targeted with password-stealing malware in phishing attacks coordinated by financially motivated threat actors.

Researchers with Google's Threat Analysis Group (TAG), who first spotted the campaign in late 2019, found that multiple hack-for-hire actors recruited via job ads on Russian-speaking forums were behind these attacks.
The threat actors used social engineering (via fake software landing pages and social media accounts) and phishing emails to infect YouTube creators with information-stealing malware, chosen based on each attacker's preference.
Click to expand...

Once delivered on the targets' systems, the malware was used to steal their credentials and browser cookies which allowed the attackers to hijack the victims' accounts in pass-the-cookie attacks.

"Most of the observed malware was capable of stealing both user passwords and cookies. Some of the samples employed several anti-sandboxing techniques including enlarged files, encrypted archive and download IP cloaking."
Click to expand...

Sold for up to $4,000 on underground markets
A significant number of YouTube channels hijacked in these attacks were later rebranded to impersonate high-profile tech executives or cryptocurrency exchange firms and used for live streaming cryptocurrency scams.

Others were sold on underground account-trading markets, where they're worth anything between $3 to $4,000, depending on their total number of subscribers.
Shen added that Google's Threat Analysis Group cut down phishing emails linked to these attacks on Gmail by 99.6% since May 2021.

"We blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts," Shen said.
Click to expand...

Google: Phishing campaign targets YouTube creators with cookie theft malware

Google’s Threat Analysis Group tracks actors involved in disinformation campaigns, government backed hacking, and financially motivated abuse. Since late 2019, our team has disrupted financially motivated phishing campaigns targeting YouTubers with Cookie Theft malware.

The actors behind this campaign, which we attribute to a group of hackers recruited in a Russian-speaking forum, lure their target with fake collaboration opportunities (typically a demo for anti-virus software, VPN, music players, photo editing or online games), hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams.
Click to expand...

Rasheed187 · Oct 23, 2021

mood said: ↑

Google: YouTubers’ accounts hijacked with cookie-stealing malware
October 20, 2021
https://www.bleepingcomputer.com/ne...counts-hijacked-with-cookie-stealing-malware/

Google: Phishing campaign targets YouTube creators with cookie theft malware
Click to expand...

The question is, what type of AV were all of these infected people using? And I would also like to know a bit more about how this cookie stealing malware operates, strangely enough not that many anti-malware tools are focused on this. Only HitmanPro.Alert recently added anti-cookie grabbing protection, but SpyShelter doesn't block access to browser cookies AFAIK. Apparently, this stuff can even bypass 2FA account protection, what the hell?

Log in or Sign up

Massive wave of account hijacks hits YouTube creators

mood Updates Team

Minimalist Registered Member

mood Updates Team

mood Updates Team

Rasheed187 Registered Member