Google: Phishing Campaign Targets YouTube Creators - Hexafusion Blog | Hexafusion
  • Contact Us At


  • E-Mail Us @

Hexafusion Blog

Google: Phishing Campaign Targets YouTube Creators

Google's Threat Analysis Group (TAG) today disclosed the details of a financially motivated phishing campaign that has targeted YouTube creators with "cookie theft" malware, and which it has been disrupting, since 2019.

Cookie theft, which TAG also describes as a "pass-the-cookie" attack, is a session hijacking tactic that gives an attacker access to user accounts with session cookies stored in the browser. It's a technique that has been around for years, TAG says. Its resurgence may be linked to wider adoption of multifactor authentication prompting criminals to focus on social engineering.

The attackers are attributed to a group of actors recruited in a Russian-speaking forum, TAG wrote in a blog post. They usually lure targets with an email about an advertising collaboration opportunity; for example, a demo for antivirus software, VPN, music players, photo editing, or online games. Many YouTube creators put their email address on their channel, TAG noted.

When the victim agrees to a deal, the attackers send a malware landing page disguised as a software download URL via email or a PDF on Google Drive. Researchers report the attackers registered various domains associated with fake companies and built multiple websites to deliver malware. They've identified at least 1,011 domains created for this purpose so far.

Once the fake software is run, it executes a cookie-stealing malware, takes browser cookies from the victim's machine, and uploads them to the attackers' command-and-control servers. Most of the malware could steal both user passwords and cookies, researchers noted. Some used anti-sandboxing techniques such as enlarged files, encrypted archive, and IP cloaking.

Some hijacked accounts were sold on account-trading markets, where they went for $3 to $4,000 USD depending on the subscriber count. Many were rebranded for cryptocurrency scam livestreaming, in which the channel name, profile picture, and content were replaced with cryptocurrency branding to spoof large tech or cryptocurrency exchange firms. Attackers livestreamed videos promising cryptocurrency giveaways in exchange for an initial contribution.

Read more details here.

Original author: Dark Reading Staff, Dark Reading
Execs From Now-Defunct GigaTrust Arrested in $50M ...
Removing Friction for the Enterprise With Trusted ...


No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Monday, 06 February 2023

Captcha Image

By accepting you will be accessing a service provided by a third-party external to

Customer Login

News & Updates

Hexafusion is proud to announce the launch of our new website at The goal of the new website is to make it easier for our existing clients to submit and manage support requests, and provide more information about our services for ...

Contact us

Learn more about what Hexafusion can do for your business.

250 - 997 Seymour Street
Vancouver, British Columbia V6B 3M1