Google on Wednesday reported it has tracked and disrupted an email phishing campaign tied to Russian-speaking hackers that has targeted YouTube users since 2019 as part of a cryptocurrency scam effort.
In a blog post published Wednesday, Google’s Threat Analysis Group (TAG) detailed how the hackers had used “cookie theft malware” to compromise the YouTube accounts in order to hijack the channels, sell them or use them for broadcasting cryptocurrency scams.
The hackers, who Google said were recruited from a Russian-speaking “hack-for-hire” forum, used emails proposing faked collaboration opportunities with the YouTube channels to send malware or phishing email links to the users.
More than 1,000 domains — some posing as COVID-19 news sites — were built for the purpose of this scam, along with fake social media pages. The malware used in the operation was capable of stealing user passwords and stealing cookies already in use by the YouTube user to gain control of the accounts.
Once hijacked, the accounts were either sold for up to $4,000 depending on the number of subscribers, or used to livestream cryptocurrency scam videos, with the channels rebranded to pose as a major tech or cryptocurrency company.
Google, which owns YouTube, stressed that YouTube had detected and recovered 99 percent of the hijacked channels, and that it was taking further steps to heighten security against this type of hacking campaign. The FBI had also been made aware of the hacking efforts.
“We are continuously improving our detection methods and investing in new tools and features that automatically identify and stop threats like this one,” the blog post read.
Google has taken steps to cut down on malicious phishing emails in recent months, blocking 1.6 million emails since May alone, and restoring around 4,000 accounts. The blog noted that due to heightened awareness of cybersecurity risks and users implementing multifactor authentication, hackers were turning to methods such as hijacking browser cookies to execute attacks.
The new warning of hijacked accounts came a week after Google’s TAG reported that an Iranian hacking group was hijacking accounts to conduct espionage potentially for the Iranian government, and as cybersecurity incidents continue to rise this year, including ransomware attacks against key U.S. organizations.