This Wednesday (20), Google reported that YouTube creators are being targeted by cyberattacks that aim to steal their accounts through phishing scams run by hired criminals.

According to researchers from the Google Threat Analysis Group (TAG), who found the first occurrences of this scam at the end of 99, those responsible are recruited through job postings on forums where users communicate in Russian, with promises of a base payment plus a share of the profits made from videos on the stolen channel.

Criminals used social engineering tactics, sent via email, which directed victims to fake websites that simulated social networks or large platforms such as Steam or Cisco in phishing attempts. When these pages were accessed, they would infect computers with information-stealing malware used in credential theft and pass-the-cookie attacks, where the attacker captures users' internet cookies and uses them to access content on another device.
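A server-side check for the pass-the-cookie pattern described above, as an added example that is not from the original article or from Google: it flags a session cookie that shows up from a client other than the one that first used it. The `Request` fields, the /24-plus-User-Agent client key and the sample log are assumptions made for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    ts: int            # Unix time of the request
    session_hash: str  # hash of the session cookie (never log the raw value)
    ip: str            # IPv4 source address
    user_agent: str

def client_key(req):
    """Coarse client identity: /24 network plus User-Agent string."""
    network = ".".join(req.ip.split(".")[:3])
    return (network, req.user_agent)

def find_cookie_reuse(requests):
    """Flag sessions whose cookie appears from a client other than the first one."""
    bound = {}        # session_hash -> client_key seen at first use
    reported = set()  # (session_hash, client_key) pairs already alerted on
    alerts = []
    for req in sorted(requests, key=lambda r: r.ts):
        key = client_key(req)
        owner = bound.setdefault(req.session_hash, key)
        if key != owner and (req.session_hash, key) not in reported:
            reported.add((req.session_hash, key))
            alerts.append({"session": req.session_hash, "ts": req.ts,
                           "ip": req.ip, "user_agent": req.user_agent})
    return alerts

# Constructed sample log (documentation-range IPs, made-up session hashes).
SAMPLE_LOG = [
    Request(1000, "a1f3", "192.0.2.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/94"),
    Request(1060, "a1f3", "192.0.2.44", "Mozilla/5.0 (Windows NT 10.0) Chrome/94"),
    Request(1100, "9c2e", "198.51.100.5", "Mozilla/5.0 (Macintosh) Safari/15"),
    Request(1500, "a1f3", "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/93"),
    Request(1510, "a1f3", "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/93"),
]

if __name__ == "__main__":
    for alert in find_cookie_reuse(SAMPLE_LOG):
        print("possible pass-the-cookie:", alert)
```

On an alert, the usual response is to invalidate the session and require the user to sign in again.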

Example of message trying to trick users into falling for the scam. (Image: Reproduction/Google)

Cookies are small files created by websites and saved on the user's computer by the browser. These files contain information that allows the page to identify the visitor. Their theft and use on other machines can give criminals a lot of information about the victim.

The following malware was identified in the attacks, according to the TAG:

RedLine

Life



Predator The Thief

Nexus stealer

Azorult

Raccoon

Grand Stealer

Vikro Stealer

Masad

Kanta Danger

Google has identified in total more than a thousand internet domains with connections to these attacks, and at least thousand YouTube accounts created specifically to be used in this scam, containing links that send those who access them to pages where malware is installed.

Channels that were compromised in this campaign were renamed to appear to be pages connected with top tech executives or cryptocurrency brokers (exchanges), and were used to propagate scams involving the crypto-asset market. The Threat Analysis Group also claims that some hacked accounts were sold in credential trading markets, with prices ranging from US$3 (about R$ , at the current price) up to US$4,000 (approximately R$ 50 thousand), depending on the number of subscribers.

According to Ashley Shen, a security engineer at TAG, although social engineering scams have been around for decades, they are growing in 2021 because of the wider adoption of multi-factor authentication by users of online services, which makes credential theft more difficult and requires more effort to gain access to an account.

Shen concludes by stating that the TAG has managed to block 22.6% of the emails used in these scams since May 2021.

Source: BleepingComputer