This campaign involved hijacking YouTube accounts that were sold on underground marketplaces for prices ranging from $20 up to $10,000. The Google Threat Analysis group has attributed these attacks to a group of hackers recruited in a Russian speaking forum.
This news comes after Google’s support forums have been flooded for two years with complaints about accounts getting hijacked even with two-factor authentication enabled.
More than 4,000 accounts were hijacked in the campaign. Content creators on the site were tricked with offers for business collaborations, including sponsorship deals.
Sponsorships are common for YouTube creators and one of the primary ways they utilise the site as a source of income. Companies come to them and offer to pay for YouTubers to review, promote or simply reference their products or services in their videos to their followers.
Common sponsorship products include antivirus software, VPN, music players, photo editors, beauty and healthcare products, online games and PC optimizers.
The hackers in this instance lured in victims with sponsorship deals, asking account owners to install and test various applications and then publish a review.
They used products similar to those listed above but hid malware in the apps they are connected to. Some impersonated legitimate software sites, such as Luminar, Cisco VPN, games on Steam, and some were generated using fake online templates.
Once the YouTube creators installed the demo app, the installer dropped malware on their devices which extracted login credentials and authentication from their browsers, sending the stolen data to a remote server.
This then bypassed the need to enter a two-factor authentication token, as the hackers then used the authentication cookies stored on the hacked users device. They then moved to change the account’s recovery email and phone numbers, in addition to all passwords.
Having locked the victims out of their accounts, the hackers then sold these accounts on underground marketplaces for stolen identities. Many of these hacked accounts were sold on the site Trade Groups, which operates an Amazon-like service where users can pay for stolen social media accounts.
Google says it has identified more than 15,000 email accounts that have been used by this group to reach out and communicate with victims, in addition to 1,011 websites that host malware-infected apps.
While some accounts were rebranded by the hijackers permanently, turned into vehicles to promote various scams, often surrounding cryptocurrency, most accounts found their way back to their proper owners.
Google said that it has learned from this campaign and has now improved Gmail’s security defences, lessons it has integrated into its browser’s Safe Browsing system as well.
But these changes alone won’t solve the threat posed by hackers, especially as they are reportedly moving away from email to third-party instant messaging apps, where companies like Google can’t scan, block, or alert victims of any suspicious links.
Scammers continue to evolve and develop their tactics to keep up to date, meaning maintaining layers of security is more important now than ever. While multi-factor authentication was got around in this instance, in the vast vast majority of cases it provides a significant boost to your security.
As learning and recovering from breaches takes considerable time, it's critical we also keep up to date, with new ways we can keep our devices and accounts more secure.