Since late 2019, Google has tracked and disrupted the scammers, described as “a group of hackers recruited in a Russian-speaking forum.” Combining cookie-stealing malware with social engineering, their operational model is neither very sophisticated nor radically innovative, but its popularity shows it has proven extremely effective.
The operators typically start by sending an email to the YouTube account holder, conveying interest in a collaboration. The “from” address is usually a falsified business email that impersonates a real company. The promotions could be anything from anti-virus software or VPNs to online games and editing apps.
Just like any other influencer deal, the email will then discuss a standard promotional arrangement. The YouTuber will be required to promote the product by showcasing the entire process of downloading it and opening it up for their viewers.
But when the creators click on the download link sent via email or shared through Google Drive, they are taken to a malware download site. According to Google, it has discovered at least 1,011 domains and 15,000 email accounts used for this purpose.
Many operators have impersonated market-leading companies such as Steam, Cisco, and Luminar. There were also a couple that took advantage of the pandemic situation and promoted “Covid19 news software.”
Once the unsuspecting victim downloads the software, it takes the browser cookies from the victim’s machine and sends them to the threat actor’s servers. The malware used for this is easily available on GitHub.
Some of the common ones include Vikro Stealer, Vidar, Raccoon, AdamantiumThief, Nexus Stealer, and Azorult.
“Most of the observed malware was capable of stealing both user passwords and cookies,” Google’s analysis reads.
When the “session cookies” are stolen, hackers can essentially pose as the victim: they do not need passwords or have to pass through other authentication steps. Once inside, the hackers immediately change the victim’s recovery email address and password. They then control the accounts and can lock the creators out. The cookies can also be used to steal funds from the victim’s financial accounts.
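The session-cookie impersonation described above points to two server-side mitigations: binding a session to the client context that created it, and requiring a fresh password check before the recovery email or password can be changed. The sketch below is an added example written for this page, not Google’s or YouTube’s code; the SessionStore class, its method names and the 300-second re-authentication window are all assumptions.

```python
"""Added example (not from the article): a minimal session store that
(1) binds a session cookie to the client context that created it and
(2) requires fresh re-authentication before the account-recovery settings
    that hijackers change first. All names and values are hypothetical."""
import secrets
import time

REAUTH_WINDOW = 300          # seconds a recent password check stays valid
PROTECTED_ACTIONS = {"change_recovery_email", "change_password"}


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user, ip, user_agent, now=None):
        """Password has just been verified: issue a cookie bound to this client."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user, "ip": ip, "ua": user_agent, "reauth_at": now,
        }
        return token

    def authorize(self, token, action, ip, user_agent, now=None):
        """Return (ok, reason) for a request presenting the cookie `token`."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return False, "unknown session"
        # A stolen cookie is replayed from the thief's machine, so a change
        # of client context is a cheap first signal; revoke and force login.
        if (ip, user_agent) != (s["ip"], s["ua"]):
            self._sessions.pop(token)
            return False, "client context changed; session revoked"
        # Recovery-email and password changes get step-up auth: the cookie
        # alone is not enough, a recent password check is required too.
        if action in PROTECTED_ACTIONS and now - s["reauth_at"] > REAUTH_WINDOW:
            return False, "reauthentication required"
        return True, "ok"

    def reauthenticate(self, token, now=None):
        """Called after the user re-enters their password."""
        now = time.time() if now is None else now
        if token in self._sessions:
            self._sessions[token]["reauth_at"] = now
```

Strict IP pinning is a coarse heuristic (mobile clients change addresses often), so production services usually combine softer signals such as device fingerprints and geolocation; the step-up check is the part that blocks the immediate recovery-email takeover regardless.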
The Record spotted an anomaly: several regular users were selling hundreds of accounts a day, indicating that they were not the original owners of the accounts. Prices for hijacked accounts on trading markets ranged from $3 to $4,000, depending on the number of subscribers.
Many channels were used by hackers to livestream crypto offers. The profile would be changed to imitate legitimate trading agencies or established corporations; many used “Space X” or “Elon Musk” variations. The scammers would give away crypto offers in exchange for an initial contribution, thereby maximizing the monetization of the hack through the victim’s audience.