Google’s Threat Analysis Group has shed light on the methods of the attackers who hijack YouTube channels and use them for cryptocurrency scams.
Cookie theft is still a common account hijacking technique adopted by criminal groups. Have been tracking & disrupting this group with multiple security teams since I joined Google. Happy to share our results and findings in this blog. https://t.co/V9kfSe00g9
— Ashley Shen (@ashl3y_shen) October 20, 2021
Around 4,000 YouTube channels hacked over the past months
In a blog article published last week, Ashley Shen, a member of Google’s Threat Analysis Group, describes how attackers take over YouTube channels and sell them on account-trading websites. According to her, hijacked channels change hands for up to 4,000 USD, depending on the number of subscribers.
Very often, the accounts are rebranded and used for cryptocurrency scams. In March 2021, Cryptocoin.News spoke with Kevin Luge, the owner of one of the largest meme-compilation channels on YouTube, who fell victim to a hijacking attack.
By his account, he received an email from someone claiming to represent the mobile game Raid Shadow Legends and offering a sponsorship deal, and was lured into opening a file attached to the mail. A few hours later, his YouTube channel H-Matter had been renamed and rebranded to resemble an official live-streaming channel of Cardano (ADA).
These seemingly official channels are in turn meant to lure viewers into sending cryptocurrency to the scammers’ address under the promise of a higher return. Shen’s report shows that this is a common occurrence: Google has restored around 4,000 hijacked accounts to their rightful owners.
Hackers shift to Social Engineering
The report also describes how account-stealing activity shifts in response to countermeasures. Because Gmail applies strict filters against spam and phishing mail, attackers are increasingly sending their lures from other email providers.
Furthermore, Shen reports that the phishing emails have become more personalized, targeting a specific YouTube channel instead of being sent in bulk; this method is known as spearphishing. Oftentimes the attackers impersonate an existing company and ask for a video advertisement collaboration.
Shen’s article also explains that Russian-speaking forums are used to recruit the people who social engineer YouTubers and steal their accounts.
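The impersonation pattern described above (a brand name in the display name, a freemail or unrelated sender domain, and an executable lure attached) can be checked mechanically before anyone opens an attachment. The following triage script is an added example written for this article; it is not code from the TAG report or from Google. Both messages it parses are constructed, every address and domain in them is made up, and KNOWN_BRAND_DOMAINS is a hypothetical list a channel owner would maintain of the domains their real partners mail from.

```python
"""Heuristic triage for a 'sponsorship offer' email (added example, constructed data)."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Business outreach from a freemail provider is not proof of fraud by itself,
# but combined with the other signals below it is a strong indicator.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com",
                    "protonmail.com", "mail.ru"}
# File types that are executable or routinely used to wrap an executable.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".msi",
                    ".iso", ".img", ".lnk", ".hta"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
# Hypothetical: brands the owner has dealt with, keyed by their real sending domain.
KNOWN_BRAND_DOMAINS = {"raid-publisher.example": "Raid Shadow Legends"}


def sender_parts(msg: EmailMessage):
    """Return (display_name, address, domain) from the From header."""
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr.lower(), domain


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and list the suspicious signals it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr, domain = sender_parts(msg)
    findings = []
    if domain in FREEMAIL_DOMAINS:
        findings.append(f"business offer sent from freemail domain {domain}")
    # A brand is named in the display name or subject, but the mail does not
    # come from that brand's domain or a subdomain of it.
    claimed = (name + " " + str(msg.get("Subject", ""))).lower()
    for brand_domain, brand in KNOWN_BRAND_DOMAINS.items():
        if (brand.lower() in claimed and domain != brand_domain
                and not domain.endswith("." + brand_domain)):
            findings.append(f"claims to be {brand} but sender domain is {domain}, "
                            f"not {brand_domain}")
    # A Reply-To that differs from From silently moves the conversation elsewhere.
    reply_to = email.utils.parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        # Only the final extension decides how the OS treats the file, so
        # "Brief.pdf.exe" is an executable regardless of the name before it.
        m = re.search(r"\.[a-z0-9]+$", fname.lower())
        ext = m.group(0) if m else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable attachment {fname}")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.append(f"archive attachment {fname} (inspect before opening)")
    return {"sender": addr, "findings": findings, "score": len(findings)}


# Constructed message modelled on the lure described in the article.
SUSPICIOUS_EMAIL = b"""From: "Raid Shadow Legends Partnerships" <rsl.partnerships@gmail.com>
Reply-To: rsl.deals@mail.ru
To: creator@example.com
Subject: Sponsorship offer for your channel - Raid Shadow Legends
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi! We love your channel and want to sponsor a video. Campaign details attached.

--b1
Content-Type: application/octet-stream; name="Campaign_Brief.pdf.exe"
Content-Disposition: attachment; filename="Campaign_Brief.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

# Constructed benign counterpart: same pitch, sent from the brand's own domain.
BENIGN_EMAIL = b"""From: "Partnerships" <partners@raid-publisher.example>
To: creator@example.com
Subject: Sponsorship offer - Raid Shadow Legends
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Hi! Campaign details attached.

--b2
Content-Type: application/pdf; name="Campaign_Brief.pdf"
Content-Disposition: attachment; filename="Campaign_Brief.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for raw in (SUSPICIOUS_EMAIL, BENIGN_EMAIL):
        print(triage(raw))
```

Running it on the constructed lure yields four findings (freemail sender, brand claim without the brand's domain, mismatched Reply-To, executable attachment) and none on the benign counterpart. The checks are heuristics: a sender who registers a look-alike domain or ships the payload as a password-protected archive will score lower, which is why the archive case is reported for inspection rather than cleared.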
With multi-factor authentication becoming more common, attackers have turned to hijacking sessions that are already logged in. In a “pass-the-cookie” attack, malware on the victim’s machine steals the session cookies stored by the browser and sends them to the attacker, who loads them into their own browser. Because the session was already authenticated when the cookie was issued, the attacker gets access without the password or the second factor, for as long as that session remains valid. The technique itself is not new; its resurgence is a side effect of MFA making password theft alone less useful.
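What makes a replayed cookie detectable on the server is that the cookie is genuine but the client presenting it is not the one that logged in. The session store below is an added example written for this article, not code from the TAG report or from Google: it binds each session to the client context recorded at login, demands re-authentication instead of silently trusting a valid cookie that arrives from a different network and browser, and bounds how long a stolen cookie stays useful. The login and requests in demo() are constructed, the IP addresses are documentation ranges, and the user-agent strings are made up.

```python
"""Server-side detection of a replayed session cookie (added example, constructed data)."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str
    user_agent: str
    created: float
    last_seen: float


def network_of(ip: str) -> str:
    """Coarse network key (/24 for IPv4). Mobile clients roam, so exact-IP
    matching would lock out legitimate users; a coarse key plus a step-up
    challenge (instead of a hard reject) keeps false positives survivable."""
    return ".".join(ip.split(".")[:3])


class SessionStore:
    def __init__(self, idle_timeout: float = 3600, max_lifetime: float = 86400):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self.alerts = []  # what a SOC would forward to its SIEM

    @staticmethod
    def _key(token: str) -> str:
        # Keep only a hash of the cookie value: a dump of the store must not
        # itself yield cookies that can be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, ip, user_agent, now):
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, ip, user_agent, now, now)
        return token

    def validate(self, token, ip, user_agent, now):
        """Return (verdict, detail); verdict is 'ok', 'step_up' or 'reject'."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return "reject", "unknown session"
        if now - sess.last_seen > self.idle_timeout or now - sess.created > self.max_lifetime:
            # Short lifetimes bound how long a stolen cookie is worth anything.
            del self._sessions[key]
            return "reject", "session expired"
        mismatches = []
        if user_agent != sess.user_agent:
            mismatches.append("user-agent")
        if network_of(ip) != network_of(sess.ip):
            mismatches.append("network")
        if mismatches:
            self.alerts.append({"user": sess.user, "time": now, "mismatch": mismatches,
                                "bound_to": (sess.ip, sess.user_agent),
                                "seen_from": (ip, user_agent)})
            # Genuine cookie, different client: the shape of a replayed stolen
            # cookie. Require a fresh MFA challenge before honouring it.
            return "step_up", "session context mismatch: " + ", ".join(mismatches)
        sess.last_seen = now
        return "ok", sess.user

    def rebind(self, token, ip, user_agent, now):
        """Called only after the user passes a fresh MFA challenge from the new client."""
        sess = self._sessions[self._key(token)]
        sess.ip, sess.user_agent, sess.last_seen = ip, user_agent, now

    def revoke(self, token):
        self._sessions.pop(self._key(token), None)


def demo():
    store = SessionStore()
    t0 = 1_700_000_000.0
    victim = ("198.51.100.23", "Mozilla/5.0 (Windows NT 10.0) Chrome/94.0")
    attacker = ("203.0.113.77", "Mozilla/5.0 (X11; Linux x86_64) Firefox/93.0")
    cookie = store.login("creator", *victim, now=t0)
    verdicts = [
        store.validate(cookie, *victim, now=t0 + 60)[0],     # owner keeps working normally
        store.validate(cookie, *attacker, now=t0 + 120)[0],  # stolen cookie replayed elsewhere
    ]
    # On a real alert the owner should revoke the session outright; afterwards
    # even the original client is rejected until it logs in again.
    store.revoke(cookie)
    verdicts.append(store.validate(cookie, *victim, now=t0 + 180)[0])
    return verdicts, store.alerts


if __name__ == "__main__":
    print(demo())
```

demo() returns the verdicts ok, step_up, reject for the three requests and one alert recording both contexts. Treat this as a heuristic layer, not a fix: stealer malware often exfiltrates the victim's user-agent alongside the cookies, and a proxy in the victim's region defeats the network check, so the durable mitigation is short session lifetimes, revocation of every session when an account is recovered, and binding the session token to a device-held key rather than to a bearer cookie.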
Up to 3 million leaked email addresses linked to CoinMarketCap
Most recently, the cryptocurrency price information website CoinMarketCap may have been hacked as well: a total of 3.1 million email addresses were leaked on hacker forums.
CoinMarketCap has confirmed that the email addresses correlate with its user base, but states that no passwords were leaked. Moreover, CoinMarketCap says it has no evidence of a breach of its own servers and speculates that the email addresses come from a third-party source.