Since 2019, YouTubers from all around the world have been targeted by phishing scams that made them lose control of their social media accounts. The hijacked accounts were then sold online for very small sums.
Google's Threat Analysis Group (TAG) published a report on the issue on October 20, 2021, finally attributing these hacks to a Russian-speaking group recruited on Russian-language forums. That is not to say that everyone in the group was Russian, since the forum was not geotagged.
The hackers usually targeted smaller YouTubers with below 100,000 followers so as not to draw too much attention to themselves. They approached the target posing as a sponsor of their videos; the supposed sponsors ranged from VPN providers and music gear to photo editors and much more.
To take up the sponsorship, the sponsee usually has to download the app on their phone and show their experience with it to their viewers. In this case, the apps the YouTubers were asked to download were laced with malware.
The malware used by the hackers includes RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad, and Kantal, all sold on underground hacking forums. Open-source malware available on GitHub, such as AdamantiumThief and Sorano, was also used in some attacks.
The malware then collected login credentials and authentication cookies from the browser. The cookies were used to access the YouTube account, and soon afterwards all login ids and passwords were changed to lock the target out of their own account.
Because a stolen session cookie is presented after the login (and any second factor) has already been completed, even two-factor authentication is bypassed this way, which is extremely dangerous. For two years, users have voiced their frustration over this and demanded more secure options.
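The pass-the-cookie takeover described above works because a session cookie is accepted regardless of who presents it. The following server-side sketch, an added example and not Google's or YouTube's code, shows one mitigation a service can apply: bind each session to a coarse client fingerprint at login, force step-up authentication when the cookie shows up from a different client, and require a recent strong authentication before credentials can be changed. The fingerprint scheme, the 15-minute re-auth window and the sample IP/user-agent values are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    fingerprint: str        # client context hash captured when the session was issued
    last_strong_auth: float # time the user last passed password + second factor
    flagged: bool = False   # set once the cookie was replayed from an unexpected client


def client_fingerprint(ip: str, user_agent: str) -> str:
    # Coarse binding (constructed): the /24 of the IPv4 address plus the user agent.
    # Coarse enough to survive normal roaming, but a stealer replaying the cookie
    # from its operator's machine will almost always mismatch.
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self, reauth_window: float = 900.0):
        self.sessions: dict[str, Session] = {}
        self.reauth_window = reauth_window  # seconds a strong auth stays "fresh"

    def login(self, user: str, ip: str, ua: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, client_fingerprint(ip, ua), now)
        return token

    def check(self, token: str, ip: str, ua: str) -> str:
        s = self.sessions.get(token)
        if s is None:
            return "invalid"
        if s.flagged or not hmac.compare_digest(s.fingerprint, client_fingerprint(ip, ua)):
            s.flagged = True  # stays flagged until the real user re-authenticates
            return "step_up_required"
        return "ok"

    def step_up(self, token: str, ip: str, ua: str, now: float) -> None:
        # Called after the user passes password + second factor again; rebind the session.
        s = self.sessions[token]
        s.fingerprint, s.last_strong_auth, s.flagged = client_fingerprint(ip, ua), now, False

    def change_credentials(self, token: str, ip: str, ua: str, now: float) -> str:
        status = self.check(token, ip, ua)
        if status != "ok":
            return status
        if now - self.sessions[token].last_strong_auth > self.reauth_window:
            return "step_up_required"  # a cookie alone never unlocks the password/e-mail change
        return "ok"
```

With this check in place, a stolen cookie still reads the account but cannot complete the lock-out step the article describes without the attacker also passing the second factor.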
The infrastructure discovered to be carrying out these scams comprised 15,000 fake email accounts and over 1,000 websites that hosted the malware. Google also found that over 4,000 people have lost their accounts to this group over the last two years.
The accounts were not used for any grander purpose than to be sold off online for very little money. Some YouTubers even spotted their own accounts being offered for sale on websites.
Some of the accounts were used to peddle cryptocurrency schemes that looked very suspicious to begin with. Several handles sought to impersonate Elon Musk and Bill Gates, among others, to push the fake schemes.
Even though accounts have been returned to their owners, Google has not been able to do the same for all of them. However, having learnt all it could from these attacks, Google has updated some of its defensive systems and added Safe Browsing protections to its software as well.