Google has reported that it disrupted a phishing campaign in which threat actors tried to hijack YouTube accounts using cookie-theft malware. The hijackers intended to use those accounts to promote cryptocurrency scams.
The campaign, which started in 2019, saw hackers recruit their targets on a Russian-speaking platform. They targeted unsuspecting people with phishing emails that promised phoney collaboration opportunities.
According to Google, the scammers obtained email addresses from YouTube channels: the business contact addresses that channel owners post on their accounts.
The scammers would first work to gain the trust of their targets and then send them a URL, either by email or in a PDF hosted on Google Drive. They assured their victims that the URL pointed to legitimate software; clicking the link instead redirected the victim to a malware landing page.
This automatically executed the malware, which proceeded to steal the victim’s browser cookies and passwords in the infamous smash-and-grab fashion: the stealer runs once, grabs what it can and exits.
The stolen cookies were then used to hijack the victim’s authenticated sessions and take over their YouTube accounts. A hijacked account was either repurposed for further cryptocurrency scams or sold on the dark web, where the price depends on its subscriber count. Such accounts sell for anywhere from $3 to $4,000.
Malware used in these attacks includes Vidar, Vikro Stealer, Raccoon, RedLine, Predator The Thief, Nexus Stealer, Masad, Kantal, Grand Stealer and Azorult. Open-source tools include AdamantiumThief and Sorano. The most commonly observed malware stole both cookies and passwords. Some samples used anti-sandboxing techniques, including download IP cloaking, encrypted files and enlarged files. A few also displayed fake error messages that required the user to click through, after which execution continued.
To support the scheme, the scammers registered about 15,000 domains and accounts associated with fake companies. More than a thousand websites were used to spread the malware.
In response to this malicious activity, Google stated that it has so far blocked about 1.6 million messages the scammers sent to other potential victims. The search giant also posted about 62,000 Safe Browsing alerts for the pages used for phishing, blocked about 2,400 files and restored about 4,000 affected accounts.
“Enhanced detection efforts enabled us to observe as the attackers shifted from Gmail to other email providers. Based on our observation, the scammers mostly moved to aol.com, post.cz, seznam.cz and email.cz. Furthermore, in an effort to protect our users, the activity was reported to the FBI for investigation.”
Improvements Google made to protect users from future attacks include heuristic rules that detect and block phishing and social-engineering emails, crypto-scam live streams and cookie theft; Safe Browsing detection and blocking of malware downloads and landing pages; hardened YouTube channel-transfer workflows; and hardened Account Security authentication workflows that notify users of, and block, potentially sensitive actions.
Users have also been asked to take Safe Browsing alerts and antivirus malware detections seriously. Users should run a virus scan before executing any software, to verify the legitimacy of the file. Users are also advised to enable ‘Enhanced Safe Browsing Protection’ in their Chrome browser; this feature increases warnings about potentially suspicious web pages and files.
Lastly, users should be wary of encrypted archives, which often bypass antivirus scans and add to the risk of opening malicious files. Users should also activate multi-factor (2-step verification) protection on their accounts. This provides an added security layer in the event that the account password is exposed.
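The article notes that encrypted archives slip past antivirus scans and that some samples were enlarged to evade sandboxes. The following added example, which is not from the article or from Google, shows how a mail gateway or download scanner could flag both: it reads the ZIP central directory and reports members whose general-purpose flag bit 0 (encryption) is set, and members that are very large yet compress almost to nothing, which is the signature of zero-padding. The size and ratio thresholds, the function names and the constructed sample archives are all assumptions made for illustration.

```python
"""Added example (not from the original article): flag ZIP attachments that are
encrypted or that contain suspiciously padded (enlarged) members.

Assumptions: the padding thresholds below are illustrative, not figures from
the article, and the sample archives are constructed in memory for the demo.
"""
import io
import struct
import zipfile

PADDING_MIN_UNCOMPRESSED = 8 * 1024 * 1024  # assumption: members >= 8 MiB ...
PADDING_MAX_RATIO = 0.01                    # ... that compress below 1% are "padded"


def inspect_zip(data: bytes) -> dict:
    """Return findings for an in-memory ZIP without extracting anything.

    Only the central directory is parsed, so a password-protected archive can be
    inspected without the password and without ever decompressing a member.
    """
    findings = {"members": 0, "encrypted": [], "padded": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings["members"] += 1
            # bit 0 of the general-purpose flag marks an encrypted member
            if info.flag_bits & 0x1:
                findings["encrypted"].append(info.filename)
            # huge member that deflates to almost nothing: typical of zero-padding
            ratio = info.compress_size / max(info.file_size, 1)
            if info.file_size >= PADDING_MIN_UNCOMPRESSED and ratio < PADDING_MAX_RATIO:
                findings["padded"].append(info.filename)
    return findings


def is_suspicious(data: bytes) -> bool:
    """Gateway policy: quarantine if any member is encrypted or padded."""
    f = inspect_zip(data)
    return bool(f["encrypted"] or f["padded"])


def _build_zip(name: str, payload: bytes) -> bytes:
    """Constructed helper: make a single-member deflated ZIP in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def _mark_encrypted(data: bytes) -> bytes:
    """Constructed helper: set the encryption flag bit in the local file header
    and in the central directory entry of a single-member ZIP. The member data
    is not really encrypted, only flagged, which is all the check looks at."""
    buf = bytearray(data)
    # local file header: signature(4) version(2) flags(2) -> flags at offset 6
    buf[6] |= 0x1
    # end-of-central-directory record holds the central directory offset at +16
    eocd = buf.rfind(b"PK\x05\x06")
    cd = struct.unpack_from("<I", buf, eocd + 16)[0]
    # central directory header: signature(4) made-by(2) needed(2) flags(2) -> offset 8
    buf[cd + 8] |= 0x1
    return bytes(buf)


# constructed samples (not real malware): a benign file, a "password-protected"
# archive and a binary padded with 10 MiB of zeros
SAMPLE_CLEAN = _build_zip("invoice.pdf", b"%PDF-1.4 harmless sample")
SAMPLE_ENCRYPTED = _mark_encrypted(_build_zip("setup.exe", b"MZ sample"))
SAMPLE_PADDED = _build_zip("setup.exe", b"MZ" + b"\x00" * (10 * 1024 * 1024))

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("encrypted", SAMPLE_ENCRYPTED),
                          ("padded", SAMPLE_PADDED)):
        print(label, inspect_zip(sample), "suspicious" if is_suspicious(sample) else "ok")
```

The check deliberately never calls `ZipFile.read()`, so it cannot be tricked into decompressing a decompression bomb while deciding whether to quarantine; a real gateway would pair it with the usual block on executables inside archives.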
Source: HackerCombat