Hackers are using stolen cookies to hijack YouTube accounts for profit

Earlier this week, Google’s Threat Analysis Group (TAG) revealed that it has been disrupting a cookie theft campaign targeting YouTube creators since late 2019. The campaign is financially motivated: it baits YouTubers with fake collaboration offers and then hijacks their channels.

The accounts are taken over with a decades-old technique known as a “pass-the-cookie” attack. Targeted YouTubers receive phishing emails disguised as collaboration offers. If the channel owner takes the bait, they are sent a disguised download link that actually delivers cookie-stealing malware.

According to TAG, once the malware runs on the victim’s computer it steals the session cookies from the victim’s web browser and uploads them to the threat actors’ command-and-control servers. The attacker then loads those cookies into their own browser and is logged in as the victim, with no need for the password or a second factor. Although the malware could be made to persist on the machine, TAG states that “these actors are running all malware in non-persistent mode as a smash-and-grab technique.” The reasoning is that if the malware is not detected while it executes, running without persistence leaves little evidence behind, so security software has nothing to find afterwards and the victim is never warned that their session was stolen.

Many of the hijacked channels were wiped and rebranded as cryptocurrency channels, live-streaming and uploading crypto scams that impersonated tech companies and crypto exchanges. A large number were also sold on account-trading markets, with some highly subscribed channels fetching up to $4,000.

Cookie Theft Malware 

TAG observed that most of the cookie-stealing malware used by these actors was readily available for free on GitHub. The tooling varied widely, with actors using a mix of free, paid and open-source stealers. According to TAG, “Most of the observed malware was capable of stealing both user passwords and cookies.”

Resurgence of Cookie Theft 

Cookie theft is an old tactic: the threat actor copies session cookies directly out of the victim’s browser and replays them to access the account without ever entering credentials. Pass-the-cookie attacks seemingly fell out of fashion for a while as improvements in browser and web application security made it harder to steal cookies through exploits and abuse.

Cookie theft attacks such as this one have been seeing a resurgence recently as security elsewhere on the web has improved. As TAG notes, the resurgence could be due in part to the mass adoption of multi-factor authentication: a stolen cookie represents an already-authenticated session, so replaying it sidesteps the second factor entirely, which password theft alone no longer does.
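The following is an added example, written for this article and not code from Google TAG or from any of the stealers it describes, that simulates the pass-the-cookie flow described above and in the malware section: a toy session server that requires a password plus a TOTP code at login, a browser-like client that stores the session cookie, an "attacker" that replays a copy of that cookie with no credentials at all, and the one response that actually helps, revoking every session. The usernames, password, TOTP secret and endpoint names are constructed for the demo.

```python
"""Pass-the-cookie session hijack, simulated in-process (added example, constructed data)."""
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Constructed demo account: a password plus a TOTP secret as the second factor.
USERS = {"creator": {"password": "correct horse battery", "totp_secret": b"demo-totp-secret"}}


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code the victim must type at login."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class SessionServer:
    """Password + TOTP at login, then a bearer session cookie that is not bound to the client."""

    def __init__(self):
        self.sessions = {}  # session id -> username

    def handle(self, method, path, headers, form=None):
        form = form or {}
        if (method, path) == ("POST", "/login"):
            user = USERS.get(form.get("user"))
            if not user or not hmac.compare_digest(user["password"], form.get("password", "")):
                return 401, {}, "bad credentials"
            if not hmac.compare_digest(totp(user["totp_secret"]), form.get("otp", "")):
                return 401, {}, "second factor required"
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = form["user"]
            cookie = SimpleCookie()
            cookie["SID"] = sid
            # HttpOnly/Secure/SameSite block scripts and cross-site requests; they do nothing
            # against a process running as the user that reads the cookie store from disk.
            cookie["SID"]["httponly"] = True
            cookie["SID"]["secure"] = True
            cookie["SID"]["samesite"] = "Lax"
            return 200, {"Set-Cookie": cookie["SID"].OutputString()}, "logged in"

        user = self.sessions.get(self._sid(headers))
        if user is None:
            return 401, {}, "login required"
        if (method, path) == ("GET", "/account"):
            return 200, {}, f"channel settings for {user}"
        if (method, path) == ("POST", "/logout-everywhere"):
            # Once a cookie has left the machine, revoking all of the user's sessions is the fix.
            for sid in [s for s, u in self.sessions.items() if u == user]:
                del self.sessions[sid]
            return 200, {}, "all sessions revoked"
        return 404, {}, "not found"

    @staticmethod
    def _sid(headers):
        jar = SimpleCookie(headers.get("Cookie", ""))
        return jar["SID"].value if "SID" in jar else None


class Browser:
    """Minimal client: keeps Set-Cookie values in a jar and replays them as a Cookie header."""

    def __init__(self, jar=None):
        self.jar = dict(jar or {})

    def request(self, server, method, path, form=None):
        headers = {}
        if self.jar:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.jar.items())
        status, resp_headers, body = server.handle(method, path, headers, form)
        if "Set-Cookie" in resp_headers:
            parsed = SimpleCookie(resp_headers["Set-Cookie"])
            self.jar.update({k: m.value for k, m in parsed.items()})
        return status, body


def run_demo():
    """Victim logs in with password + OTP; attacker replays the stolen cookie; victim revokes."""
    server = SessionServer()
    victim = Browser()
    login, _ = victim.request(server, "POST", "/login",
                              {"user": "creator", "password": "correct horse battery",
                               "otp": totp(USERS["creator"]["totp_secret"])})
    # Malware running as the victim copies the browser's cookie jar; that is the whole attack.
    attacker = Browser(dict(victim.jar))
    no_cookie, _ = Browser().request(server, "GET", "/account")
    replayed, _ = attacker.request(server, "GET", "/account")  # no password, no OTP needed
    victim.request(server, "POST", "/logout-everywhere")
    after_revoke, _ = attacker.request(server, "GET", "/account")
    return {"victim_login": login, "no_cookie": no_cookie,
            "stolen_cookie_replay": replayed, "after_revocation": after_revoke}


if __name__ == "__main__":
    print(run_demo())
```

The point the run makes is that the replay returns 200 even though the attacker never saw the password or the TOTP secret, and that changing the password alone would not help here because the server never re-checks credentials for an existing session id; only revoking the sessions turns the stolen cookie into a 401.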

Hack-for-Hire 

The hackers were mainly recruited on a Russian-speaking hack-for-hire forum that offered work in exchange for a cut of the stolen channel’s revenue. TAG provided examples of the two kinds of job offered on the forum.

The forum would pay 25% of the channel’s revenue for registering a Gmail account and tricking the target into downloading the cookie theft malware. It would pay 70% of the stolen channel’s revenue if the hacker-for-hire also sourced a contact email for the target account and prepared personalised phishing emails for the target.
