Since at least 2019, hackers have been hijacking high-profile YouTube channels. Sometimes they broadcast cryptocurrency scams, sometimes they simply auction off access to the account. Now, Google has detailed the technique that hackers-for-hire used to compromise thousands of YouTube creators in just the past couple of years.
Cryptocurrency scams and account takeovers themselves aren’t a rarity; look no further than last fall’s Twitter hack for an example of that chaos at scale. But the sustained assault against YouTube accounts stands out both for its breadth and for the methods the hackers used, and an old maneuver that’s nonetheless incredibly tricky to defend against.
It all starts with a phish. Attackers send YouTube creators an email that appears to be from a real service—like a VPN, photo editing app, or antivirus offering—and offer to collaborate. They propose a standard promotional arrangement: Show our product to your viewers and we’ll pay you a fee. It’s the kind of transaction that happens every day for YouTube’s luminaries, a bustling industry of influencer payouts.
Clicking the link to download the product, though, takes the creator to a malware landing site instead of the real deal. In some cases the hackers impersonated known quantities like Cisco VPN and Steam games, or pretended to be media outlets focused on COVID-19. Google says it has found over 1,000 domains to date that were purpose-built for infecting unwitting YouTubers. And that only hints at the scale. The company also found 15,000 email accounts associated with the attackers behind the scheme. The attacks don’t appear to have been the work of a single entity; rather, Google says, various hackers advertised account takeover services on Russian-language forums.
Once a YouTuber inadvertently downloads the malicious software, it grabs specific cookies from their browser. These “session cookies” confirm that the user has successfully logged in to their account. A hacker can upload those stolen cookies to a malicious server, letting them pose as the already authenticated victim. Session cookies are especially valuable to attackers because they eliminate the need to go through any part of the login process. Who needs credentials to sneak into the Death Star detention center when you can just borrow a stormtrooper’s armor?
“Additional security mechanisms like two-factor authentication can present considerable obstacles to attackers,” says Jason Polakis, a computer scientist at the University of Illinois, Chicago, who studies cookie theft techniques. “That renders browser cookies an extremely valuable resource for them, as they can avoid the additional security checks and defenses that are triggered during the login process.”
Such “pass-the-cookie” techniques have been around for more than a decade, but they’re still effective. In these campaigns, Google says it observed hackers using about a dozen different off-the-shelf and open source malware tools to steal browser cookies from victims’ devices. Many of these hacking tools could also steal passwords.
“Account hijacking attacks remain a rampant threat, because attackers can leverage compromised accounts in a plethora of ways,” Polakis says. “Attackers can use compromised email accounts to propagate scams and phishing campaigns or can even use stolen session cookies to drain the funds from a victim’s financial accounts.”
Google wouldn’t confirm which specific incidents were tied to the cookie-theft spree. But a notable surge in takeovers occurred in August 2020, when hackers hijacked multiple accounts with hundreds of thousands of followers and changed the channel names to variations on “Elon Musk” or “Space X,” then livestreamed bitcoin giveaway scams. It’s unclear how much revenue any of them generated, but presumably these attacks have been at least moderately successful given how pervasive they became.
This type of YouTube account takeover ramped up in 2019 and 2020, and Google says it convened a number of its security teams to address the issue. Since May 2021 the company says it has caught 99.6 percent of these phishing emails on Gmail, with 1.6 million messages and 2,400 malicious files blocked, 62,000 phishing page warnings displayed, and 4,000 successful account restorations. Now Google researchers have observed attackers transitioning to targeting creators who use email providers other than Gmail—like aol.com, email.cz, seznam.cz, and post.cz—as a way of avoiding Google’s phishing detection. Attackers have also started trying to redirect their targets over to WhatsApp, Telegram, Discord, or other messaging apps to keep out of sight.
“A large number of hijacked channels were rebranded for cryptocurrency scam live-streaming,” Google TAG explains in a blog post. “The channel name, profile picture and content were all replaced with cryptocurrency branding to impersonate large tech or cryptocurrency exchange firms. The attacker live-streamed videos promising cryptocurrency giveaways in exchange for an initial contribution.”
Though two-factor authentication can’t stop these malware-based cookie thefts, it’s an important protection for other types of scams and phishing. Beginning on November 1, Google will require YouTube creators who monetize their channels to turn on two-factor for the Google account associated with their YouTube Studio or YouTube Studio Content Manager. It’s also important to heed Google’s “Safe Browsing” warnings about potentially malicious pages. And as always, be careful what you click and which attachments you download from your email.
The advice for YouTube viewers is even simpler: If your favorite channel is pushing a cryptocurrency deal that seems too good to be true, give it some Dramatic Chipmunk side eye and move on.
This story originally appeared on wired.com.