YouTubers are the biggest victims of cookie theft malware. The attackers lure potential targets with fake collaboration opportunities and eventually hijack the target's channel. They then sell the channel to the highest bidder or use it for cryptocurrency scams.
Google collaborated with Gmail, CyberCrime Investigation group, Trust and Safety, and Safe Browsing teams to decrease phishing emails on Gmail by 99% in May 2021. With this increased protection, the attackers shifted from Gmail to other email service providers. Cookie theft is a technique that gives an attacker access to the user's account by using the session cookies stored in the browser.
Many YouTube creators list email addresses on their channels for future business opportunities. Attackers take the email address from the target channel and send a forged business email in the name of an existing company, requesting a video collaboration from the channel owner. They then introduce fake products or services of that company to the target. When the target agrees to a collaboration, a link to a malware page, disguised as software, is sent to the target via email or in a PDF on Google Drive.
The attackers create fake domains in the name of existing companies and build multiple websites for their malware. One thousand one hundred fake domains created solely for this purpose have been identified. Many of these completely impersonate software sites such as Cisco VPN, games on Steam, Luminar, and others. Attackers tend to use Google, Telegram, WhatsApp, or even Discord.
When the target runs the software, the malware executes and steals cookies from the victim's browser. It then uploads the stolen cookies to the attackers' command-and-control servers. The malicious file is difficult to detect when the target executes it, as the user receives no security notification of any kind that a compromise is happening. Some of the most used malware families are Vidar, RedLine, Raccoon, Grand Stealer, Masad, and Kantal. This malware is capable of stealing both the user's passwords and cookies from the browser.
For these reasons, YouTube made its channel transfer protocols more stringent. It can auto-recover about 99% of hijacked channels. Service providers can now notify users proactively when a potentially sensitive action from a third party is discovered.
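One way a service can act on a replayed session cookie, shown as an added example that is not from the original article and is not YouTube's implementation: the cookie is bound to the client context seen at login, and a sensitive action from an unrecognized context forces re-authentication and records a user notification. The class names, action names and context values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical action names; the article itself only mentions channel transfer.
SENSITIVE_ACTIONS = {"transfer_channel", "change_password", "change_recovery_email"}

@dataclass(frozen=True)
class ClientContext:
    user_agent: str
    network: str  # coarse network identifier, e.g. an ASN (constructed values)

@dataclass
class Session:
    user: str
    issued_to: ClientContext
    notifications: list = field(default_factory=list)

class SessionMonitor:
    """Binds each session cookie to the client context seen at login."""

    def __init__(self):
        self._sessions = {}

    def login(self, cookie, user, ctx):
        self._sessions[cookie] = Session(user, ctx)

    def notifications(self, cookie):
        return list(self._sessions[cookie].notifications)

    def authorize(self, cookie, ctx, action):
        """Return 'allow', 'reauth' or 'deny' for a request carrying `cookie`."""
        session = self._sessions.get(cookie)
        if session is None:
            return "deny"
        changed = [name for name in ("user_agent", "network")
                   if getattr(ctx, name) != getattr(session.issued_to, name)]
        if not changed:
            return "allow"
        # A roaming user changes network only; a cookie replayed from another
        # machine may differ in both fields, which is treated as suspicious.
        if action in SENSITIVE_ACTIONS or len(changed) == 2:
            session.notifications.append(
                f"{action} attempted from unrecognized client ({', '.join(changed)} changed)")
            return "reauth"
        return "allow"
```

Because the malware described above also steals saved passwords, the re-authentication step should require a second factor, not the password alone.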