Since at least 2019, hackers have been hijacking high-profile YouTube channels. Sometimes they broadcast cryptocurrency scams, sometimes they simply auction off access to the account. Now, Google has detailed the technique that hackers-for-hire used to compromise thousands of YouTube creators in just the past couple of years.
Cryptocurrency scams and account takeovers themselves aren’t a rarity; look no further than last fall’s Twitter hack for an example of that chaos at scale. But the sustained assault against YouTube accounts stands out both for its breadth and for the methods hackers used, an old maneuver that’s nonetheless incredibly tricky to defend against.
It all starts with a phish. Attackers send YouTube creators an email that appears to be from a real service—like a VPN, photo editing app, or antivirus offering—and offer to collaborate. They propose a standard promotional arrangement: Show our product to your viewers and we’ll pay you a fee. It’s the kind of transaction that happens every day for YouTube’s luminaries, a bustling industry of influencer payouts.
Clicking the link to download the product, though, takes the creator to a malware landing site instead of the real deal. In some cases the hackers impersonated known quantities like Cisco VPN and Steam games, or pretended to be media outlets focused on Covid-19. Google says it’s found over 1,000 domains to date that were purpose-built for infecting unwitting YouTubers. And that only hints at the scale. The company also found 15,000 email accounts associated with the attackers behind the scheme. The attacks don’t appear to have been the work of a single entity; rather, Google says, various hackers advertised account takeover services on Russian-language forums.
Once a YouTuber inadvertently downloads the malicious software, it grabs specific cookies from their browser. These “session cookies” confirm that the user has successfully logged into their account. A hacker can upload those stolen cookies to a malicious server, letting them pose as the already authenticated victim. Session cookies are especially valuable to attackers because they eliminate the need to go through any part of the login process. Who needs credentials to sneak into the Death Star detention center when you can just borrow a stormtrooper’s armor?
“Additional security mechanisms like two-factor authentication can present considerable obstacles to attackers,” says Jason Polakis, a computer scientist at the University of Illinois, Chicago, who studies cookie theft techniques. “That renders browser cookies an extremely valuable resource for them, as they can avoid the additional security checks and defenses that are triggered during the login process.”
Such “pass-the-cookie” techniques have been around for more than a decade, but they’re still effective. In these campaigns, Google says it observed hackers using about a dozen different off-the-shelf and open source malware tools to steal browser cookies from victims’ devices. Many of these hacking tools could also steal passwords.
“Account hijacking attacks remain a rampant threat, because attackers can leverage compromised accounts in a plethora of ways,” Polakis says. “Attackers can use compromised email accounts to propagate scams and phishing campaigns, or can even use stolen session cookies to drain the funds from a victim’s financial accounts.”