Hackers Are Phishing YouTube Creators to Steal Their Accounts, Google Warns

Hackers are hijacking the accounts to promote cryptocurrency scams.

By Michael Kan
October 20, 2021

A group of hackers has been using fake advertising deals sent via email to trick YouTube creators into installing malware onto their computers, according to Google. 

The goal is to steal account access for popular YouTube channels and then promote cryptocurrency scams on them, Google security researchers wrote in a report on Wednesday. 

The attack exploits how YouTube creators often place a contact email address in their channel to solicit advertising deals. The hackers will craft a phishing email impersonating an existing company. The email will then inquire about advertising opportunities to promote a product such as a VPN, antivirus software, a music player, an online game, or a photo-editing app. 

Google provided an example of one of the phishing emails, and it shows the hackers will ask the YouTube creator to try out the product. In reality, the product is a ploy to trick the victim into installing malware onto their computer. 

[Image: phishing email example. Credit: Google]

“Once the target agreed to the deal, a malware landing page disguised as a software download URL was sent via email or a PDF on Google Drive, and in a few cases, Google documents containing the phishing links,” the company said. 

The hackers also registered over 15,000 user accounts and 1,000 internet domains to impersonate various companies, such as Cisco, photo-editing company Luminar, and game developers on Steam. “During the pandemic, we also uncovered attackers posing as news providers with a ‘Covid19 news software,’” Google says. 

[Image: phishing example. Credit: Google]

The company also examined the malware used to infect the computers, and found it's designed to steal user passwords and browser cookies, which can also contain login credentials. The malware then sends the stolen data to the hacker’s command-and-control servers. 

Once a YouTube account is hijacked, the hackers might then sell it to the highest bidder for up to $4,000. Or they could rebrand the YouTube channel to run cryptocurrency giveaway scams, which try to entice viewers to send Bitcoin to a digital wallet with the promise of a larger payout. In reality, victims get nothing.

“The channel name, profile picture and content were all replaced with cryptocurrency branding to impersonate large tech or cryptocurrency exchange firms,” Google adds. 

Google security researchers followed the scam back to a Russian-speaking internet forum, where the hackers were likely recruited to carry out the phishing attacks. In exchange, hackers were promised a cut of the profits. 

“This recruitment model explains the highly customized social engineering, as well as the varied malware types given each actor's choice of preferred malware,” Google says, noting that multiple malware strains were used in the attacks. 

In response, Google says it has managed to decrease the volume of Gmail-based phishing emails from the hackers by 99.6% since May 2021. "With increased detection efforts, we’ve observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com)," the report adds.

Google is advising users to protect themselves by turning on two-factor authentication on their accounts. It’s also a good idea to run an antivirus scan on unknown software before you install it. Others, including Apple co-founder Steve Wozniak, took the extreme measure of suing Google for failing to take down Bitcoin video scams that exploited his image to defraud victims. But reportedly, a US judge rejected the lawsuit because under federal law, YouTube is not liable for its users' content.
