
Google Unmasks Two-year-old Phishing and Malware Campaign Targeting YouTube Users (therecord.media)

Almost two years after a wave of complaints flooded Google's support forums about YouTube accounts getting hijacked even if users had two-factor authentication enabled, Google's security team has finally tracked down the root cause of these attacks. From a report: In a report published today, the Google Threat Analysis Group (TAG) attributed these incidents to "a group of hackers recruited in a Russian-speaking forum." TAG said the hackers operated by reaching out to victims via email with various types of business opportunities. YouTubers were typically lured with potential sponsorship deals. Victims were asked to install and test various applications and then publish a review. Apps typically used in these schemes involved antivirus software, VPN clients, music players, photo editors, PC optimizers, or online games.

But unbeknownst to the targets, the hackers hid malware inside the apps. Once the YouTube creators received and installed the demo app, the installer would drop malware on their devices, malware which would extract login credentials and authentication cookies from their browsers and send the stolen data to a remote server. The hackers would then use the authentication cookies to access a YouTuber's account -- bypassing the need to enter a two-factor authentication (2FA) token -- and move to change passwords and the account's recovery email and phone numbers. With the victims locked out of their accounts, the hackers would typically sell the hijacked YouTube channel on underground marketplaces for stolen identities.

  • I would have thought the phishing and malware campaign was about 15 years old [wikipedia.org].
    • by shanen ( 462549 )

      Exactly what I was thinking, but the spammed scam campaign I was thinking about is based on "free" movies and TV shows they will "give" (= steal for you) after you install their special player (= zombot controller) software. It doesn't sound like it matches this story, but I'm optimistic that the same people were involved, so maybe one campaign burst will take the other one down, too.

      The premise of YouTube is a scam. Evil and perhaps even the seed of evil that infected the entire google as it transitioned t

  • by kunwon1 ( 795332 ) <dave.j.moore@gmail.com> on Thursday October 21, 2021 @04:57PM (#61915533) Homepage
    As described in the summary, this sounds like an elementary spear phishing campaign. 'Google takes two years to perform basic reconnaissance and identify the problem' would be a better headline
    • by ScwB ( 1879202 )
      In fairness, they had to identify what the Youtubers themselves were doing, and piece together which of their, presumably, many "reviews" were connected and actually contained malware. A better headline still would be, "Youtubers fall for phishing campaign, blame Google".
    • It's kinda hard to find this kind of campaign if you're not the target. The target was someone using their resources. Unless some of those YouTubers start complaining to YouTube, how would YT even know about it?

    • by AmiMoJo ( 196126 )

      If you read TFA you can see that the malware was only given to specific users, so it would have been difficult for Google to get samples for analysis. Most of these incidents were probably not even linked to the malware initially, the victim just reported having their account hijacked and went through the recovery procedure.

  • by takionya ( 7833802 ) on Thursday October 21, 2021 @05:16PM (#61915595)
    The hackers would then use the authentication cookies to access a YouTuber's account -- bypassing the need to enter a two-factor authentication (2FA) token

    What use is 2FA if it can be bypassed using authentication cookies. Unless this is a built-in feature to allow a certain three-letter-agency access to your gmail account.

    Besides which, since SMS msgs can be diverted, the above "Russian" hack is totally specious.

    Surveillance Backdoor Enabled Chinese Gmail Attack? [slashdot.org]
    • by tlhIngan ( 30335 )

      What use is 2FA if it can be bypassed using authentication cookies. Unless this is a built-in feature to allow a certain three-letter-agency access to your gmail account.

      Authentication cookies help with programmatic access to YouTube.

      For example, there are plenty of tools and services that will take a video and upload it to YouTube and other services. Those services need access to your YouTube account, so either you pass them your password, or you give them an API key that lets them bypass the authenticatio

      • by AmiMoJo ( 196126 )

        Apps are supposed to use OAuth, not cookies. It's possible to create app passwords on your Google account, but those don't use cookies either and require log in for every session.

        It's only browsers that use cookies, and they are taking ever increasing steps to locally protect them from malware, such as encryption and using secure storage on platforms that support it. Chrome and I think Firefox both do that for your saved passwords too.

    • It has neither anything to do with sloppy security nor with some CIA conspiracy, it's simply how the security crutch in webpages work.

      Yes, I say crutch. Security is an afterthought in webpages. And it shows.

    • by martinX ( 672498 )

      What use is 2FA if it can be bypassed using authentication cookies. Unless this is a built-in feature to allow a certain three-letter-agency access to your gmail account.
      Surveillance Backdoor Enabled Chinese Gmail Attack? [slashdot.org]

      The KGB?

    • by AmiMoJo ( 196126 )

      To get the cookies they have to have already p0wned your computer, so you are probably screwed anyway. 2FA protects you if your computer isn't already under the control of some attacker.
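The summary describes the chain (second factor checked at login, session cookie stolen from the browser, cookie replayed to change the password and recovery contacts), and the thread above asks what 2FA is worth if a cookie gets around it. The model below is an added example, not code from the article, the TAG report, or Google. The account record, the fixed TOTP code, the cookie format, the device-binding heuristic and the `suspicious_sessions` detector are all assumptions made for illustration. It shows the two points in the discussion: the cookie really is a bearer credential once issued, so replay works without any factor, and the takeover step (changing recovery details) can still be gated on a fresh second factor that the thief does not hold.

```python
"""Why a stolen browser session cookie bypasses 2FA, and what still blocks
the account-takeover step.

Added illustration, not code from the article, Google, or YouTube. The user
record, the static TOTP code, the cookie format and the device-binding
heuristic are assumptions made for the example.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    user_agent: str   # client properties captured at login (assumed binding)
    ip: str


class AuthServer:
    """Minimal session store. The second factor is checked once, at login.
    The cookie handed out afterwards is a bearer token: whoever presents it
    is the user, which is exactly what an infostealer exploits."""

    def __init__(self):
        # Constructed test account. A real service stores a password hash and
        # verifies time-based codes; a fixed TOTP keeps the example offline.
        self.users = {
            "creator": {"password": "correct-horse", "totp": "492117",
                        "recovery_email": "creator@example.com"},
        }
        self.sessions: dict[str, Session] = {}
        self.access_log: list[tuple[str, str, str, str]] = []  # cookie, ua, ip, action

    def _valid_totp(self, user: str, code) -> bool:
        return code is not None and hmac.compare_digest(self.users[user]["totp"], code)

    def login(self, user, password, totp, user_agent, ip):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        if not self._valid_totp(user, totp):
            return None                      # 2FA enforced here, and only here
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user, user_agent, ip)
        self.access_log.append((cookie, user_agent, ip, "login"))
        return cookie

    def view_dashboard(self, cookie, user_agent, ip):
        """Ordinary access: the cookie alone is enough, no factor is re-checked."""
        s = self.sessions.get(cookie)
        if s is None:
            return None
        self.access_log.append((cookie, user_agent, ip, "view"))
        return s.user

    def change_recovery_email(self, cookie, user_agent, ip, new_email, totp=None):
        """Takeover-relevant change. Two extra gates the bearer cookie does not
        satisfy on its own: the request must come from the device that logged
        in, and the second factor must be presented again right now."""
        s = self.sessions.get(cookie)
        if s is None:
            return "no-session"
        self.access_log.append((cookie, user_agent, ip, "change-recovery"))
        if (user_agent, ip) != (s.user_agent, s.ip):
            return "device-mismatch"        # heuristic; proxying through the victim's PC defeats it
        if not self._valid_totp(s.user, totp):
            return "step-up-required"       # the thief has the cookie, not the authenticator
        self.users[s.user]["recovery_email"] = new_email
        return "ok"

    def suspicious_sessions(self):
        """Detection side: one cookie presented from more than one (UA, IP)
        pair is the signature of a replayed session."""
        seen: dict[str, set] = {}
        for cookie, ua, ip, _ in self.access_log:
            seen.setdefault(cookie, set()).add((ua, ip))
        return [(self.sessions[c].user, len(devs)) for c, devs in seen.items() if len(devs) > 1]


def run_scenario():
    """Replays the attack chain from the story against the model."""
    srv = AuthServer()
    victim = ("Mozilla/5.0 (Windows NT 10.0) Chrome/94", "203.0.113.10")     # constructed
    attacker = ("Mozilla/5.0 (X11; Linux x86_64) Chrome/94", "198.51.100.77")  # constructed
    cookie = srv.login("creator", "correct-horse", "492117", *victim)
    out = {}
    # The dropped malware copies the cookie off disk; the attacker replays it
    # with no password and no code, from their own machine.
    out["replay_reads_account"] = srv.view_dashboard(cookie, *attacker) == "creator"
    # Locking the victim out needs the recovery email changed; the replay fails.
    out["replay_change_recovery"] = srv.change_recovery_email(cookie, *attacker, "evil@example.net")
    # Even routed through the victim's PC (matching UA and IP), no fresh factor.
    out["replay_via_victim_device"] = srv.change_recovery_email(cookie, *victim, "evil@example.net")
    # The legitimate owner, authenticator in hand, succeeds.
    out["owner_change_recovery"] = srv.change_recovery_email(cookie, *victim, "new@example.com", totp="492117")
    out["recovery_email"] = srv.users["creator"]["recovery_email"]
    out["flagged_sessions"] = srv.suspicious_sessions()
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The device check is deliberately shown as a heuristic: an attacker who tunnels requests through the infected machine presents the same User-Agent and IP, and only the fresh second factor stops them. The detector at the end is the server-side view of the same event, a single cookie turning up from two client fingerprints, which is the signal a service can alert on before recovery details are changed.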
