Google’s Threat Analysis Group (TAG) today disclosed the details of a financially motivated phishing campaign that has targeted YouTube creators with “cookie theft” malware, and which it has been disrupting since 2019.
Cookie theft, which TAG also describes as a “pass-the-cookie” attack, is a session hijacking tactic that gives an attacker access to user accounts with session cookies stored in the browser. It is a technique that has been around for years, TAG says. Its resurgence may be linked to wider adoption of multifactor authentication prompting criminals to focus on social engineering.
The attackers are attributed to a group of actors recruited in a Russian-speaking forum, TAG wrote in a blog post. They usually lure targets with an email about an advertising collaboration opportunity; for example, a demo for antivirus software, VPN, music players, photo editing, or online games. Many YouTube creators put their email address on their channel, TAG noted.
When the victim agrees to a deal, the attackers send a malware landing page disguised as a software download URL via email or a PDF on Google Drive. Researchers report the attackers registered various domains associated with fake companies and built multiple websites to deliver malware. They’ve identified at least 1,011 domains created for this purpose so far.
Once the fake software is run, it executes a cookie-stealing malware, takes browser cookies from the victim’s machine, and uploads them to the attackers’ command-and-control servers. A lot of the malware could steal both user passwords and cookies, researchers noted. Some used anti-sandboxing techniques such as enlarged files, encrypted archives, and IP cloaking.
Some hijacked accounts were sold on account-trading markets, where they went for $3 to $4,000 USD depending on the subscriber count. Many were rebranded for cryptocurrency scam livestreaming, in which the channel name, profile picture, and content were replaced with cryptocurrency branding to spoof large tech or cryptocurrency exchange firms. Attackers livestreamed videos promising cryptocurrency giveaways in exchange for an initial contribution.