Google TAG has published details about a group of hackers who are targeting YouTubers in financially motivated phishing campaigns.
A group of hired hackers has been targeting YouTube creators with fake business collaboration opportunities. They have been using forged business emails to hijack channels since 2019.
Once hijacked, these accounts are either sold to the highest bidder or used to broadcast cryptocurrency giveaway scams.
Google has identified around 15,000 accounts specifically created for this campaign.
At least 1,011 domains are impersonating legitimate software sites such as Cisco VPN, Luminar, games on Steam, and COVID-19-related software.
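The impersonation domains described above are the kind of indicator a defender can screen for before a creator ever clicks a link. The following is an added example (not Google's or TAG's code) of a small look-alike domain classifier: it normalizes common digit-for-letter homoglyphs, splits a domain into hyphenated tokens, and compares each token against a watchlist of brand names taken from the article (Cisco, Luminar, Steam). The sample domains, the `.example` allowlist entries, and the homoglyph table are constructed for illustration.

```python
import re

# Brand names the article says were impersonated; assumed watchlist for this example.
BRANDS = ("cisco", "luminar", "steam")

# Constructed allowlist of domains that legitimately carry a brand name.
ALLOWLIST = {"cisco.example", "steam.example", "luminar.example"}

# Minimal homoglyph table (constructed); real deployments use a fuller mapping.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

# Constructed sample of domains seen in inbound mail, for demonstration only.
SAMPLE_DOMAINS = [
    "cisc0-vpn-download.example",   # digit-for-letter homoglyph of "cisco"
    "lumlnar-setup.example",        # one-character edit of "luminar"
    "steam-games-free.example",     # brand name embedded with extra words
    "covid19-tracker.example",      # themed lure, but no watched brand
    "example-bakery.example",       # unrelated
    "steam.example",                # on the allowlist, must not be flagged
]


def normalize(label: str) -> str:
    """Lower-case a label and fold common homoglyphs back to ASCII letters."""
    label = label.lower()
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def tokens(domain: str) -> list:
    """Split the registrable label (TLD stripped) into hyphen/underscore tokens."""
    parts = domain.lower().split(".")
    sld = parts[-2] if len(parts) >= 2 else parts[0]
    return [t for t in re.split(r"[-_]", sld) if t]


def score_domain(domain: str, brands=BRANDS) -> list:
    """Return (brand, kind) hits: 'exact' token match or 'near-match' within one edit."""
    hits = []
    for tok in tokens(domain):
        norm = normalize(tok)
        for brand in brands:
            if norm == brand:
                hits.append((brand, "exact"))
            elif len(norm) >= 5 and levenshtein(norm, brand) <= 1:
                hits.append((brand, "near-match"))
    return hits


def flag_impersonation_domains(domains, brands=BRANDS, allowlist=ALLOWLIST) -> dict:
    """Map each suspicious domain to its brand hits, skipping allowlisted domains."""
    flagged = {}
    for d in domains:
        if d.lower() in allowlist:
            continue
        hits = score_domain(d, brands)
        if hits:
            flagged[d] = hits
    return flagged


if __name__ == "__main__":
    for domain, hits in flag_impersonation_domains(SAMPLE_DOMAINS).items():
        print(f"{domain}: {hits}")
```

The classifier is deliberately conservative: a near-match requires a token of at least five characters so that short everyday words do not collide with brand names, and anything on the allowlist is skipped so the brand's own mail is never flagged. In practice the output feeds a mail-gateway rule or an alert, not an automatic block, because themed lures such as the COVID-19 example carry no watched brand and still need a human look.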
Tactics, techniques, and procedures
The hackers use a range of tactics to target YouTubers, with the profit from each hijacked channel depending on its number of subscribers.
Attackers were observed using social engineering tactics such as sending forged business emails impersonating an existing company requesting a video advertisement collaboration.
In addition to this, they were found distributing customized phishing emails via messaging apps, such as WhatsApp, Telegram, and Discord, to avoid detection.
They used various types of commodity malware such as Azorult, Predator The Thief, RedLine, Raccoon, and Vidar.
In addition, they have used open-source malware such as AdamantiumThief and Sorano. Both the commodity and the open-source malware families have password- and cookie-stealing capabilities as well as anti-sandboxing techniques.
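Cookie theft matters because a stolen session cookie lets the attacker skip the password and any second factor entirely, so the detection opportunity is on the server side: the same session suddenly appearing from a different client. The following is an added example (not Google's or YouTube's code) of that check run over a few constructed authentication log lines. It records the IP address and user agent that first used each session and raises a high-severity alert when the user agent changes mid-session, and a low-severity one when only the IP changes, since IP churn alone is common on mobile networks and would otherwise drown the signal. The log format, session identifiers, user names, and documentation-range IP addresses are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed log lines (not real YouTube telemetry); s1 is replayed from a new client.
LOG_LINES = """\
2021-10-20T09:00:00Z session=s1 user=creator1 ip=203.0.113.10 ua="Chrome/94 Windows"
2021-10-20T09:05:00Z session=s1 user=creator1 ip=203.0.113.10 ua="Chrome/94 Windows"
2021-10-20T09:12:00Z session=s1 user=creator1 ip=198.51.100.77 ua="Firefox/92 Linux"
2021-10-20T10:00:00Z session=s2 user=creator2 ip=192.0.2.5 ua="Safari/15 macOS"
2021-10-20T10:30:00Z session=s2 user=creator2 ip=192.0.2.6 ua="Safari/15 macOS"
"""

# Assumed line layout for the constructed logs above.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) '
    r'ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)


@dataclass
class Event:
    ts: str
    session: str
    user: str
    ip: str
    ua: str


def parse_log(text: str) -> list:
    """Parse log lines into Event records, sorted by timestamp; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    # ISO-8601 UTC timestamps sort correctly as strings.
    events.sort(key=lambda e: e.ts)
    return events


def detect_session_reuse(events) -> list:
    """Flag sessions whose client fingerprint changes after the session was minted."""
    baseline = {}  # session id -> (ip, user agent) seen when the session first appeared
    alerts = []
    for ev in events:
        if ev.session not in baseline:
            baseline[ev.session] = (ev.ip, ev.ua)
            continue
        base_ip, base_ua = baseline[ev.session]
        if ev.ua != base_ua:
            # A different browser presenting the same cookie is the classic replay signature.
            alerts.append({
                "ts": ev.ts, "session": ev.session, "user": ev.user,
                "severity": "high",
                "reason": f"user agent changed from {base_ua!r} to {ev.ua!r}",
            })
        elif ev.ip != base_ip:
            # IP-only changes are noisy; record them for correlation rather than paging.
            alerts.append({
                "ts": ev.ts, "session": ev.session, "user": ev.user,
                "severity": "low",
                "reason": f"ip changed from {base_ip} to {ev.ip}, user agent unchanged",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(parse_log(LOG_LINES)):
        print(alert)
```

The natural response to a high-severity hit is to invalidate the session and require a fresh login rather than to block the IP, because the stolen cookie remains valid from anywhere until it is revoked; that is also why shortening session lifetimes and re-prompting for authentication before sensitive channel changes limits what a stolen cookie is worth.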
Google has already taken strong action by blocking messages to targets, displaying warnings, restoring accounts, and informing the FBI for further investigation. Still, YouTube users are advised to be aware of these types of threats and to take appropriate steps to further protect themselves.