Cookie Theft: Phishing Campaign Targets YouTube Creators

By Meera Mathews, published on 22 Nov 2021. Tags: Cookies, Phishing

The number of video content creators has surged on every social media platform, including YouTube, during the pandemic.

The rate of cyber incidents has increased in tandem with this surge in the number of YouTubers.

According to Google, a new phishing campaign using cookie theft malware has been discovered, which primarily targets YouTube content creators.

Since 2019, a network of hackers has been hijacking YouTube creators’ channels, luring the creators with collaboration offers and then using the channels to broadcast cryptocurrency scams or selling the accounts to the highest bidder.

Cookie theft, also known as the “pass-the-cookie attack,” is a session hijacking tactic that gives an attacker access to user accounts which have stored session cookies in the browser.

It occurs when attackers steal the victim’s session ID and present the copied cookie as their own over the same network.

The two common methods to execute this attack are:

  1. Tricking a user into clicking a malicious link that carries a pre-set session ID

  2. Stealing the user’s current session cookie

According to reports, the most common type of cookie theft occurs when a person accesses a secure website via an unprotected public Wi-Fi connection.

Even if the credentials are encrypted in transit, a hacker can steal the session ID and the data being transferred and hijack the session.
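The protections that decide whether a session cookie can be captured or replayed in the scenarios above are mostly cookie attributes set by the server. The following audit script is an added example for this article, not code from the original post: it parses Set-Cookie headers and reports a missing Secure flag (the cookie can travel over plaintext HTTP, the public Wi-Fi case), a missing HttpOnly flag, a weak SameSite setting, and an over-long lifetime. The header strings, cookie name and lifetime threshold are constructed for illustration.

```python
"""Audit Set-Cookie headers for the attributes that limit cookie theft.

Added example for this article, not code from the original post. The
header strings, the cookie name and the lifetime threshold are constructed
for illustration; adjust them to the application under review.
"""

# Assumption: a session should not outlive a working day (seconds).
MAX_SESSION_LIFETIME = 12 * 3600


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map
    to True, valued attributes such as Max-Age map to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return a list of findings for a session cookie; empty means hardened.

    Secure keeps the cookie off plaintext HTTP, HttpOnly keeps it away from
    page scripts, SameSite limits cross-site sending, and a bounded
    lifetime limits how long a stolen copy keeps working.
    """
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, can be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable by page scripts")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict, sent on cross-site requests")
    max_age = attrs.get("max-age")
    if isinstance(max_age, str):
        try:
            if int(max_age) > MAX_SESSION_LIFETIME:
                findings.append(f"{name}: Max-Age {max_age}s exceeds {MAX_SESSION_LIFETIME}s")
        except ValueError:
            findings.append(f"{name}: Max-Age is not an integer: {max_age!r}")
    return findings


# Constructed sample headers, as a server might emit them.
WEAK_COOKIE = "sid=7f3a9c; Path=/"
HARDENED_COOKIE = "sid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600"
LONG_LIVED_COOKIE = "sid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=2592000"

if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE, LONG_LIVED_COOKIE):
        print(header, "->", audit_cookie(header) or "no findings")
```

The audit treats the absence of SameSite as a finding because browsers have not always defaulted it to Lax; an explicit value is the only setting the server controls. Expires is deliberately not parsed here, so a cookie that uses Expires instead of Max-Age still needs a manual look at the date.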

How do YouTube creators get targeted?

Recently, YouTube creators have seen an increase in phishing campaigns targeting them. The attackers send emails offering lucrative business deals and ask for personal information or payment. They also ask for access to the creators’ YouTube accounts, supposedly in order to produce a video commercial.

The attackers also use the emails to ask for access to the creator’s webcam and microphone, supposedly to test them and to trim and edit the creator’s videos. This is a serious threat, as the creators are at risk of having their personal and sensitive information stolen.

Therefore, it is essential to be aware of this threat and take the proper protective measures, such as verifying the legitimacy of emails and not granting access to webcams and microphones unless you are certain of the source.

Once the target agrees to the offer, a malware landing page disguised as a software download URL is provided via email.

When the user clicks on the link, the attacker delivers crafted malware-infected files that steal the user’s YouTube channel login cookies. The attackers also encrypt the files, making it harder for the user to recognize their intent. With the stolen cookies they can hijack the user’s YouTube account and channels even without the username or password.

According to researchers, the attackers have already used over 1,011 different domains, connected with bogus firms set up for the purpose, to deliver malware.

Some of the websites impersonated legitimate software sites such as Luminar, Cisco VPN, and Steam games.
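The reason a stolen cookie works without the username or password is that a session cookie is a bearer credential: whoever presents it is treated as the logged-in user. One server-side mitigation is to bind each session to the client context it was issued in and to force re-authentication when a genuine cookie arrives from a different context. The code below is an added example for this article, not code from the original post or from Google or YouTube; the fingerprint fields (user agent plus IPv4 /24), the timeouts and the sample requests are constructed assumptions.

```python
"""Session store that binds a session to the context it was issued in.

Added example for this article, not code from the original post or from
any YouTube/Google system. The binding fields (user agent and IPv4 /24),
the timeouts and the sample requests in demo() are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 8 * 3600   # assumption: absolute session lifetime in seconds
SESSION_IDLE = 30 * 60   # assumption: idle timeout in seconds


def context_fingerprint(user_agent, client_ip):
    """Hash the client attributes the session is bound to.

    Only the first three IPv4 octets are used, so a client moving between
    addresses inside one network keeps its session. For an IPv6 address the
    split yields a single element and the whole address is used.
    """
    network = ".".join(client_ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{network}".encode()).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so the flow can be tested
        self._sessions = {}      # session id -> record

    def issue(self, user, user_agent, client_ip):
        """Create a session after a successful login and return its id."""
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = {
            "user": user,
            "fp": context_fingerprint(user_agent, client_ip),
            "issued": t,
            "last_seen": t,
        }
        return sid

    def validate(self, sid, user_agent, client_ip):
        """Return (status, user) for a presented session cookie.

        status is 'ok', 'unknown', 'expired', or 'reauth' when a genuine
        cookie arrives from a context other than the one it was issued to.
        """
        record = self._sessions.get(sid)
        if record is None:
            return "unknown", None
        t = self._now()
        if t - record["issued"] > SESSION_TTL or t - record["last_seen"] > SESSION_IDLE:
            del self._sessions[sid]
            return "expired", None
        if not hmac.compare_digest(record["fp"], context_fingerprint(user_agent, client_ip)):
            # The cookie is valid but its bearer may not be the user. Revoke it
            # so neither party can continue until the account holder logs in again.
            del self._sessions[sid]
            return "reauth", record["user"]
        record["last_seen"] = t
        return "ok", record["user"]


def demo():
    """Constructed flow: legitimate use, then the same cookie from elsewhere."""
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    sid = store.issue("creator", "Mozilla/5.0 (X11; Linux)", "203.0.113.10")
    same_context = store.validate(sid, "Mozilla/5.0 (X11; Linux)", "203.0.113.77")
    clock[0] += 60
    other_context = store.validate(sid, "Mozilla/5.0 (Windows NT 10.0)", "198.51.100.5")
    owner_again = store.validate(sid, "Mozilla/5.0 (X11; Linux)", "203.0.113.10")
    return same_context[0], other_context[0], owner_again[0]


if __name__ == "__main__":
    print(demo())
```

The trade-off is deliberate: revoking on mismatch logs the real user out as well, which is the signal that prompts them to change the password and review their channel, whereas silently accepting the cookie would let the other bearer keep the session. Coarse fingerprints (network rather than exact address) keep false logouts from mobile clients down, and the short idle timeout limits how long a captured cookie stays usable at all.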

You can avoid becoming a victim of cookie theft by taking measures such as:

  1. Paying attention to malware detections and warnings from your antivirus software

  2. Avoiding clicking on suspicious links or messages

  3. Scanning software for viruses before installing it

  4. Enabling Enhanced Safe Browsing protection in your Chrome browser

  5. Enabling 2-step verification on your accounts

  6. Being wary of encrypted archives
