Written by Tonya Riley

Scammers have been targeting YouTube creators with fake content collaboration offers in order to steal their accounts, according to a Google Threat Analysis Group report published Wednesday.

Google began tracking and disrupting the campaign in late 2019.  Approximately 4,000 YouTube channels stolen as part of the campaign have been recovered since May, according to the report. YouTube has struggled with outsiders taking over channels to spread cryptocurrency scams before, as fraudsters took over several high-traffic channels in August 2020 themed around the launch of SpaceX’s first spaceflight with NASA.

As a part of the latest phishing campaign, scammers sent emails to creators offering collaborations. Once the creator agreed, the scammer sent them a link to malicious software that appeared to be a legitimate URL. Attackers created more than 1,000 websites to help spread the ruse, including some that impersonated real companies including a Cisco virtual private network and the gaming service Steam. One of the websites posed as a “Covid19 news software.”

Once downloaded, the malware stole user passwords or session cookies that allowed the hacker to access the account in question. Scammers then flipped the account to impersonate technology or cryptocurrency firms and live-streamed videos promising a chance at a cryptocurrency giveaway in exchange for an initial buy-in. Other accounts were sold by the scammers for anywhere from $3 to $4,000.

The fraud tactic has become a serious issue for consumer watchdogs. The Federal Trade Commission in March reported a significant increase in cryptocurrency investment scams over the past year with victims reporting nearly $80 million in losses between October 2020 and March 2021 alone. One of the most popular tactics by scammers was throwing fake giveaways on social media platforms. Victims are often unable to recoup losses from these scams, an issue that has attracted attention from lawmakers including Sen. Elizabeth Warren, D-Mass.

Scammers have also gone after high-profile Twitter accounts to spread similar scams. In 2020 a group led by a Florida teenager orchestrated a breach of roughly 130 Twitter accounts, including some belonging to high profile users like Barack Obama and Bill Gates, to urge users to send bitcoin to a scam address.

Google found job listings on Russian-speaking forums recruiting hackers for the campaigns, offering hackers between 25 to 70 percent of the revenue from the hijacked chanel depending on their level of involvement. Thieves used a variety of malicious software largely available on GitHub, according to the research report. Google has not attributed the campaign to a specific threat group.

The main technique used by the scammers, known as a “pass-the-cookie” attack has become increasingly popular for hackers trying to avoid multi-factor authentication protections.  The Cybersecurity and Infrastructure Security Agency in January issued a warning about an uptick in successful attacks against cloud services using the method.