Google’s Threat Analysis Group has released a report documenting and warning against a prevalent “cookie theft” phishing and malware campaign. For several years, malicious actors have been using it as a way to hijack thousands of YouTube channels. Google states that it’s been combating the problem since late 2019 and cautions against suspicious offers for collaboration. The attackers send phishing emails about antivirus software, VPN, online games, and so on, then link to or include a download for cookie-stealing malware. Typically the emails attempt to impersonate a relevant company, then direct targets to fake (but official-looking) websites. Sites for games on Steam, companies like Luminar and Cisco VPN, and even Instagram pages have been falsified. Once activated, the malware copies and uploads the victim’s browser cookies, giving attackers a way to impersonate them and take over. At that point, they either try to sell the channel (with prices ranging anywhere from $3 to $4,000), or they rebrand it to impersonate a tech or cryptocurrency exchange firm. From there, they livestream fraudulent cryptocurrency giveaways and ask for contributions. While Google states it’s been able to protect users from most of these phishing attempts or has restored compromised accounts, it also offers up some advice: Don’t ignore browser safety warnings, always perform virus scans, use two-step authentication, and look out for encrypted archives (which can avoid virus scans). Google says double-checking the email addresses of these contacts is also a good idea, as they can usually be a decent giveaway. Big companies often have their own domain names and won’t use services like email.cz, seznam.cz, post.cz, or aol.com for official business.
