Google’s Threat Analysis Group (TAG) on Wednesday disclosed details of how hackers used “cookie theft malware” to target YouTube creators in the last two years, as part of a cryptocurrency scam effort.

In a blog post published on Wednesday, Google says since 2019 their team has disrupted financially motivated phishing campaigns targeting YouTubers with cookie theft malware.

According to Google’s TAG, the actors behind this campaign are a group of hackers recruited in a Russian-speaking forum, who have been luring their target with fake collaboration opportunities (typically a demo for anti-virus software, VPN, music players, photo editing or online games), hijacking their channel, then either selling it to the highest bidder or using it to broadcast cryptocurrency scams.

Cookie theft, which TAG also labels as a “pass-the-cookie” attack,  is a session hijacking technique that enables access to user accounts with session cookies stored in the browser.

TAG says that although the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics.

When the victim agrees to a deal, the hackers send a malware landing page disguised as a software download URL via email or a PDF on Google Drive. Around 15,000 actor accounts were identified, most of which were created for this campaign specifically.

The attackers registered various domains associated with forged companies and built multiple websites for malware delivery. The company has identified at least 1,011 domains created solely for this purpose so far.

Some of the websites impersonated legitimate software sites, such as Luminar, Cisco VPN, games on Steam, and some were generated using online templates. During the pandemic, it also uncovered attackers posing as news providers with a “Covid19 news software.”

Once the target runs the fake software, a cookie stealing malware executes, taking browser cookies from the victim’s machine and uploading them to the actor’s command & control servers.

Most of the observed malware was capable of stealing both user passwords and cookies. Some of the samples employed several anti-sandboxing techniques including enlarged files, encrypted archive and download IP cloaking. A few were observed displaying a fake error message requiring user click-through to continue execution.

A large number of hijacked channels were rebranded for cryptocurrency scam live-streaming. The channel name, profile picture and content were all replaced with cryptocurrency branding to impersonate large tech or cryptocurrency exchange firms. The attacker live-streamed videos promising cryptocurrency giveaways in exchange for an initial contribution.

Depending on the number of subscribers, hijacked channels ranged from $3 USD to $4,000 USD on account-trading markets.

In collaboration with YouTube, Gmail, Trust & Safety, CyberCrime Investigation Group and Safe Browsing teams, Google’s protections have decreased the volume of related phishing emails on Gmail by 99.6% since May 2021.

The TAG team has blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts.

“With increased detection efforts, we’ve observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com),” said Ashley Shen with Google’s TAG. Moreover, to protect its users, Google has also shared the findings to the FBI for further investigation.

Google has also recommended its users to protect themselves from such threats by protecting their accounts with 2-Step-verification (multi-factor authentication), performing virus scanning before running software, etc.