“We blocked 1.6M messages to targets, displayed 62K Safe Browsing phishing page warnings, blocked 2.4K files and successfully restored 4K accounts. With increased detection efforts, we have observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com),” Google said in a blog post.
The group tracks actors involved in disinformation campaigns, government-backed hacking, and financially motivated abuse. “Since late 2019, our team has disrupted financially motivated phishing campaigns targeting YouTubers with Cookie Theft malware,” the company said.
“The actors behind this campaign, which we attribute to a group of hackers recruited in a Russian-speaking forum, lure their target with fake collaboration opportunities (typically a demo for antivirus software, VPN, music players, photo editing or online games), hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams,” it added.
Google shared examples of the specific tactics, techniques, and procedures (TTPs) used to lure victims, as well as some guidance on how users can further protect themselves. Cookie Theft, also known as a “pass-the-cookie attack,” is a session hijacking technique: the attacker steals the session cookies a browser stores after a user has logged in and replays them to the service, which then treats the attacker's requests as the victim's.
While the technique has been around for decades, its resurgence as a top security risk could be due to wider adoption of multifactor authentication (MFA), which makes credential-based abuse harder and has pushed attackers toward social engineering, the company said. A replayed cookie is presented after the login flow, including the second-factor check, has already completed, so MFA alone does not stop it.
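To make the two points above concrete (a stolen cookie is accepted without the password or second factor, and the server can both bind sessions to the client and hunt for replayed cookies in its logs), here is an added illustration in Python. It is not Google's code and not part of the report; the server key, the demo account, the IP addresses and the log lines are all constructed, and the `SessionStore` and `detect_cookie_reuse` helpers are hypothetical names for this example.

```python
"""Pass-the-cookie demo: why a stolen session cookie sidesteps MFA, plus a
server-side client-binding check and a log-based detector.
Added illustration; every user, key, address and log line is constructed."""
import hashlib
import hmac
import secrets
from collections import defaultdict

SERVER_KEY = b"constructed-server-side-key"   # assumption: known only to the server

# Constructed demo account: password plus a (static, for the demo) one-time code.
USERS = {"creator": {"password": "hunter2", "otp": "123456"}}


def _fingerprint(client_ip: str, user_agent: str) -> str:
    """Keyed hash of client attributes the server observes on every request."""
    msg = f"{client_ip}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class SessionStore:
    """In-memory session table keyed by the cookie value (hypothetical helper)."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password, otp, client_ip, user_agent):
        """Full login: password AND second factor are checked here, and only here."""
        rec = USERS.get(user)
        if rec is None or rec["password"] != password or rec["otp"] != otp:
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"user": user, "fp": _fingerprint(client_ip, user_agent)}
        return cookie

    def whoami(self, cookie, client_ip, user_agent, bind_to_client=False):
        """Resolve a cookie to a user. With bind_to_client=False (the common default)
        whoever holds the cookie *is* the user; MFA was never part of this path."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return None
        if bind_to_client and not hmac.compare_digest(
            sess["fp"], _fingerprint(client_ip, user_agent)
        ):
            return None   # same cookie, different client: refuse and force re-login
        return sess["user"]


def demo():
    """Victim logs in with MFA; attacker replays the exfiltrated cookie."""
    store = SessionStore()
    victim_ip, victim_ua = "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/94"
    attacker_ip, attacker_ua = "198.51.100.7", "Mozilla/5.0 (X11; Linux) Chrome/94"
    cookie = store.login("creator", "hunter2", "123456", victim_ip, victim_ua)
    # No password, no OTP: just the cookie lifted from the victim's browser.
    replay_unbound = store.whoami(cookie, attacker_ip, attacker_ua)
    replay_bound = store.whoami(cookie, attacker_ip, attacker_ua, bind_to_client=True)
    victim_bound = store.whoami(cookie, victim_ip, victim_ua, bind_to_client=True)
    return replay_unbound, replay_bound, victim_bound


# Constructed access-log lines: "<epoch> <client_ip> <session_id> <path>".
SAMPLE_LOG = [
    "1634000000 203.0.113.10 s1 /studio",
    "1634000120 203.0.113.10 s1 /upload",
    "1634000300 198.51.100.7 s1 /settings/channel",   # same cookie, new IP, 5 min later
    "1634000400 203.0.113.55 s2 /studio",
    "1634000500 203.0.113.55 s2 /watch",
]


def detect_cookie_reuse(log_lines, window_s=600):
    """Return session IDs seen from more than one client IP within window_s seconds."""
    seen = defaultdict(list)   # session_id -> [(epoch, ip), ...]
    hits = set()
    for line in log_lines:
        ts, ip, sid, _path = line.split()
        ts = int(ts)
        for prev_ts, prev_ip in seen[sid]:
            if prev_ip != ip and ts - prev_ts <= window_s:
                hits.add(sid)
        seen[sid].append((ts, ip))
    return sorted(hits)


if __name__ == "__main__":
    print("unbound replay / bound replay / legit:", demo())
    print("sessions replayed from a second IP:", detect_cookie_reuse(SAMPLE_LOG))
```

The binding check and the detector are deliberately coarse: IP addresses change on mobile networks and behind carrier NAT, and an attacker who stole the cookie can copy the User-Agent string too, so in practice they raise a signal for re-authentication rather than a hard block. The more robust controls, as a general matter, are short session lifetimes and step-up authentication on sensitive actions such as changing channel ownership or payout details, so that a replayed cookie buys the attacker as little as possible.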