Illustration by Alex Castro / The Verge
Google put out a report detailing a phishing campaign directed at YouTubers, which involved around 15,000 fake accounts and over a million messages to targets. The phishing attempts were carried out by multiple hackers, and the company says it’s recovered around 4,000 accounts since late 2019. The attackers weren’t just trying to get the creators to put their password into a fake website, though — they were trying to infect their computer with malware that would steal their login cookies, which is a much more intensive attack than sending a link and waiting for someone to get sloppy with their passwords.
YouTube doesn’t publicly say who was recruiting the hackers, only that they were using Russian-language forums to advertise. The campaign’s focus on YouTube accounts, instead of traditional targets like government computer systems or banks, shows how valuable gaining access to influencers’ social accounts and audiences’ attention can be.
An example of the advertisements posted to forums trying to recruit hackers to phish YouTubers.
The hack generally worked like this: hackers reached out to the YouTubers, pretending to offer ad deals promoting a VPN, antivirus program, or other software on their channel. If the creator agreed, they got a link that, if clicked, would infect their computer using a variety of malware programs, usually designed to steal cookies and passwords.
Because of the prevalence of two-factor authentication (whether through prompts, codes, or hardware keys), the cookies may have been an especially valuable target — hackers were looking at the ones that websites use to store a user’s log-in session (these files are the reason you don’t have to re-enter your password every time you visit a site).
If the hackers got the YouTuber’s cookie (and were able to use it before it expired) they may have been able to take over the channel, and potentially even change passwords to lock the rightful owners out. Of course, since YouTube accounts are tied to Google accounts, these kinds of attacks also gave hackers access to Gmail, Google Drive, Photos, and other services that were tied to that account.
According to Google, after all that work, hackers were able to sell the accounts for anywhere from $3 to $4,000. While that feels relatively cheap to get a YouTube account with a good number of subscribers, the numbers may be so low because the hackers wanted to hang on to accounts that they thought could really pull in money — last year, tech leaker Jon Prosser told Motherboard that hackers were able to make $10,000 by livestreaming a scam on his channel, promising to double any Bitcoins viewers sent in.
This campaign, and ones like it, could be a motivating factor in why Google announced earlier this year that YouTube creators would be required to turn on two-step verification (which makes having both a password and something like a phone or security key a requirement for logging in), and why it’s giving away thousands of security keys to “high risk users” on an annual basis. They don’t stop hackers who’ve taken over your computer, but making the attacks more expensive might help slow them down.
Google’s also been fighting the hackers in other ways, blocking their emails and files, as well as warning users when they’re visiting a malicious website in Chrome. But given the value that creators’ accounts have, criminals probably won’t be dissuaded from trying to get them — like the scam comments that show up all across YouTube, ever-evolving phishing attacks will likely be a part of life online for the foreseeable future.