Hackers are stealing cookies to get access to popular YouTube channels

According to a recent study from Google’s Threat Analysis Group (TAG), YouTube has been the subject of cookie stealing malware phishing operations with financial motives. A gang of hackers recruited from a Russian-speaking forum is believed to be responsible for the intrusion.


As per the information that has been revealed, the hackers-for-hire have been compromising YouTube channels since at least the end of 2019. The malicious actors have been using phony collaboration possibilities to broadcast cryptocurrency scams or sell the users’ accounts for a profit.

User accounts with session cookies saved in the browser may be hijacked via the so-called “pass-the-cookie attack”. This technique has been around from many years, but the use of multi-factor authentication (MFA) is making it harder for hackers to exploit accounts and moving the attacker emphasis to social engineering techniques.

After a social engineering operation hijacked almost 4,000 YouTube influencer accounts in May, Google said it had banned 1.6 million messages and restored these accounts, with some of the stolen channels trading for as much as $4,000 in hacker platforms, depending on the number of subscribers.

Other hijacked channels had their names, profile pictures, and content changed to impersonate major tech or cryptocurrency exchange companies in order to conduct live-streamed bitcoin giveaway scams in exchange for an initial donation.

As part of the attacks, malicious links were sent to YouTube channel owners in the disguise of video advertisement collaborations for anti-virus software or VPN clients. The malicious links would redirect the recipients to malware landing pages that impersonated legitimate software sites such as Luminar and Cisco VPN, or pretended to be media outlets covering COVID-19-related news.

Google found 1,011 domains that were specifically designed to deliver the fraudulent software specialized in executing cookie-stealing malware designed to extract passwords and authentication cookies from victims’ machines before uploading them to the command-and-control servers of the threat actors.

Forcing a YouTube creator’s password and account recovery email and phone number to be changed would be the hackers’ next move, and they’d utilize session cookies to bypass two-factor authentication (2FA).

Google’s actions led to a change in the hackers strategy which shifted to driving targets to messaging applications like WhatsApp, Telegram, and Discord in an effort to bypass Gmail’s phishing protections. The crooks have also been spotted  switching to other email providers like aol.com, email.cz, seznam.cz, and postcz.

A two-factor authentication system is strongly recommended for users to protect against account takeover attempts.

About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment