Skip links

YouTubers fell for shady ‘sponsors’ who seized, then sold, accounts

After years of complaints from YouTubers, Google has pinpointed the root cause of a series of account hijackings: software sponsorship deals that delivered malware.

Google forums have for years witnessed pleas for help to regain control of stolen YouTube accounts, despite the owners using multi-factor authentication. Impacted influencers found themselves not just locked out of their accounts, but scrambling to stop the sale of their channels.

What did they all have in common?

“Sponsors” who suspiciously disappeared without paying out, but did stick around long enough for YouTubers take the bait.

“The actors behind this campaign, which we attribute to a group of hackers recruited in a Russian-speaking forum, lure their target with fake collaboration opportunities (typically a demo for anti-virus software, VPN, music players, photo editing or online games), hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams,” wrote Ashley Shen from Google’s Threat Analysis Group on the company blog.

Once contact was established, the crims often moved away from Gmail to messaging platforms like WhatsApp, Telegram or Discord so that Google wouldn’t spot their phishing attacks or the links to nasty destinations they included.

When the targeted YouTuber downloaded the malware-embedded software required for the “collaboration,” they actually installed cookie-stealing software that attackers used to log into their channels and bypass MFA requirements. The crooks ran the malware in non-persistent mode as a smash-and-grab technique, thus avoiding detection by security products.

Most of the malware was readily available on Github and included RedLine, Vidar, Predator The Thief, Nexus Stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad, Kantal, Sorano and Adamantium Thief. The bulk of it was capable of stealing user passwords and cookies, and some had anti-sandboxing techniques inclusive of enlarged files, encrypted archives and download IP cloaking. Still others presented fake error messages requiring user click-through to continue execution.

Google identified around 15,000 accounts hijacked in this manner and 1,011 domains created just for the purpose of perpetuating the scam. The scum behind the attacks tried to pose as legit sources of software such as Cisco or Steam.

After the scammers seized control of a YouTube channel, they often sold them on account-trading markets, whereupon some stolen channels were converted into cryptocurrency scam accounts.

Shen wrote that since May 2021, Google has blocked 1.6 million messages to targets, displayed around 62,000 phishing warnings, blocked 2,400 files and restored around 4000 accounts. These actions, she claims, have seen the attackers move away from using Gmail to other less popular email providers.

Google claims it is continuing to improve detection of social engineering malware attacks that target its products, and “YouTube has hardened channel transfer workflows, detected and auto-recovered over 99% of hijacked channels”.

The blog post doesn’t explain why it decided to reveal its findings now, or when it first acted to protect YouTubers’ accounts. Nor does the ad giant discuss whether or not it made any money when channel owners lost access and the crooks took over. ®