Bitdefender has released new research revealing a sudden increase in attacks known as stream-jacking. These apparently target popular, high-profile streaming platforms (YouTube above all) and are used to distribute links that lead to malicious downloads.
Downloading the malware has several unwanted consequences, ranging from the theft of sensitive data to the theft of cryptocurrency. Researchers found that cybercriminals target accounts with a high number of followers so that their fraudulent messages reach large audiences. They push suspicious live-stream pop-ups into users' YouTube feeds and promote the streams with the intention of claiming as many victims as possible.
YouTube channels with a large following are also particularly desirable, because cybercriminals can easily monetize them after a hijack, for example by demanding a ransom from the owner. Such channels can also belong to top-tier brands such as Tesla, with millions of followers and billions of views.
YouTube fraud is a serious problem. In 2020, Apple co-founder Steve Wozniak sued YouTube over Bitcoin scams carried out on the platform using his name. Wozniak accused YouTube and Google of having enabled the fraud by failing to take action against the scammers.
Per Bitdefender: “Observing such a large-scale operation made us wonder about the channels behind these scams, and upon closer examination, we noticed that most of the YouTube channels were, in fact, hijacked/stolen”.
Stream-jacking strategies implemented by cybercriminals
The modus operandi is generally the same as in other phishing attacks. Cybercriminals send emails offering the channel owner opportunities such as brand collaborations or sponsorship deals.
Sometimes they send fake copyright notices purporting to come from YouTube. The email, crafted to look like a legitimate message, urges the recipient to download a malicious document presented as essential to the collaboration. Usually it is a PDF file carrying the RedLine malware or another info-stealer. The file is large (over 300 MB) and can easily bypass most standard security mechanisms.
Once opened, within 30 seconds the malicious agent starts collecting vital data from the computer, including authentication tokens and cookies. With this information the attacker can access the YouTube channel directly, even if the user has enabled multi-factor authentication, because a stolen session cookie already represents an authenticated session. After gaining control of the account, the attackers rebroadcast or re-upload content with a scam embedded in it.
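The lure described above is a document that is not what it claims to be and is inflated well beyond a normal document's size. The following triage routine, an added example that is not Bitdefender's code and not part of the original article, shows the checks a mail gateway or analyst script can apply to an attachment before it reaches a channel owner: does the declared extension match the file's magic bytes, is a Windows executable hiding behind a document name, does a "document" exceed a size ceiling (the 300 MB figure from the article), and is the tail of the file zero padding, which is a common way to inflate size. The rule names, thresholds and sample byte strings are constructed for illustration.

```python
"""Attachment triage for oversized or mislabelled "documents".

Added example (not Bitdefender's code). Thresholds, rule names and the
sample bytes in __main__ are constructed for illustration.
"""
from dataclasses import dataclass

# Bytes a genuine file of each declared type should begin with.
MAGIC = {
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",
}
PE_MAGIC = b"MZ"  # Windows executable (PE) header
EXECUTABLE_EXTS = ("exe", "dll", "scr")

# The article cites lures over 300 MB; many scanners skip files this big.
DEFAULT_MAX_DOC_BYTES = 300 * 1024 * 1024
PAD_TAIL = 64  # how many trailing bytes to inspect for zero padding


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def declared_type(filename: str) -> str:
    """Lower-cased extension as the sender declared it ('' if none)."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage_attachment(filename: str, data: bytes,
                      max_doc_bytes: int = DEFAULT_MAX_DOC_BYTES) -> list[Finding]:
    """Return findings for an attachment; an empty list means nothing odd."""
    findings: list[Finding] = []
    ext = declared_type(filename)
    head = data[:8]
    expected = MAGIC.get(ext)

    # 1. Declared document type does not match the bytes on disk.
    if expected is not None and not head.startswith(expected):
        findings.append(Finding("magic-mismatch",
                                f"{filename!r} claims .{ext} but starts with {head[:4]!r}"))

    # 2. A PE executable behind a non-executable name.
    if head.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        findings.append(Finding("hidden-executable",
                                f"{filename!r} begins with a PE header"))

    # 3. A "document" far larger than documents normally are.
    if expected is not None and len(data) > max_doc_bytes:
        findings.append(Finding("oversized-document",
                                f"{len(data)} bytes exceeds ceiling of {max_doc_bytes}"))

    # 4. Trailing zero bytes: size inflated with padding.
    if len(data) >= PAD_TAIL and set(data[-PAD_TAIL:]) == {0}:
        findings.append(Finding("tail-padding",
                                f"last {PAD_TAIL} bytes are all zero"))
    return findings


def triage_rules(filename: str, data: bytes,
                 max_doc_bytes: int = DEFAULT_MAX_DOC_BYTES) -> list[str]:
    """Convenience wrapper: sorted rule names only."""
    return sorted(f.rule for f in triage_attachment(filename, data, max_doc_bytes))


if __name__ == "__main__":
    # Constructed samples: a small genuine PDF and an executable named as a PDF.
    genuine = b"%PDF-1.7\n1 0 obj\n<<>>\nendobj\n%%EOF\n"
    disguised = b"MZ\x90\x00" + b"\x00" * 100
    for name, blob in (("deal.pdf", genuine), ("contract.pdf", disguised)):
        for f in triage_attachment(name, blob) or [Finding("clean", "no findings")]:
            print(f"{name}: {f.rule} - {f.detail}")
```

In production the size ceiling would be tuned per document type and the magic table extended, but the shape of the check is the point: a 300 MB "PDF" whose first bytes are a PE header should be quarantined regardless of what the antivirus engine managed to scan.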
Most of the content on compromised channels consists of live-stream scams; the channel's original videos are made private or deleted by the attacker. Cybercriminals also modify channel descriptions to suit their needs and attract ever more viewers.