When it comes to credential theft and account takeover, you might think that cybercriminals are largely indifferent to which account they hack. This is true to some extent. Some accounts are more valuable than others (an email account can hold the keys to many different kingdoms, for example), but any account hack is a win. Where specialization does occur, and profitably so, it is in the online forums where malware is sold to attack specific types of accounts.
When the accounts in question belong to YouTube creators, given the number of eyes they can catch, they grab my attention. Especially when, as with YTStealer, the malware can effectively bypass 2FA protection. With YTStealer being sold as a service to cybercriminals, it should come as no surprise that security researchers have discovered fully automated YTStealer attacks in progress, with compromised accounts already being sold on the dark web.
According to a report by automated security information provider Intezer, YTStealer is “a malware that aims to steal YouTube authentication cookies.” The entire credential-harvesting tool is focused on taking control of YouTube creator accounts, whether they belong to big-league ‘influencers’ or to the little fish in the incredibly massive sea of content creation. Once an account is hacked, it is up to the buyer of the credential-harvesting malware what to do with it: high-value accounts can be sold at a profit, or used to send spam or spread more malware.
How does the YTStealer attack work?
The Intezer report found that game mods and trainers (cheats, if you prefer) were one of the lures under which YTStealer was dropped, disguised as an installer or a native app. These included various hacks for Counter-Strike Go, Call of Duty, and Roblox. Audio and video editing software was another lure, with fake installers for the likes of Adobe Premiere Pro and Ableton Live 11 Suite among them. Other distribution methods have included security tools and antivirus products (Norton and Malwarebytes), and “cracked” software such as Spotify Premium.
Bleeping Computer reports that the installer first runs sandbox checks before executing YTStealer, and also verifies that the system is a valid target. If everything gets the go-ahead, YTStealer then scans the browser’s SQL database files for YouTube authentication cookies. “If validated, the malware will harvest channel names, subscriber counts, and monetization status.” A web automation tool is used so that the threat actor does not need to perform any manual intervention. Perhaps of most concern, though, Bleeping Computer also reported that “even if their accounts are secured with multi-factor authentication, authentication tokens will bypass the MFA and allow threat actors to log into their accounts.”
How can you protect yourself from a YTStealer YouTube account takeover attack?
Intezer advises YouTube creators, or any user for that matter, to practice good basic security rules and to “use software from trusted sources only.”
Meanwhile, Bleeping Computer adds that periodically logging out of YouTube accounts will invalidate any previously generated authentication cookies, stolen ones included.
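To make the two points above concrete (why a stolen session cookie gets past MFA, and why logging out neutralises it), here is an added example that is not part of the article, nor code from Intezer, Bleeping Computer or YTStealer. It is a toy model of a web application’s server-side session table: the user name, password, MFA code and cookie lifetime are all constructed for the demo and stand in for no real service. MFA is checked exactly once, at login; every later request is authorised by the cookie alone, which is precisely the property a cookie stealer exploits. Revoking the session server-side makes the copied cookie value worthless.

```python
"""Toy session-cookie model: MFA at login, cookie-only afterwards, logout revokes.

Constructed for illustration. Not YouTube's real design and not malware code.
"""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed demo account (hypothetical; not a real user or secret).
DEMO_USER = "creator"
DEMO_PASSWORD = "correct horse battery staple"
DEMO_MFA = "123456"
USERS = {DEMO_USER: {"password": DEMO_PASSWORD, "mfa_code": DEMO_MFA}}


def _clock(now: Optional[float]) -> float:
    """Use simulated time when given (so 0.0 is valid), else wall-clock."""
    return time.time() if now is None else now


class SessionStore:
    """Server-side session table: cookie value -> (owner, expiry timestamp)."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def login(self, user: str, password: str, mfa_code: str,
              now: Optional[float] = None) -> Optional[str]:
        """Password and MFA are verified here, once. On success a random
        session cookie is issued; the browser replays it on later requests."""
        record = USERS.get(user)
        if record is None:
            return None
        if not hmac.compare_digest(record["password"], password):
            return None
        if not hmac.compare_digest(record["mfa_code"], mfa_code):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (user, _clock(now) + self.ttl)
        return cookie

    def authenticate_request(self, cookie: str,
                             now: Optional[float] = None) -> Optional[str]:
        """Later requests are authorised by the cookie alone: whoever presents a
        live cookie is treated as its owner, with no MFA prompt. The server has
        no way to tell a copied cookie from the browser it was issued to."""
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        owner, expires_at = entry
        if _clock(now) >= expires_at:
            del self._sessions[cookie]  # absolute lifetime bounds the exposure window
            return None
        return owner

    def logout(self, cookie: str) -> None:
        """Ordinary logout: revoke this one session server-side."""
        self._sessions.pop(cookie, None)

    def logout_everywhere(self, user: str) -> int:
        """Revoke every session for a user, including ones the user never made.
        Returns how many sessions were dropped."""
        doomed = [c for c, (owner, _) in self._sessions.items() if owner == user]
        for cookie in doomed:
            del self._sessions[cookie]
        return len(doomed)


def walkthrough() -> Dict[str, object]:
    """Replays the article's scenario on the toy server. Times are simulated
    seconds, not wall-clock. Returns what each step observed."""
    store = SessionStore(ttl_seconds=3600)
    # 1. The creator logs in normally, supplying password and MFA code.
    cookie = store.login(DEMO_USER, DEMO_PASSWORD, DEMO_MFA, now=0.0)
    # A wrong MFA code is rejected: MFA does protect the login step itself.
    rejected = store.login(DEMO_USER, DEMO_PASSWORD, "000000", now=0.0)
    # 2. Malware copies the cookie value out of the browser's cookie database.
    stolen_copy = cookie
    # 3. The copied value is presented from another machine: no MFA is asked.
    seen_before_logout = store.authenticate_request(stolen_copy, now=60.0)
    # 4. The creator logs out of all sessions; the copied value is now dead.
    revoked = store.logout_everywhere(DEMO_USER)
    seen_after_logout = store.authenticate_request(stolen_copy, now=120.0)
    # 5. Even without a logout, the server-side lifetime eventually expires it.
    cookie2 = store.login(DEMO_USER, DEMO_PASSWORD, DEMO_MFA, now=200.0)
    seen_after_expiry = store.authenticate_request(cookie2, now=200.0 + 3600)
    return {
        "login_without_valid_mfa": rejected,
        "stolen_cookie_before_logout": seen_before_logout,
        "sessions_revoked": revoked,
        "stolen_cookie_after_logout": seen_after_logout,
        "cookie_after_ttl": seen_after_expiry,
    }


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step}: {outcome}")
```

The design point for defenders is in steps 4 and 5: a cookie is only as revocable as the server-side record behind it, so "sign out of all sessions" (not just closing the browser) and a bounded session lifetime are what actually shorten a thief’s window, while MFA on its own only guards the moment the cookie is minted.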
I’ve reached out to Google/YouTube for a statement and will update this article if it becomes available.