IntSights experts discovered that interest in credentials for YouTube channels has recently increased on the darknet and that, as a "side effect", this stimulates data verification activities. More and more offers of this kind can be found on hacker forums and sites that trade in credentials.
It should be noted that cybercriminals have long been interested in YouTube, because the site provides them with a new audience that can be used in a variety of ways, from fraud to advertising. In addition, attackers often “steal” popular channels from their rightful owners, and then demand a ransom for the return of access.
Credentials for YouTube channels are mainly collected from computers infected with malware, through phishing campaigns and so on. The stolen information is then sorted into logins and passwords for specific services and sold on the black market.
The price of listings offering credentials for YouTube channels is proportional to the number of subscribers. The researchers give some examples. In one case, the price for a channel with 200,000 subscribers started at $1,000 and increased in increments of $200.
In another case, the researchers found an auction listing offering data from 990,000 active channels, with the price starting at $1,500 (a buyer who paid $2,500 received the list without bidding). Obviously, the seller was hoping to make money quickly, as he was afraid that his victims would notice the compromise, turn to support and regain access to their accounts.
Another set of 687 YouTube accounts, sorted by the number of subscribers, was put up for sale at an initial price of $400 (the price increased in increments of $100, and for $5,000 the lot could be bought out immediately).
IntSights experts believe that hackers most likely collect the material for such lists of YouTube channel credentials by checking databases of stolen logins and passwords (in search of Google account data) and data obtained from infected computers.
IntSights experts write that in the past, attackers used sophisticated phishing campaigns and reverse proxy toolkits to spoof Google’s two-factor authentication. Now sellers rarely mention 2FA at all, which most likely suggests that the hijacked accounts were not protected by two-factor authentication.
Bleeping Computer notes that users whose YouTube accounts were hacked and hijacked often complain that they were tricked into downloading malware. For example, complaints like this can be found online:
“They pretended to be YouTube sponsors, and when I tried to access their site, a keylogger / spyware was uploaded to my browser. Within a couple of minutes at most, they changed my password, deleted my devices, deleted my phone number and email used for recovery. Then they tried to extort money from me, they wanted me to send them BTC, or they would sell my channel.”
Another scam victim tells a similar story, in which scammers pretended to be looking for people to collaborate with.