Hackers Stealing Browser Cookies to Hijack High-Profile YouTube Accounts
Since at least late 2019, a network of hackers-for-hire has been hijacking the channels of YouTube creators, luring them with bogus collaboration opportunities, in order to broadcast cryptocurrency scams or sell the accounts to the highest bidder.
"Cookie Theft, also known as 'pass-the-cookie attack,' is a session hijacking technique that enables access to user accounts with session cookies stored in the browser," Ashley Shen of Google's Threat Analysis Group (TAG) said.
Google noted that since May it has blocked 1.6 million messages and restored nearly 4,000 YouTube influencer accounts affected by the social engineering campaign, with some of the hijacked channels selling for anywhere between $3 and $4,000 on account-trading markets, depending on the subscriber count.
Google said it found no fewer than 15,000 accounts behind the phishing messages and 1,011 domains that were purpose-built to deliver the fraudulent software. That software is responsible for executing cookie-stealing malware designed to extract passwords and authentication cookies from the victim's machine and upload them to the actor's command-and-control servers.
The hackers would then use the session cookies to take control of a YouTube creator's account, effectively circumventing two-factor authentication, as well as take steps to change passwords and the account's recovery email and phone numbers.
Users are strongly advised to secure their accounts with two-factor authentication to prevent such takeover attacks.
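From the defender's side, the takeover sequence described above (a stolen session cookie reused from another machine, followed by password and recovery changes) leaves a recognizable trail in session logs. The following detection sketch is an added example, not code from Google or from the original article; the event fields, action names and sample log entries are all constructed for illustration.

```python
# Detection sketch: a session cookie that appears on a client other than the
# one that logged in, then performs a sensitive account change shortly after.
# All field names and events are hypothetical and constructed for this example.

SENSITIVE = {"change_password", "change_recovery_email", "change_recovery_phone"}

# (unix_time, session_id, source_ip, user_agent, action) - constructed sample
EVENTS = [
    (1000, "s1", "192.0.2.10", "Chrome/Win", "login"),
    (1060, "s1", "192.0.2.10", "Chrome/Win", "upload_video"),
    (2000, "s2", "198.51.100.5", "Safari/Mac", "login"),
    (2500, "s2", "198.51.100.5", "Safari/Mac", "change_password"),
    (5000, "s1", "203.0.113.77", "Firefox/Linux", "view_dashboard"),
    (5030, "s1", "203.0.113.77", "Firefox/Linux", "change_password"),
    (5090, "s1", "203.0.113.77", "Firefox/Linux", "change_recovery_email"),
]


def detect_cookie_replay(events, window=3600):
    """Return alerts for sensitive actions made with a session cookie from a
    client (IP + user agent) that differs from the one that established the
    session, within `window` seconds of that client's first appearance."""
    origin = {}   # session_id -> (ip, user_agent) that created the session
    foreign = {}  # session_id -> time the cookie first appeared elsewhere
    alerts = []
    for ts, sid, ip, ua, action in sorted(events):
        client = (ip, ua)
        if action == "login":
            origin[sid] = client
            continue
        if sid not in origin:
            # Login not in the log: treat the first client seen as the origin.
            origin[sid] = client
        elif client != origin[sid]:
            foreign.setdefault(sid, ts)
        if (action in SENSITIVE and client != origin[sid]
                and ts - foreign[sid] <= window):
            alerts.append({"session": sid, "time": ts,
                           "action": action, "client": client})
    return alerts


if __name__ == "__main__":
    for alert in detect_cookie_replay(EVENTS):
        print(alert)
```

A legitimate user who changes networks can trigger the same pattern, so a match is better answered with forced re-authentication before the change is accepted than with an outright block.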