When it comes to credential theft and account takeover, you might think that cybercriminals don’t really care which account is compromised. That’s true to a certain extent. Some accounts are more valuable than others, for example an email account can hold the keys to different kingdoms, but any account hack is an asset. Where specialization is a factor, and a profitable one at that, is in the various online forums that sell malware designed to attack specific account types.
When the accounts in question belong to YouTube creators, it gets my attention, given the number of eyes those channels can draw, and all the more so when the malware in question, YTStealer, can sidestep 2FA. YTStealer is sold as a service to other cybercriminals, so it should come as no surprise that security researchers have found the attacks fully automated, with compromised accounts already being offered for sale on the dark web.
According to a report by automated security intelligence provider Intezer, YTStealer is “malware that aims to steal YouTube authentication cookies”. In other words, a credential harvester focused solely on gaining control of YouTube creator accounts, whether those of big-name “influencers” or small fish in the impossibly large sea of content creation. Once the malware has collected the cookies, what happens next is up to the buyer: high-value accounts can be sold on for profit, or used to push spam or further malware to their subscribers.
How does a YTStealer attack work?
The Intezer report found that YTStealer is dropped under the guise of an installer for a genuine application, and that one target audience is gamers looking for mods and trainers, or cheats if you prefer. This included various hacks for Counter-Strike: Global Offensive, Call of Duty, and Roblox. Unsurprisingly, audio and video editing was another, with fake installers for Adobe Premiere Pro and Ableton Live 11 Suite. Other lures included security and antivirus tools (Norton and Malwarebytes) and ‘cracked’ software such as Spotify Premium.
Bleeping Computer reported that before YTStealer runs, it performs anti-sandbox checks to verify that the machine is a real target rather than an analysis environment. If everything gets the green light, YTStealer “examines the browser’s SQL database files to find YouTube authentication tokens.” If a token is found and validated, the malware collects the channel name, subscriber count, and monetization status. This is done with a web automation program, so the attacker needs no manual intervention. Perhaps most concerning, however, is Bleeping Computer’s note that “even if their accounts are secure with multi-factor authentication, the authentication tokens bypass MFA and allow the attackers to log into their accounts.” That is the nature of a session cookie: the second factor is checked once, at login, and anyone who presents the resulting cookie is treated as already logged in.
How to protect yourself from a YTStealer YouTube account takeover attack?
Intezer advises YouTube creators, and other users, to practice basic security hygiene and “only use software from trusted sources.”
Bleeping Computer, meanwhile, adds that regularly logging out of your YouTube account invalidates the existing session tokens, including any that have already been stolen. Logging out only kills tokens issued before that moment, so it needs to be a habit rather than a one-off, and the Google Account security settings, which list signed-in devices and let you sign out of any you don’t recognise, are the place to check whether a session you never started is already in use.
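To make concrete why a stolen cookie sidesteps MFA and why logging out helps, here is a small added Python example. It is my code, not code from Intezer, Bleeping Computer or the malware itself. It builds an in-memory SQLite table with a few columns of the Chromium “Cookies” file layout, queries it the way a stealer would, replays the youtube.com session cookie against a toy session server, and then logs the victim out. The cookie name SESSION_TOKEN, the sample cookie rows and the SessionServer class are constructed stand-ins, not Google’s real cookie names or implementation.

```python
"""Stolen session cookie vs. MFA, and what logging out changes.

Added example; not code from Intezer, Bleeping Computer or YTStealer.
The cookie table copies only a few columns of the Chromium "Cookies"
SQLite layout (host_key, name, value, expires_utc, is_secure, is_httponly).
The cookie name "SESSION_TOKEN", the sample rows and SessionServer are
simplified stand-ins for whatever YouTube actually issues.
"""
from __future__ import annotations

import hashlib
import secrets
import sqlite3

YOUTUBE_HOST = ".youtube.com"
# Chromium stores times as microseconds since 1601-01-01.
CHROMIUM_EPOCH_OFFSET_US = 11_644_473_600 * 1_000_000
# Constructed expiry for the sample rows (mid-2025), not from a real profile.
SAMPLE_EXPIRES_UTC = 13_400_000_000_000_000


def chromium_to_unix(expires_utc: int) -> int:
    """Convert a Chromium expires_utc value to a Unix timestamp (seconds)."""
    return (expires_utc - CHROMIUM_EPOCH_OFFSET_US) // 1_000_000


class SessionServer:
    """Toy stand-in for the site: MFA at login, bearer cookie afterwards."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}  # sha256(token) -> account
        self.mfa_prompts = 0

    @staticmethod
    def _key(token: str) -> str:
        # Store a hash so a leaked server-side table does not yield live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, account: str, password_ok: bool, totp_ok: bool) -> str | None:
        """Password and second factor are checked once; returns a session token."""
        self.mfa_prompts += 1
        if not (password_ok and totp_ok):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = account
        return token

    def whoami(self, token: str) -> str | None:
        """Every later request is authenticated by the token alone, no MFA."""
        return self._sessions.get(self._key(token))

    def logout(self, token: str) -> None:
        """Logging out deletes the server-side session, so replays fail."""
        self._sessions.pop(self._key(token), None)


def build_cookie_db(token: str) -> sqlite3.Connection:
    """Constructed in-memory stand-in for a browser profile's Cookies file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, "
        "expires_utc INTEGER, is_secure INTEGER, is_httponly INTEGER)"
    )
    rows = [  # constructed sample data
        (".google.com", "NID", "prefs-only", SAMPLE_EXPIRES_UTC, 1, 1),
        (YOUTUBE_HOST, "SESSION_TOKEN", token, SAMPLE_EXPIRES_UTC, 1, 1),
        (YOUTUBE_HOST, "VISITOR_INFO1_LIVE", "abc123", SAMPLE_EXPIRES_UTC, 1, 0),
    ]
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def steal_youtube_cookies(conn: sqlite3.Connection) -> dict[str, tuple[str, int]]:
    """What a cookie stealer does: pull every cookie scoped to youtube.com,
    with its expiry, since a long-lived cookie is what makes the theft useful."""
    cur = conn.execute(
        "SELECT name, value, expires_utc FROM cookies "
        "WHERE host_key = ? OR host_key = ?",
        (YOUTUBE_HOST, YOUTUBE_HOST.lstrip(".")),
    )
    return {name: (value, chromium_to_unix(exp)) for name, value, exp in cur}


def run_scenario() -> dict[str, object]:
    """Victim logs in with MFA, attacker replays the cookie, victim logs out."""
    server = SessionServer()
    victim_token = server.login("creator@example.com", password_ok=True, totp_ok=True)
    conn = build_cookie_db(victim_token)

    stolen = steal_youtube_cookies(conn)
    replayed_as = server.whoami(stolen["SESSION_TOKEN"][0])  # attacker's request

    server.logout(victim_token)  # victim follows the "log out regularly" advice
    after_logout = server.whoami(stolen["SESSION_TOKEN"][0])

    return {
        "stolen_cookie_names": sorted(stolen),
        "session_cookie_expires_unix": stolen["SESSION_TOKEN"][1],
        "replay_identity": replayed_as,
        "mfa_prompts_total": server.mfa_prompts,
        "replay_after_logout": after_logout,
    }


if __name__ == "__main__":
    for key, val in run_scenario().items():
        print(f"{key}: {val}")
```

Run it and the replay succeeds with exactly one MFA prompt in total, the victim’s own, then fails once the victim logs out. Two caveats worth noting: the is_httponly flag stops page scripts from reading a cookie, not a process reading the profile from disk; and in a real Chromium profile the value column is empty and the cookie text sits in encrypted_value, protected by the OS keystore (DPAPI on Windows), so a file copy alone is not enough and stealers run inside the user’s session instead.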
I’ve reached out to Google/YouTube for comment and will update this article if one comes up.