Cookie theft, a decades-old session hijacking technique, is making a comeback as seen in a phishing campaign that Google said it has been disrupting since 2019.
Also known as a “pass-the-cookie” attack, cookie theft attacks occur when bad actors hijack victims' session cookies, which are often valid for an extended period of time even when the application is not being actively used. Researchers with Google's threat analysis group (TAG) said the financially motivated campaign has been leveraging this technique in order to target YouTube accounts.
Among other things, cybercriminals can use stolen sessions to authenticate to web applications and services - allowing them to bypass multi-factor authentication (MFA) checkpoints. With the increasing adoption of MFA across enterprises, the technique has recently seen increased use by attackers, with the Cybersecurity and Infrastructure Security Agency (CISA) in January warning of a surge in cookie theft attacks.
“While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics,” said Ashley Shen, security engineer at Google, in a Tuesday post.
Cybercriminals first contacted YouTube creators via their business emails posted on their channels, requesting a video advertisement collaboration for a variety of products, from VPNs to online games. In one example, the attacker pretended to be a manager at a company that made an antivirus called pixprotect. In another, they pretended to be a news provider offering “Covid19 news software.”
When target YouTubers agreed to the advertisement deal, attackers sent them a malware landing page - often impersonating legitimate sites, such as games on Steam or Luminar - that contained a URL disguised as a software download. These were sent via email or PDF on Google Drive or Google documents. When the target ran the fake software, cookie-stealing malware was executed. This malware stole browser cookies from victims’ machines and uploaded them to the attackers’ command-and-control (C2) servers.
“Although this type of malware can be configured to be persistent on the victim's machine, these actors are running all malware in non-persistent mode as a smash-and-grab technique,” said Shen. “This is because if the malicious file is not detected when executed, there are less artifacts on an infected host and therefore security products fail to notify the user of a past compromise.”
Attackers used a variety of different commodity malware families, all of which were capable of stealing both user passwords and cookies. These malware families included Vidar, Raccoon, Predator the Thief, Mossad and open-source malware like Sorano.
“Some of the samples employed several anti-sandboxing techniques including enlarged files, encrypted archive and download IP cloaking,” said Shen. “A few were observed displaying a fake error message requiring user click-through to continue execution.”
After hijacking victims’ YouTube channels, cybercriminals would sell the accounts to the highest bidder, with prices ranging from $3 to $4,000 depending on the number of subscribers. Attackers would sometimes instead rebrand the hijacked accounts to impersonate large cryptocurrency exchange firms, and livestream videos that promised cryptocurrency giveaways in exchange for initial contributions.
Google said the cybercriminals were a “group of hackers recruited in a Russian-speaking forum.” Researchers identified 15,000 actor accounts and 1,011 domains as part of the campaign. Google also blocked 1.6 million messages to targets and 2,400 files, and successfully restored 4,000 accounts.
With cookie theft malware on the rise, researchers emphasize that anyone - whether they’re a YouTuber or an enterprise company - should implement additional heuristic rules to detect and block cookie theft hijacking, as well as phishing emails.
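As an added illustration of the kind of heuristic rule referred to above (example code, not from Google's post or any product), the following replays constructed server-side access events and flags a session cookie that reappears from a different network or browser than it was first issued to, or that is still in use past a maximum session age. The event values, the ASN labels and the thresholds are all constructed.

```python
"""Heuristic detection of pass-the-cookie session reuse (added example)."""
from datetime import datetime, timedelta

# Constructed access-log events: (timestamp, session_id, client_ip, user_agent, asn).
# In practice these would come from the application's own request logs.
SAMPLE_EVENTS = [
    ("2021-10-19T09:00:00", "sess-A", "203.0.113.10", "Windows Chrome/94", "AS64500"),
    ("2021-10-19T09:05:00", "sess-A", "203.0.113.10", "Windows Chrome/94", "AS64500"),
    # Same session cookie presented minutes later from another network and browser:
    # the pattern a stolen cookie produces when replayed from the attacker's host.
    ("2021-10-19T09:12:00", "sess-A", "198.51.100.7", "Linux Firefox/93", "AS64511"),
    ("2021-10-19T10:00:00", "sess-B", "192.0.2.44", "Mac Safari/15", "AS64496"),
    # Same network and browser, only the IP changed (e.g. DHCP): treated as benign.
    ("2021-10-19T10:30:00", "sess-B", "192.0.2.45", "Mac Safari/15", "AS64496"),
    # A long-lived session still in use well past the age limit.
    ("2021-10-19T01:00:00", "sess-C", "192.0.2.90", "Windows Edge/94", "AS64496"),
    ("2021-10-19T10:30:00", "sess-C", "192.0.2.90", "Windows Edge/94", "AS64496"),
]

# Constructed policy: sessions older than this must re-authenticate (including MFA).
MAX_SESSION_AGE = timedelta(hours=8)


def detect_session_anomalies(events, max_age=MAX_SESSION_AGE):
    """Return a list of (session_id, reason) alerts.

    Heuristic 1: a session id is presented from a different ASN or user agent
                 than the one it was first seen with (cookie replayed elsewhere).
    Heuristic 2: a session id is still in use more than max_age after first use
                 (limits how long a stolen cookie stays valid).
    """
    first_seen = {}  # session_id -> (first timestamp, asn, user_agent)
    alerts = []
    for ts_str, sid, ip, ua, asn in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if sid not in first_seen:
            first_seen[sid] = (ts, asn, ua)
            continue
        t0, asn0, ua0 = first_seen[sid]
        if asn != asn0 or ua != ua0:
            alerts.append((sid, f"reused from {ip} ({asn}, {ua}); issued on {asn0}, {ua0}"))
        if ts - t0 > max_age:
            alerts.append((sid, f"in use {ts - t0} after issue; force re-authentication"))
    return alerts


if __name__ == "__main__":
    for sid, reason in detect_session_anomalies(SAMPLE_EVENTS):
        print(f"ALERT {sid}: {reason}")
```

On a hit, the defensive response is to invalidate the session server-side and require a fresh login, since a replayed cookie cannot be distinguished from the legitimate one by the cookie value alone.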