Google has identified and blocked 1.6 million phishing emails between May 2021 and now. The scams were all part of a big malware campaign with a goal of stealing YouTube accounts and using them to promote cryptocurrency schemes.
The news comes from Google's Threat Analysis Group (TAG), and they seem to have the issue in hand: That 1.6 million emails represents a 99.6% decrease in the volume of related phishing emails in Gmail.
It's another peek into the security threats we all face over the internet. The scams aren't always trying to sell you bad cryptocurrencies, but they're always trying to steal your personal data.
How the Scam Works
The short story here is that you're likely safe: Its phishing emails are customized and aimed at YouTubers. As long as you don't have an urge to collaborate on a project, you won't be tempted to download the malware, which is often made to look like a VPN or Steam game.
Here's how Google explains it in their blog post on the topic.
“The actors behind this campaign, which we attribute to a group of hackers recruited in a Russian-speaking forum, lure their target with fake collaboration opportunities (typically a demo for anti-virus software, VPN, music players, photo editing or online games), hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams.”
TAG has kept an eye on this type of phishing campaign since late 2019. In addition to blocking the 1.6 million messages to targets, TAG also says it “displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts.”
Like a horror movie villain, though, the scammers are living to attack another day: TAG notes that it has detected attackers are shifting to more profitable email providers — email.cz, seznam.cz, post.cz and aol.com are all mentioned.
Avoid Those Downloads
The specific malware involved is called “Cookie Theft,” or a “pass-the-cookie attack.” It's a session hijacking attack that gives the bad actor access to the user's accounts through the session cookies stored in the victim's website browser.
The trick is decades old, but TAG speculates scammers are being forced into trying more social engineering due to the effective rise of multi-factor authentication. Sometimes that means getting really creative, TAG notes, like when they invented an entire fake Instagram account:
“In one case, we observed a fake social media page copying content from an existing software company.”
Google's updating its products with “additional heuristic rules” to better detect these emails, and YouTube has “hardened channel transfer workflows.” Regular users, though, will just have to stay on guard whenever anyone emails and wants them to download anything.
You can do a few things to put yourself in the best position to avoid getting scammed and downloading a malware service that spies on your account logins. Try considering these tips:
- Enable multi-factor authentication
- Pay attention to Chrome's “Safe Browsing” warnings
- Try an online virus scanning tool like VirusTotal to catch malware
- Try a password manager tool — we've rounded up the best deals over here
- Enable Chrome's “Enhanced Safe Browsing Protection” mode for the most security warnings
- Keep an eye out for encrypted archives online — they can be a sneaky way to avoid antivirus detection scans
You could also try a secure VPN. It won't stop social engineering scams, but it's one more layer of protection. Google might catch a lot, but we definitely can't depend on them for everything.