Users of Google products such as Gmail and YouTube have been facing a surge in hackers targeting their accounts, even when two-factor authentication (2FA) is activated. These victims have turned to official and unofficial Google support forums for assistance in recovering their compromised accounts. Many have reported that despite having 2FA activated, hackers were able to change passwords, phone numbers, and 2FA settings, leaving them locked out of their accounts.

One common thread among these attacks is the involvement of cryptocurrency scams, specifically those related to Ripple’s XRP. Hackers are utilizing these scams to entrap users by promising to double the amount of XRP they send to fake Ripple accounts. Ripple has issued a warning to users about these scams and advised them on how to avoid falling victim to such schemes. Some compromised YouTube accounts have even used deepfake technology to create videos appearing to be from Ripple Labs CEO Brad Garlinghouse for added authenticity.

The method by which hackers are bypassing 2FA security is session cookie hijacking. The attacker captures a session cookie after the victim has completed a successful login; because that cookie is issued only after the password and the 2FA step have already been satisfied, replaying it lets the attacker use the session without ever being prompted for a 2FA code. Google has acknowledged this long-standing issue and stated that it continuously updates its techniques to detect and block suspicious access. The company also offers an automated account recovery process that allows users to regain access to their accounts within seven days of a security incident.
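The defensive counterpart to the replay described above is to make a stolen cookie less useful: bind each session to the client context seen at login and require a fresh step-up before the account changes (password, phone number, 2FA settings) that the victims in this article reported. The following is an added illustration, not Google's implementation or anything from the article; the in-memory session store, the /24 and /64 prefix binding, the 300-second re-authentication window and the sample addresses are all assumptions made for the example.

```python
"""Server-side detection of replayed session cookies (added example).

A replayed cookie already represents a post-2FA session, so the check has to
look at *who* presents the cookie, not at the cookie alone.  Each session is
bound to an HMAC of the client's network prefix and User-Agent; a later
request carrying the same cookie from a different context is flagged.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

# Constructed for the example; a real service would use a managed secret.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Session:
    user: str
    context_hash: str
    mfa_verified: bool
    anomalies: list = field(default_factory=list)


SESSIONS: dict[str, Session] = {}


def _context_hash(ip: str, user_agent: str) -> str:
    # Bind to the /24 (IPv4) or /64 (IPv6) rather than the exact address so
    # that ordinary NAT and mobile address churn does not trip the check.
    prefix = "/64" if ":" in ip else "/24"
    net = ipaddress.ip_network(ip + prefix, strict=False)
    msg = f"{net}|{user_agent}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def login(user: str, ip: str, user_agent: str, mfa_ok: bool) -> str:
    """Issue a random session cookie bound to the login context."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = Session(user, _context_hash(ip, user_agent), mfa_ok)
    return cookie


def check_request(cookie: str, ip: str, user_agent: str) -> str:
    """Classify a request as 'ok', 'unknown', 'no_mfa' or 'replay_suspected'."""
    session = SESSIONS.get(cookie)
    if session is None:
        return "unknown"
    if not session.mfa_verified:
        return "no_mfa"
    if not hmac.compare_digest(session.context_hash, _context_hash(ip, user_agent)):
        # Record the mismatch so it can be alerted on or used to revoke the session.
        session.anomalies.append((ip, user_agent))
        return "replay_suspected"
    return "ok"


def sensitive_action_allowed(cookie: str, ip: str, user_agent: str,
                             seconds_since_reauth: float, max_age: float = 300.0) -> bool:
    """Password, phone-number and 2FA changes need a healthy session *and* a
    recent step-up authentication, so a replayed cookie alone is not enough."""
    return check_request(cookie, ip, user_agent) == "ok" and seconds_since_reauth <= max_age


if __name__ == "__main__":
    # Constructed walk-through: legitimate login, then the same cookie from elsewhere.
    ua = "Mozilla/5.0 (X11; Linux x86_64)"
    cookie = login("alice", "203.0.113.10", ua, mfa_ok=True)
    print(check_request(cookie, "203.0.113.77", ua))        # ok (same /24)
    print(check_request(cookie, "198.51.100.5", ua))        # replay_suspected
    print(sensitive_action_allowed(cookie, "203.0.113.10", ua, 3600))  # False
```

The prefix binding is a trade-off: a narrower binding catches more replays but breaks sessions for roaming users, so the anomaly list is meant to feed a risk score or a re-authentication prompt rather than an unconditional block.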

In addition to cryptocurrency scams, YouTube users, particularly those interested in pirated video games, are being targeted by attackers distributing information-stealing malware. Malicious links disguised as tips on downloading free video games in video descriptions lead users to websites delivering malware payloads instead. The compromised YouTube accounts hosting these malicious videos also appear to be targeting a young demographic, further emphasizing the dangers associated with this distribution methodology.

Proofpoint researchers have analyzed several YouTube accounts distributing malware and targeting the gamer community, with a particular focus on pirated video games. These accounts use various information-stealing malware such as Lumma Stealer, StealC, and Vidar. They employ similar technical methods, including instructing victims to disable antivirus software and bloating file sizes to evade security protections. The attackers persistently target YouTube consumers rather than enterprise users, with one compromised account having over 113,000 users and a grey verification checkmark.

Recommendations from the researchers include looking for significant gaps in time between posted videos, differing content from previously published videos, language differences, and malicious links in descriptions. They reported more than two dozen accounts distributing malware to YouTube users, all of which have had their content removed by YouTube. This highlights the ongoing threat to users of Google products, especially when it comes to protecting their accounts from various forms of cyberattacks.
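The four indicators the researchers list (a long gap before a new upload, content unlike the channel's earlier videos, a change of language, and links in the description) can be turned into a simple scoring routine over a channel's upload history. The example below is added here and is not Proofpoint's tooling or YouTube's; the video records, the 180-day gap threshold, the title-overlap cut-off, the trusted-host list, the lure-word list and the sample channel are all constructed assumptions, and the language code is assumed to come from an upstream language detector.

```python
"""Heuristic scoring of a channel's latest upload against its history (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse


@dataclass
class Video:
    published: datetime
    title: str
    description: str
    lang: str  # assumed: ISO language code from an upstream detector


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumed allowlist; anything else in a description is worth a look.
TRUSTED_HOSTS = {"youtube.com", "youtu.be"}
# Words drawn from the lures described in the article (free games, piracy, XRP doubling).
LURE_WORDS = {"free", "download", "crack", "pirated", "xrp", "double", "giveaway"}


def _tokens(text: str) -> set:
    return set(re.findall(r"[a-z]{3,}", text.lower()))


def _host(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def score_channel(videos: list, gap_days: int = 180, min_overlap: float = 0.1) -> dict:
    """Compare the most recent upload with everything before it and return
    the triggered signals plus a verdict ('suspicious' when two or more fire)."""
    history = sorted(videos, key=lambda v: v.published)
    latest, prior = history[-1], history[:-1]
    signals = []

    # 1. Long silence followed by a sudden upload.
    if prior and latest.published - prior[-1].published > timedelta(days=gap_days):
        signals.append("long_gap_before_recent_upload")

    # 2. The new video is in a language the channel never used before.
    if prior and latest.lang not in {v.lang for v in prior}:
        signals.append("language_change")

    # 3. Topic shift: Jaccard overlap between the new title and all earlier titles.
    if prior:
        earlier = set().union(*(_tokens(v.title) for v in prior))
        now = _tokens(latest.title)
        overlap = len(now & earlier) / len(now | earlier) if now | earlier else 1.0
        if overlap < min_overlap:
            signals.append("content_shift")

    # 4. Links in the description that do not point at an allowlisted host.
    for url in URL_RE.findall(latest.description):
        host = _host(url)
        if host not in TRUSTED_HOSTS:
            signals.append(f"untrusted_link:{host}")

    # 5. Lure vocabulary in the title or description.
    lures = sorted(_tokens(latest.title + " " + latest.description) & LURE_WORDS)
    if lures:
        signals.append("lure_words:" + ",".join(lures))

    return {"signals": signals, "verdict": "suspicious" if len(signals) >= 2 else "benign"}


# Constructed sample channel: a cooking channel that goes quiet, then posts a game lure.
SAMPLE_PRIOR = [
    Video(datetime(2022, 1, 10), "Easy pasta recipe", "Ingredients in the pinned comment.", "en"),
    Video(datetime(2022, 2, 3), "Best bread baking tips", "More videos every week.", "en"),
]
BENIGN = Video(datetime(2022, 2, 20), "Simple pasta sauce recipe",
               "Full recipe at https://www.youtube.com/watch?v=example", "en")
SUSPICIOUS = Video(datetime(2023, 5, 20), "Free GTA download tutorial",
                   "Get the game free here http://dl-example.invalid/game.zip", "ru")

if __name__ == "__main__":
    print(score_channel(SAMPLE_PRIOR + [BENIGN]))
    print(score_channel(SAMPLE_PRIOR + [SUSPICIOUS]))
```

None of these signals is conclusive on its own (a legitimate creator can return after a break or switch languages), which is why the verdict requires at least two to coincide; in practice the output would feed a review queue rather than an automatic takedown.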
