Leaked YouTube Credentials Growing in Popularity on Dark Web Forums

The current cyber threat landscape is dominated by coronavirus-related attacks, exploits, and scams. In recent blogs, we have explored how cybercriminals have been exploiting the COVID-19 pandemic to spread phishing and malware attacks, how they then moved on to targeting collaboration tools, and how they recycle old usernames and passwords for credential dumping attacks.

But over the past few weeks, IntSights researchers have observed yet another new trend in black markets and cybercrime forums that has rapidly growing demand: stolen credentials for prominent YouTube accounts.

It should come as no surprise that global reliance on the internet has skyrocketed during quarantine, with surges in internet usage and streaming services in particular. While YouTubers have always “worked” from home, the recent uptick in the number and sophistication of attacks against home users has resulted in more bots (malware-infected computers) that attackers can search for access to specific services. In fact, this searching is also offered as a service by cybercrime underground members.

YouTube accounts harvested from compromised computers or from credential logs can be of high value. While smaller channels may not be as lucrative as larger ones, YouTubers rely on them as revenue streams and might be willing to pay attackers to get their content and access to their channels back. Below is an example of such a case from a Google support thread.

With an increasing number of underground offerings for stolen YouTube accounts, one forum decided to run a quick poll last week to see if this is of interest to forum members. So far, the results are vastly in favor.

As always with underground offerings, when there is demand the supply is soon to follow. In recent weeks, IntSights researchers have noticed an increasing number of stolen YouTube channel credentials, of varying subscriber counts, up for sale.

As seen in the last screenshot as well as the Google support thread, attackers will need to sell these accounts rather quickly before the owner has a chance to contact support and explain the situation. Many of these auctions set a time limit to speed up the process before their goods become worthless.

While there are many ways for attackers to target YouTube channel owners, it seems the recent accounts were harvested from databases containing Google credentials as well as from malware-infected computers. In the past, attackers used sophisticated phishing campaigns in combination with reverse proxy toolkits like Modlishka to defeat Google’s two-step verification (one-time password): the proxy sits between the victim and the real login page and relays the password and the one-time code as they are typed. However, none of the current sellers mention 2FA, which may mean these accounts had not opted in to this additional security step. While 2FA is not a silver bullet against cybercriminals, it is highly recommended to opt in to it, keep your computer properly patched, understand the risks and types of phishing attacks, and set a recovery phone number or email.
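To make concrete why the relay just described defeats a one-time code but not a second factor bound to the site's origin, here is an added Python model; it is not code from the original post or from IntSights, and the origins, password, secrets and the symmetric stand-in for an authenticator keypair are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model: origins, password and keys below are made-up placeholders.
GENUINE_ORIGIN = "https://accounts.example.test"
PHISH_ORIGIN = "https://accounts-example.test"  # lookalike site fronted by the reverse proxy

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class Service:
    """Login backend holding the user's password, OTP seed and registered authenticator key."""

    def __init__(self, password: str, otp_seed: bytes, registered_key: bytes):
        self.password, self.otp_seed, self.registered_key = password, otp_seed, registered_key

    def login_otp(self, password: str, otp: str) -> bool:
        # The code only proves possession of the seed; nothing ties it to the page it was typed into.
        expected = _mac(self.otp_seed, b"counter-1").hex()[:6]  # fixed counter keeps this deterministic
        return password == self.password and hmac.compare_digest(otp, expected)

    def login_origin_bound(self, password: str, challenge: bytes, signature: bytes) -> bool:
        # Verifier checks the signature against ITS OWN origin, so one made over a lookalike fails.
        expected = _mac(self.registered_key, challenge + GENUINE_ORIGIN.encode())
        return password == self.password and hmac.compare_digest(signature, expected)

class Victim:
    """User who enters what the page asks for; the browser signs over the origin it is really on."""

    def __init__(self, password: str, otp_seed: bytes, authenticator_key: bytes):
        self.password, self.otp_seed, self.authenticator_key = password, otp_seed, authenticator_key

    def otp(self) -> str:
        return _mac(self.otp_seed, b"counter-1").hex()[:6]  # same code an authenticator app shows

    def sign(self, challenge: bytes, shown_origin: str) -> bytes:
        return _mac(self.authenticator_key, challenge + shown_origin.encode())

def build_pair():
    """Enrol one user; shared secrets stand in for the asymmetric keypair a real authenticator uses."""
    return Service("correct horse", b"otp-seed", b"auth-key"), Victim("correct horse", b"otp-seed", b"auth-key")

def attempt_login(service: Service, victim: Victim, second_factor: str, origin: str = PHISH_ORIGIN) -> bool:
    """Log in through the page at `origin`; a proxy relays everything verbatim, only the origin seen differs."""
    if second_factor == "otp":
        return service.login_otp(victim.password, victim.otp())  # relayed OTP is accepted
    challenge = secrets.token_bytes(16)  # issued by the service, forwarded unchanged by the proxy
    return service.login_origin_bound(victim.password, challenge, victim.sign(challenge, origin))
```

Calling `attempt_login` with the default lookalike origin succeeds for the OTP path and fails for the origin-bound path; passing `GENUINE_ORIGIN` shows the legitimate origin-bound login still works.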

Learn more about cyberattacks related to COVID-19 by reading our report, The Cyber Threat Impact of COVID-19 to Global Business.
