An increasing number of offers for stolen YouTube credentials has been noted recently on hacker and cybercrime forums, where access to accounts is sold in bulk.
Sellers advertise large lists of credentials that are verified for the availability of a YouTube channel and subscriber count.
Subscriber count makes the price
Cybercriminals found value in YouTube channels a long time ago: the channels give them a new audience to expose to fraudulent activities ranging from scams to advertising.
Others simply hijack the channels and ask the legitimate owner to pay a ransom to get them back. YouTube community support is filled with complaints from users who lost access to their channel and were then asked to pay a ransom.
The data comes mostly from infected computers, phishing campaigns, or logs of credentials. It is combed for logins to specific services and then auctioned on forums.
Researchers at external threat intelligence company IntSights found that there is increased demand for YouTube credentials on underground markets, which also fuels data verification side businesses.
The value of the lists offered is proportional to the subscriber count. For instance, the bidding for a channel with 200,000 subscribers starts at $1,000 with a step of $200.
One post advertised an auction of a log for 990,000 active YouTube channels that started at $1,500; anyone paying $2,500 got it without contest. The seller was looking to cash in fast, like other actors, for fear of victims reporting the mischief and reclaiming access to their accounts.
A set of 687 YouTube accounts, broken down by subscriber count, was available for a starting price of $400 and a $100 step. Anyone willing to pay $5,000 would get it on the spot.
Another actor was looking to sell credentials for more than 25 YouTube channels, some with over 100,000 subscribers, for a starting price of $600 and a step of $100. They also offered to sell the set immediately to whoever paid $2,000.
Etay Maor, IntSights’ Chief Security Officer, says that the surge of YouTube logs likely originates from databases with Google credentials and infected computers.
Users reporting account hijacking to YouTube often complain that they were tricked into downloading malicious software on their computers.
Another victim reported a similar story, with fraudsters pretending to look for collaborators.
Maor says that attackers in the past relied on sophisticated phishing campaigns and reverse-proxy toolkits that defeated Google’s two-factor authentication (2FA).
No mention of 2FA from the sellers could mean that the stolen credentials are for accounts where this security option was inactive.