The campaign was led by multiple hackers
Google's Threat Analysis Team has put out a detailed report, which tracks phishing campaigns that have targeted YouTube creators since late 2019.
The team attributes the campaign to a group of individuals operating on a Russian forum, who lured their targets with fake collaboration opportunities.
These fake opportunities ranged from demos of anti-virus software and VPNs to access to online games. The creators' channels would then be hijacked and either sold to the highest bidder or used to broadcast cryptocurrency scams.
Threat actors accomplished this by sending out fake emails, impersonating a business and reaching out to creators with an opportunity. Once a target agreed, a link to a malware-laden landing page would be sent. When clicked, the link would load malware onto the creator's system.
Google identified 15,000 fake accounts, which were created for the campaign. The threat analysis team also identified at least 1,011 domains which were created specifically for the attacks and some even impersonated legitimate sites like Cisco VPN or Luminar.
"We have observed that actors use various types of malware based on personal preference, most of which are easily available on Github," read the report.
"Some commodity malware used included RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad (Google’s naming), and Kantal (Google’s naming) which shares code similarity with Vidar. Open source malware like Sorano and AdamantiumThief were also observed."
Google says that since 2019 it has "blocked 1.6M messages to targets, displayed 62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored 4K accounts."