How hackers hijacked thousands of high-profile YouTube accounts


Future Publishing | Getty Images

Hackers have been hijacking well-known YouTube channels since at least 2019. Sometimes they broadcast cryptocurrency scams, sometimes they simply auction off access to the accounts. Now Google has detailed the techniques attackers used to compromise thousands of YouTube creators over the past few years.

Cryptocurrency scams and account takeovers are nothing new in themselves; last fall's Twitter hack showed how much chaos they can cause. The ongoing attacks on YouTube accounts are notable, though, for their breadth and for the technique behind them: an old strategy that remains surprisingly tricky to defend against.

It all starts with phishing. The attacker sends the YouTube creator an email that appears to come from a real service (a VPN, a photo editing application, or an antivirus product, say) and proposes a collaboration. The pitch is a standard promotional arrangement: show our product to your audience and we will pay you. For YouTube personalities this is an everyday transaction; influencer marketing is a bustling industry.

Clicking the link to download the product, however, takes the creator to a malware landing page instead of the real thing. In some cases the hackers impersonated well-known names such as Cisco VPN and Steam games, or posed as media outlets focused on COVID-19. Google said it has so far discovered more than 1,000 domains built specifically to infect unsuspecting YouTubers. That alone hints at the scale. The company also found 15,000 email accounts linked to the attackers behind the campaign. The attacks do not appear to be the work of a single entity; instead, Google said, various hackers advertised account takeover services on Russian-language forums.
</gml_replace>
<gr_replace lines="18" cat="clarify" orig="Once a YouTuber">
Once a YouTuber unwittingly downloads the malware, it grabs specific cookies from their browser. These “session cookies” confirm that the user has already logged in to their account. Hackers can upload the stolen cookies to a malicious server and use them to pose as the already-authenticated victim. Session cookies are especially valuable to attackers because they let them skip the login process entirely. Who needs credentials to sneak into the Death Star detention center when you can just borrow a stormtrooper's armor?

Once a YouTuber unintentionally downloads malware, it will obtain a specific cookie from their browser. These “session cookies” confirm that the user has successfully logged in to their account. Hackers can upload these stolen cookies to a malicious server, allowing them to impersonate an authenticated victim. Session cookies are particularly valuable to attackers because they do not need to go through any part of the login process. When you can borrow the armor of the stormtroopers, who needs credentials to sneak into the Death Star Detention Center?

“Additional security mechanisms like two-factor authentication can present a considerable obstacle to attackers,” said Jason Polakis, a computer scientist who studies cookie theft at the University of Illinois in Chicago. “This makes browser cookies an extremely valuable resource for them because they can avoid additional security checks and defenses triggered during the login process.”

This “pass-the-cookie” technique has been around for more than a decade, but it is still effective. In these campaigns, Google said it observed hackers using a dozen different off-the-shelf and open-source malware tools to steal browser cookies from victims' devices. Many of these tools can steal passwords as well.
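The defensive counterpart to the two paragraphs above is to stop treating a session cookie as proof of identity on its own. The following Python sketch is an added example, not code from Google, Polakis or the article: it binds each server-side session to the client that actually completed login (and any 2FA step), flags a cookie that later shows up from a different network and browser, and runs the same check offline over a few constructed log events. The fingerprint scheme, the `SessionStore` class and the sample events are all assumptions made for the illustration.

```python
"""Detect and mitigate reuse of stolen session cookies ("pass-the-cookie").

Added illustration, not code from Google or the article. A stolen session
cookie is presented from a device the server never authenticated, so the
defence is to bind each session to the client that completed login (and
any 2FA step) and to force re-authentication when the cookie is presented
from somewhere else.
"""
import hashlib
from dataclasses import dataclass


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Coarse binding key: the /24 of the client IP plus the User-Agent.

    Deliberately coarse so that ordinary roaming inside one network does
    not log users out; a change of both parts is a strong replay signal.
    """
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    mfa_passed: bool


class SessionStore:
    """Server-side session table keyed by the opaque cookie value (assumed design)."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self, sid: str, user: str, ip: str, ua: str, mfa_passed: bool) -> None:
        # Only a completed login (with its 2FA step) may bind a cookie to a client.
        self._sessions[sid] = Session(user, client_fingerprint(ip, ua), mfa_passed)

    def validate(self, sid: str, ip: str, ua: str) -> str:
        """Return 'ok', 'unknown' or 'reauth_required' for a presented cookie."""
        s = self._sessions.get(sid)
        if s is None:
            return "unknown"
        if s.fingerprint != client_fingerprint(ip, ua):
            # Cookie replayed from a different client: drop the session so the
            # 2FA step the attacker skipped has to be completed again.
            del self._sessions[sid]
            return "reauth_required"
        return "ok"


# Constructed sample of authentication log events (not real traffic).
SAMPLE_EVENTS = [
    {"ts": 1, "type": "login", "sid": "sid-A", "user": "creator1",
     "ip": "203.0.113.10", "ua": "Chrome/94 Windows", "mfa": True},
    {"ts": 2, "type": "request", "sid": "sid-A", "ip": "203.0.113.10",
     "ua": "Chrome/94 Windows", "path": "/studio"},
    # Same cookie, new network and browser, no login event in between.
    {"ts": 3, "type": "request", "sid": "sid-A", "ip": "198.51.100.7",
     "ua": "Firefox/93 Linux", "path": "/studio/channel/rename"},
    {"ts": 4, "type": "login", "sid": "sid-B", "user": "creator2",
     "ip": "192.0.2.44", "ua": "Safari/15 macOS", "mfa": True},
    {"ts": 5, "type": "request", "sid": "sid-B", "ip": "192.0.2.44",
     "ua": "Safari/15 macOS", "path": "/studio"},
]


def detect_cookie_replay(events: list) -> list:
    """Offline detection over a log: flag requests whose session cookie is
    presented from a client fingerprint other than the one that logged in."""
    store = SessionStore()
    alerts = []
    for e in events:
        if e["type"] == "login":
            store.create(e["sid"], e["user"], e["ip"], e["ua"], e["mfa"])
            continue
        verdict = store.validate(e["sid"], e["ip"], e["ua"])
        if verdict != "ok":
            alerts.append({"ts": e["ts"], "sid": e["sid"],
                           "path": e["path"], "verdict": verdict})
    return alerts


if __name__ == "__main__":
    for alert in detect_cookie_replay(SAMPLE_EVENTS):
        print(alert)
```

Run on the sample, the only alert is the `sid-A` request at `ts` 3, where a cookie issued to a Windows/Chrome client on one network is suddenly presented from a Linux/Firefox client on another. The point of binding and invalidating, rather than merely logging, is that it puts the 2FA step back in the attacker's path, which is exactly the step stolen cookies let them skip; the trade-off is that legitimate users who change both network and browser get asked to log in again.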

“Account hijacking attacks are still a rampant threat because attackers can use stolen accounts in many ways,” Polakis said. “Attackers can use compromised email accounts to spread scams and phishing activities, and can even use stolen session cookies to withdraw funds from victims’ financial accounts.”

Google would not confirm which specific incidents are tied to the cookie-theft spree. There was, however, a notable surge in takeovers in August 2020, when hackers hijacked multiple accounts with hundreds of thousands of followers, renamed the channels to “Elon Musk” or some variant of “Space X”, and then broadcast Bitcoin giveaway scams. It is not clear how much revenue any of them generated, but given how common these attacks have become, presumably they have had at least some success.

This type of YouTube account takeover rose in 2019 and 2020, and Google said it assembled a number of its security teams to address the problem. Since May 2021, the company said, it has caught 99.6% of these phishing emails in Gmail, blocking 1.6 million messages and 2,400 malicious files, displaying 62,000 phishing page warnings, and successfully restoring 4,000 accounts. Google researchers have now observed attackers shifting to creators who use email providers other than Gmail (such as aol.com, email.cz, seznam.cz, and post.cz) as a way to avoid Google's phishing detection. Attackers have also begun trying to steer their targets onto WhatsApp, Telegram, Discord or other messaging apps to evade detection.

“A large number of hijacked channels have been renamed to live-stream cryptocurrency scams,” Google TAG explained in a blog post. “The channel name, profile picture, and content are all replaced with cryptocurrency branding to impersonate a large technology or cryptocurrency exchange company. The attackers live-stream video, promising to provide cryptocurrency in exchange for an initial contribution.”

Although two-factor authentication cannot prevent these malware-based cookie thefts, it remains an important protection against other types of scams and phishing. Starting November 1, Google will require YouTube creators who monetize their channels to turn on two-factor authentication for the Google account associated with their YouTube Studio or YouTube Studio Content Manager. It is also worth heeding Google's “Safe Browsing” warnings about potentially malicious pages. And as always, be careful what you click and what attachments you download from email.

The advice for YouTube viewers is even simpler: if your favorite channel is promoting a cryptocurrency deal that looks too good to be true, give it some dramatic-chipmunk side-eye and move on.

This story originally appeared on wired.com.
