Hackers have been taking over high-profile YouTube channels since at least 2019, broadcasting scams from them and sometimes simply selling access to the accounts. Google has now revealed the method hackers-for-hire used to compromise thousands of YouTube creators over the last few years.
Account takeovers and cryptocurrency scams are not uncommon; last fall's Twitter hack shows what that chaos looks like at scale. The sustained attack on YouTube accounts is notable for its breadth as well as for the hackers' method, an old tactic that can nonetheless be difficult to defend against.
All it takes is a phish. Attackers send YouTube creators an email that looks like it comes from a legitimate service, such as a VPN or photo-editing app, and propose a collaboration. The offer is a standard promotion arrangement: show the product to your viewers and we'll pay you a fee. This is the kind of transaction YouTube's stars make every day in the bustling industry of influencer payments.
Clicking the link to download the product, however, takes the creator to a malware landing site instead of the real thing. Some hackers impersonated well-known names like Steam games and Cisco VPN, while others posed as media outlets focused on COVID-19. Google says it has discovered over 1,000 domains purpose-built to infect YouTubers, and that is only a sample of the scale; it also identified 15,000 email addresses associated with the hackers behind the scheme. Google says the attacks were not carried out by a single entity; instead, several hackers advertised account takeover services on Russian forums.
When a YouTuber unwittingly downloads the malicious software, it automatically grabs certain cookies from their browser. These session cookies attest that the user has already signed in to their account. Hackers upload the stolen cookies to malicious servers, which lets them pose as the authenticated victim. Session cookies are particularly valuable to attackers because they remove the need to complete any part of the login process. You don't need credentials to get into the Death Star detention centre if you can borrow stormtrooper armor.
Jason Polakis, a University of Illinois computer scientist who studies cookie theft, said that additional security mechanisms such as two-factor authentication could present significant obstacles for attackers. Browser cookies are an invaluable resource to attackers, since they can bypass the security checks and defenses that may be triggered during login.
These pass-the-cookie techniques have been around for more than a decade, yet they remain very effective. Google says that in these campaigns the hackers used a variety of malware tools, both open-source and off-the-shelf, to steal browser cookies from victims' computers. The same tools can also steal passwords.
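As an added illustration (not code from Google, YouTube or the original article), the sketch below shows one server-side mitigation for the pass-the-cookie replay described above: each session cookie is bound to the client context seen at login, so the same cookie arriving from another machine is revoked and the user is sent back through the login flow, which is where two-factor authentication applies. The IP addresses and user-agent strings are constructed sample values, and a real deployment would use coarser signals (ASN, device fingerprint) to limit false positives on mobile networks.

```python
"""Session binding against cookie replay (added example, hypothetical service)."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    fingerprint: str  # hash of the client context captured at login


SESSIONS: dict[str, Session] = {}  # cookie value -> session (in-memory store)


def fingerprint(ip: str, user_agent: str) -> str:
    """Reduce the client context to one comparable value."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def login(user: str, ip: str, user_agent: str) -> str:
    """Issue a fresh random cookie value and bind it to the login context."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user, fingerprint(ip, user_agent))
    return token


def check_request(token: str, ip: str, user_agent: str) -> str:
    """Return 'ok', 'unknown' or 'revoked' for a request carrying `token`."""
    sess = SESSIONS.get(token)
    if sess is None:
        return "unknown"
    if sess.fingerprint != fingerprint(ip, user_agent):
        # Same cookie, different client: treat it as a replayed (stolen) cookie
        # and kill the session server-side so the attacker's copy is useless.
        del SESSIONS[token]
        return "revoked"
    return "ok"


def demo() -> list[str]:
    """Constructed sequence: the creator logs in and keeps browsing, then the
    same cookie value shows up from a different machine."""
    creator = ("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/93.0")
    other = ("198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Chrome/94.0")
    cookie = login("creator@example.com", *creator)
    return [check_request(cookie, *creator),   # normal use -> ok
            check_request(cookie, *other),     # replay -> revoked
            check_request(cookie, *creator)]   # victim must log in again
```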
Attackers can use compromised accounts in a variety of ways to steal funds. Account hijacking remains a serious threat, Polakis says: hackers can use compromised email accounts to spread scams and phishing campaigns, or steal session cookies to drain victims' financial accounts.
Google would not confirm which incidents were connected to the cookie-theft spree, but a notable increase in takeovers was observed in August 2020, when hackers seized multiple accounts with hundreds of thousands of followers, renamed the channels to variations of Elon Musk or SpaceX, and livestreamed bitcoin giveaway scams. Although it is not clear how much revenue they generated, the attacks were likely at least moderately successful given how widespread they have become.
These YouTube account takeovers increased in 2019 and 2020, and Google says it convened several of its security teams to address the problem. The company says that since May 2021 Gmail has blocked 99.6% of these phishing emails: 1.6 million messages, 2,400 malicious files blocked, and 62,000 warnings about phishing pages displayed. It also reports 4,000 successful account restorations. Google researchers now see attackers targeting people who use email providers other than Gmail to avoid Google's phishing detection, and to keep their targets out of sight, attackers have begun redirecting them to WhatsApp, Telegram and Discord.
Google's Threat Analysis Group (TAG) explained in a blog post that a large number of hijacked channels were rebranded to livestream cryptocurrency scams: the channel name, profile picture, and content were all replaced with cryptocurrency branding to impersonate large tech or cryptocurrency exchange companies, and the attacker streamed live videos promising cryptocurrency giveaways in exchange for an initial contribution.
Although two-factor authentication cannot stop malware-based cookie theft, it is an important protection against other kinds of fraud and phishing. Starting November 1, YouTube creators who monetize their channels will be required to enable two-factor authentication on the account they use for YouTube Studio or the YouTube Studio Content Manager. Google's Safe Browsing warnings about potentially dangerous pages also matter. As always, be cautious about what you click on and which attachments you download from your email.
YouTube viewers get a simpler recommendation: if your favorite channel promotes a cryptocurrency deal that seems too good to be true, give it the Dramatic Chipmunk eye and move on.
This story first appeared on wired.com