[The security box] How hackers hijacked thousands of high-profile YouTube accounts
Jared Rimer
jaredrimer at 986themix.com
Thu Oct 21 16:44:12 EDT 2021
Every time I look at the news, I always wonder if I'm done seeing
everything. But this probably doesn't surprise me.
Jared Rimer
Check out my shows on 986 the mix. www.986themix.com/schedule for more
info. Shows are on Wednesdays, Saturdays and Sundays
Wednesday's show is on the independent channel. Check schedule for time
www.jaredrimer.net for my other site.
On 10/21/2021 1:12 PM, Michael Brock via Thesecuritybox wrote:
>
> How hackers hijacked thousands of high-profile YouTube accounts
> Ars Technica / WIRED
>
> Spate of attacks turned creator channels into cryptocurrency scam
> livestreams.
>
> Since at least 2019, hackers have been hijacking high-profile YouTube
> <https://www.wired.com/tag/youtube> channels. Sometimes they broadcast
> cryptocurrency scams
> <https://www.wired.com/story/cryptocurrency-scams-ico-trolling/>,
> sometimes they simply auction off access to the account. Now, Google has
> detailed
> <https://blog.google/threat-analysis-group/phishing-campaign-targets-youtubers-cookie-theft-malware/>
> the technique that hackers-for-hire used to compromise thousands of
> YouTube creators
> <https://www.wired.com/story/our-favorite-youtube-channels/> in just the
> past couple of years.
>
> Cryptocurrency scams and account takeovers themselves aren’t a rarity;
> look no further than last fall’s Twitter hack for an example of that
> chaos at scale. But the sustained assault against YouTube accounts
> stands out both for its breadth and for the methods the hackers used,
> and an old maneuver that’s nonetheless incredibly tricky to defend against.
>
> It all starts with a phish
> <https://www.wired.com/2017/03/phishing-scams-fool-even-tech-nerds-heres-avoid/>.
> Attackers send YouTube creators an email that appears to be from a real
> service—like a VPN, photo editing app, or antivirus offering—and offer
> to collaborate. They propose a standard promotional arrangement: Show
> our product to your viewers and we’ll pay you a fee. It’s the kind of
> transaction that happens every day for YouTube’s luminaries, a bustling
> industry of influencer payouts.
>
> Clicking the link to download the product, though, takes the creator to
> a malware landing site instead of the real deal. In some cases the
> hackers impersonated known quantities like Cisco VPN and Steam games, or
> pretended to be media outlets focused on COVID-19. Google says it has
> found over 1,000 domains to date that were purpose-built for infecting
> unwitting YouTubers. And that only hints at the scale. The company also
> found 15,000 email accounts associated with the attackers behind the
> scheme. The attacks don’t appear to have been the work of a single
> entity; rather, Google says, various hackers advertised account takeover
> services on Russian-language forums.
>
> Once a YouTuber inadvertently downloads the malicious software, it grabs
> specific cookies from their browser. These “session cookies” confirm
> that the user has successfully logged in to their account. A hacker can
> upload those stolen cookies to a malicious server, letting them pose as
> the already authenticated victim. Session cookies are especially
> valuable to attackers because they eliminate the need to go through any
> part of the login process. Who needs credentials to sneak into the Death
> Star detention center when you can just borrow a stormtrooper’s armor?
>
> “Additional security mechanisms like two-factor authentication can
> present considerable obstacles to attackers,” says Jason Polakis, a
> computer scientist at the University of Illinois, Chicago, who studies
> cookie theft techniques. “That renders browser cookies an extremely
> valuable resource for them, as they can avoid the additional security
> checks and defenses that are triggered during the login process.”
>
> Such “pass-the-cookie” techniques have been around for more than a
> decade, but they’re still effective. In these campaigns, Google says it
> observed hackers using about a dozen different off-the-shelf and open
> source malware tools to steal browser cookies from victims' devices.
> Many of these hacking tools could also steal passwords.
>
> “Account hijacking attacks remain a rampant threat, because attackers
> can leverage compromised accounts in a plethora of ways,” Polakis says.
> “Attackers can use compromised email accounts to propagate scams and
> phishing campaigns or can even use stolen session cookies to drain the
> funds from a victim’s financial accounts.”
>
> Google wouldn’t confirm which specific incidents were tied to the
> cookie-theft spree. But a notable surge in takeovers occurred in August
> 2020
> <https://www.businessinsider.com/youtube-channels-bitcoin-scammers-twitter-hack-2020-8>,
> when hackers hijacked multiple accounts with hundreds of thousands of
> followers and changed the channel names to variations on “Elon Musk” or
> “Space X,” then livestreamed bitcoin giveaway
> <https://www.wired.com/story/classic-scam-steals-bitcoin-on-twitter/>
> scams. It’s unclear how much revenue any of them generated, but
> presumably these attacks have been at least moderately successful given
> how pervasive they became.
>
> This type of YouTube account takeover ramped up in 2019 and 2020, and
> Google says it convened a number of its security teams to address the
> issue. Since May 2021 the company says it has caught 99.6 percent of
> these phishing emails on Gmail, with 1.6 million messages and 2,400
> malicious files blocked, 62,000 phishing page warnings displayed, and
> 4,000 successful account restorations. Now Google researchers have
> observed attackers transitioning to targeting creators who use email
> providers other than Gmail—like aol.com, email.cz, seznam.cz, and
> post.cz—as a way of avoiding Google’s phishing detection. Attackers have
> also started trying to redirect their targets over to WhatsApp,
> Telegram, Discord, or other messaging apps to keep out of sight.
>
> “A large number of hijacked channels were rebranded for cryptocurrency
> scam live-streaming,” Google TAG explains in a blog post
> <https://blog.google/threat-analysis-group/phishing-campaign-targets-youtube-creators-cookie-theft-malware/>.
> “The channel name, profile picture and content were all replaced with
> cryptocurrency branding to impersonate large tech or cryptocurrency
> exchange firms. The attacker live-streamed videos promising
> cryptocurrency giveaways in exchange for an initial contribution.”
>
> Though two-factor authentication can’t stop these malware-based cookie
> thefts, it’s an important protection for other types of scams and
> phishing. Beginning on November 1, Google will require YouTube creators
> who monetize their channels to turn on two-factor for the Google account
> associated with their YouTube Studio or YouTube Studio Content Manager.
> It’s also important to heed Google’s “Safe Browsing” warnings about
> potentially malicious pages. And as always, be careful what you click
> and which attachments you download from your email.
>
> The advice for YouTube viewers is even simpler: If your favorite channel
> is pushing a cryptocurrency deal that seems too good to be true, give it
> some Dramatic Chipmunk side eye and move on.
>
> /This story originally appeared on wired.com
> <https://www.wired.com/story/youtube-bitcoin-scam-account-hijacking-google-phishing/>./
>
> Original Article: https://arstechnica.com/?p=1806361
>
> Michael Brock
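The cookie-replay problem the forwarded article describes, and the kind of server-side session binding that blunts it, as an added Python example that is not from the article, from WIRED or from Google: a hypothetical in-memory session store whose naive form accepts any live session ID whoever presents it, beside a form that ties the session to the client that logged in and demands recent authentication before high-impact actions. The fingerprint rule (User-Agent plus IPv4 /24) and the 15-minute re-auth window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

def client_fingerprint(user_agent: str, ip: str) -> str:
    """Coarse binding: exact User-Agent plus the /24 of the IPv4 address
    (assumption: IPv4 clients; a replay from another network/browser differs)."""
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{prefix}".encode()).hexdigest()

class NaiveSessionStore:
    """Accepts any live session ID whoever presents it: what pass-the-cookie abuses."""

    def __init__(self):
        self.sessions = {}  # hypothetical in-memory store, not YouTube's

    def issue(self, user, user_agent, ip):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "auth_at": time.time()}
        return sid

    def resolve(self, sid, user_agent, ip):
        s = self.sessions.get(sid)
        return s["user"] if s else None

class BoundSessionStore(NaiveSessionStore):
    """Ties the session to the logging-in client and demands a recent
    authentication for high-impact actions, so a replayed cookie alone is not enough."""

    def issue(self, user, user_agent, ip):
        sid = super().issue(user, user_agent, ip)
        self.sessions[sid]["fp"] = client_fingerprint(user_agent, ip)
        return sid

    def resolve(self, sid, user_agent, ip):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if not hmac.compare_digest(s["fp"], client_fingerprint(user_agent, ip)):
            del self.sessions[sid]  # mismatch: revoke, the user must log in again
            return None
        return s["user"]

    def allow_sensitive(self, sid, user_agent, ip, max_age_s=900):
        """True only for a bound session (re)authenticated within max_age_s."""
        if self.resolve(sid, user_agent, ip) is None:
            return False
        return time.time() - self.sessions[sid]["auth_at"] <= max_age_s
```

Binding by User-Agent and network is a heuristic: a stolen cookie replayed through the victim's own machine still passes, which is why the recent-authentication gate on sensitive actions (channel rename, payout changes) is the part that matters most.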