High-profile YouTubers have been targeted by cybercriminals over the weekend in what appears to have been a highly coordinated and “massive” attack.
The security warning was made by Catalin Cimpanu, a ZDNet reporter, who spoke to a member of an internet forum with a history of trading access to hacked accounts. Here’s what we know so far and what you need to do to protect your own YouTube account.
Which YouTube accounts have been hacked?
According to the ZDNet investigation, many accounts belonging to well-known YouTubers within the car community have been hijacked. However, it would appear the attack itself has been directed mostly towards “influencers” across many YouTube channel genres. Amongst those taking to Twitter to complain about their YouTube accounts being hacked and access to their channels lost, were YouTubers covering technology, music, gaming and Disney. With more than 23 million YouTube channels, anyone who creates content should be heeding this warning though.
How were the YouTube accounts hacked?
The investigation by Cimpanu points clearly towards a coordinated phishing campaign. Having spoken to a member of an internet forum where online account hijackers are known to chat, Cimpanu was able to determine that this was likely a highly targeted, or “spear phishing,” campaign rather than a spray and pray operation. The forum member told ZDNet that someone had got hold of a “real nice database,” and were “getting a bang for their buck,” as a result.
The attack methodology would appear to be nothing out of the ordinary, truth be told.
Emails are sent to people to be targeted from the list of YouTuber influencers, luring them to a fake Google login page. This is used to harvest their Google account credentials which then give the attacker access to YouTube accounts. These are then transferred to a new owner and the vanity URL changed. The actual owner of that channel and those who subscribe to it are left thinking the account has been deleted.
At least some of the accounts that were successfully hacked had been employing two-factor authentication (2FA) for additional protection according to the ZDNet report. This suggests that the attackers were using a reverse proxy toolkit, such as the popular Modlishka phishing package, to intercept 2FA codes sent using SMS.
How can you best protect your YouTube account?
I contacted James Houghton, CEO at security awareness training platform Phishing Tackle, who says that this is an “extremely impressive and coordinated attack, potentially using man-in-the-middle or reverse-proxy based interception,” for the real-time capture of two-factor authentication codes. This all sounds very high-tech and sophisticated, but “the vulnerability here is still the human,” Houghton says, “this attack relies on an individual clicking and following a click before checking the basics.” Houghton says that the problem primarily comes down to a “lack of knowledge surrounding what to look out for in a phishing email and conversely what to look for in a legitimate email.”
These phishing emails are usually constructed well and “can look genuine at first glance, even to the trained eye,” says Jake Moore, cybersecurity specialist at ESET. “Telltale signs such as the link shown in the body of the email or even questioning why you have been sent it in the first place should be enough to pause your actions,” Moore says.
Then there’s the cloned Google login page that the link would have landed at. The URL for this mirrored page wasn’t “looked at with enough vigilance,” says Houghton, as this would likely be obfuscated in some way and not the same as the original Google account page. It used to be the case that the lack of an HTTPS certificate for a site, signified by the green padlock or similar in the browser address bar, would be enough to set alarm bells ringing. That’s not the case now, and “the removal of Extended Validation (EV) information in the address bar,” Houghton says, makes it much harder to spot. Not, of course, that a site with an SSL certificate is a guarantee of validity; it just means that the site owner has protected the communications channel between browser and website, nothing more.
Despite 2FA apparently having been circumvented for at least some of these YouTube account attacks; Jake Moore says that it’s still essential that “every account you own should utilize 2FA.” However, this should “ideally be an authenticator app rather than a code sent over SMS,” Moore says.
I have approached Google for a statement regarding the spate of successful YouTube account attacks and will update this story should one be forthcoming. In the meantime, if your YouTube channel has been impacted by this attack wave, then you can start the account recovery process here.