In a coordinated attack, malicious actors have hijacked thousands of YouTube creator accounts. Many of the YouTubers targeted in this attack run auto-tuning and car review channels. Content creators are now unable to access their channels, and many channels have been deleted. Security researchers are now blaming YouTube’s multifactor authentication policies for these attacks.
Big-name YouTubers in the car community who were hit include Built, Troy Sowers, PURE Function, and Musafir. Creators from other communities were hit in these attacks as well. Many YouTubers and their subscribers headed to Twitter and Instagram to complain about the recent attacks and YouTube’s lack of help in getting their channels back.
I just wanted to thank you all for the outpouring of comments, DM’s, emails and all around support with this @youtube issue of my channel being hacked and deleted. YouTube says “they’re working on it” but I have not been able to get any additional information out of them. I don’t know if it’s recoverable or if we have to start over. If we have to start over, you guys better be ready for some amazing content because I’ll be coming back better than ever! ________ #raptor #youtube #vlog #ford #trucks
A channel named #musafirakajoshi on #YouTube having more than 1.3 million subscribers on this channel has suddenly vanished from youtube. This channel has got hacked. If somebody from YouTube is viewing this please do the needful.
— vishal malani (@vishalmalani2) September 22, 2019
Malicious actors used a phishing campaign to begin their attacks. Cimpanu determined that the attackers spear-phished creators rather than selecting a random few. This means that the phishing emails were targeted at specific creators.
Once the emails were sent and the links were clicked, the victim was taken to a fake Google login page. When the victim logged in there, the credentials were captured by the attacker. The attacker then took control of the account and changed the URL, making the creator believe the account had been deleted.
Further, attackers were able to take over accounts that had two-factor authentication (2FA) enabled. It is believed that attackers used a reverse-proxy-based phishing toolkit to intercept the 2FA code sent via SMS.
Rather than SMS-based 2FA, Google should encourage its creators to use more secure methods of authentication. These include apps like Google Authenticator or Duo, which change codes every 30-90 seconds, for authentication rather than SMS. It is important to note that although 2FA was intercepted for some of the accounts, enabling it is highly encouraged and more secure than having only a password on your account.
What Happens with The Stolen Accounts?
Askamani, a hacker, told ZDNet that it is likely the hacked accounts will be sold in online forums like OGUsers and Russian forums. The hacker added:
“You can spam random people all you like, but you won’t get access to accounts with good subs [subscribers],” the hacker said. “If there’s a spike in complaints, as you said, then someone got their hands on a real nice database and they’re now getting a bang for their buck.”
How to Protect Yourself?
When you trace back most attacks, in many cases you find that the attack played out because the user clicked on a link. Without the user clicking on a link, the attack pretty much ends at that point. It is important that users are well informed and educated on how to stay safe online. If an email conveys urgency, or if you do not recognize the sender's email account, never click on the link. To learn more about phishing links and how to stay safe, contact LIFARS today.