Hey YouTube users, is your account secure from the recent hack attacks? High-profile YouTubers have been targeted by cybercriminals in a coordinated, massive attack. Here’s what to do to protect your own account.
The security warning was made by Catalin Cimpanu, a ZDNet reporter, who spoke to a member of an internet forum with a history of trading access to hacked accounts, as reported by Forbes.
Which YouTube accounts have been hacked?
According to the ZDNet investigation, many accounts belonging to well-known YouTubers within the car community appear to have been hijacked. However, it would also appear the attack itself has been directed mostly towards “influencers” across many YouTube channel genres. Amongst those taking to Twitter to complain about their YouTube accounts being hacked and access to their channels lost, were YouTubers covering technology, music, gaming, and Disney. With more than 23 million YouTube channels, anyone who creates content should be heeding this warning though.
How were the YouTube accounts hacked?
The investigation by Cimpanu points clearly towards a coordinated phishing campaign. Having spoken to a member of an internet forum where online account hijackers are known to chat, Cimpanu was able to determine that this was likely a highly targeted, or “spear phishing,” campaign rather than a spray and pray operation. The forum member told ZDNet that someone had got hold of a “real nice database,” and were “getting a bang for their buck,” as a result.
The attack methodology would appear to be nothing out of the ordinary, truth be told.
Emails are sent to people to be targeted from the list of YouTuber influencers, luring them to a fake Google login page. This is used to harvest their Google account credentials which then give the attacker access to YouTube accounts. These are then transferred to a new owner and the vanity URL changed. The actual owner of that channel and those who subscribe to it are left thinking the account has been deleted.
At least some of the accounts that were successfully hacked had been employing two-factor authentication (2FA) for additional protection according to the ZDNet report. This suggests that the attackers were using a reverse proxy toolkit, such as the popular Modlishka phishing package, to intercept 2FA codes sent using SMS.
How can you best protect your YouTube account?
I contacted James Houghton, who says that this is an “extremely impressive and coordinated attack, potentially using man-in-the-middle or reverse-proxy based interception,” for the real-time capture of two-factor authentication codes. This all sounds very high-tech and sophisticated, but “the vulnerability here is still the human,” Houghton says, “this attack relies on an individual clicking and following a click before checking the basics.” Houghton says that the problem primarily comes down to a “lack of knowledge surrounding what to look out for in a phishing email and conversely what to look for in a legitimate email.”
These phishing emails are usually constructed well and “can look genuine at first glance, even to the trained eye,” says Jake Moore, cybersecurity specialist at ESET. “Telltale signs such as the link shown in the body of the email or even questioning why you have been sent it in the first place should be enough to pause your actions,” Moore says.
Then there’s the cloned Google login page that the link would have landed at. The URL for this mirrored page wasn’t “looked at with enough vigilance,” says Houghton, as this would likely be obfuscated in some way and not the same as the original Google account page. It used to be the case that the lack of an HTTPS certificate for a site, signified by the green padlock or similar in the browser address bar, would be enough to set alarm bells ringing, generally speaking. That’s not the case now, and “the removal of Extended Validation (EV) information in the address bar,” Houghton says, makes it much harder to spot. Not, of course, that a site with an SSL certificate is any guarantee of validity; it just means that the site owner has protected the communications channel between browser and website, nothing more.
Despite 2FA apparently having been circumvented for at least some of these YouTube account attacks, Jake Moore says that it’s still essential that “every account you own should utilize 2FA.” However, this should “ideally be an authenticator app rather than a code sent over SMS,” Moore says.
Security researcher Sean Wright says that people should also look at the use of “Universal 2nd Factor (U2F) tokens for 2FA,” which “to date have stood up to phishing attempts.” U2F is an open authentication standard supported by Yubico and Google Titan hardware security keys. Influencers and other creators with large followings should also consider “looking at Google’s Advanced Protection Program,” Wright says. This adds another layer of protection into the mix, requiring two security keys. It does also mean that some third-party apps won’t be allowed anymore, but that’s a small price to pay for hardened Google account security.
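The difference between the SMS or app codes that a reverse proxy can relay (described under “How were the YouTube accounts hacked?”) and the U2F tokens Wright recommends comes down to what the second factor is bound to. The following is an added illustration, not code from the article or from any of the vendors named in it: a TOTP code is just six digits the server checks, so it verifies no matter which page the user typed it into, whereas a U2F-style assertion is signed over the origin the browser is actually on, so an assertion produced while on a look-alike page fails at the real site. The origin `https://login.example.invalid` is a placeholder, the secrets are constructed, and an HMAC stands in for the token’s per-site ECDSA signature to keep the model self-contained.

```python
import hashlib
import hmac
import struct

# Constructed sample values for this illustration; not real secrets, keys or domains.
TOTP_SECRET = b"constructed-shared-secret"
U2F_KEY = b"constructed-device-key"            # stand-in for the token's per-site key pair
REAL_ORIGIN = "https://accounts.google.com"
PHISH_ORIGIN = "https://login.example.invalid"  # placeholder for a look-alike domain


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """The server only compares digits; nothing ties the code to the page it was typed on."""
    return hmac.compare_digest(totp(secret, unix_time), code)


def u2f_sign(device_key: bytes, origin_seen_by_browser: str, challenge: bytes) -> dict:
    """Model of a U2F/FIDO assertion. The browser, not the user, supplies the origin
    it is actually on, and the token signs over it together with the challenge."""
    client_data = f"{origin_seen_by_browser}|{challenge.hex()}".encode()
    sig = hmac.new(device_key, client_data, hashlib.sha256).hexdigest()
    return {"origin": origin_seen_by_browser, "challenge": challenge.hex(), "sig": sig}


def verify_u2f(device_key: bytes, assertion: dict, expected_origin: str, challenge: bytes) -> bool:
    """Relying party: the origin must be its own and the signature must cover that origin."""
    if assertion["origin"] != expected_origin:
        return False
    if assertion["challenge"] != challenge.hex():
        return False
    client_data = f"{assertion['origin']}|{assertion['challenge']}".encode()
    expected = hmac.new(device_key, client_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def relayed_code_is_accepted(unix_time: int = 1569196800) -> bool:
    """A valid TOTP code forwarded unchanged from a fake page still verifies at the real site."""
    code_typed_on_fake_page = totp(TOTP_SECRET, unix_time)
    return verify_totp(TOTP_SECRET, code_typed_on_fake_page, unix_time)


def relayed_u2f_is_accepted() -> bool:
    """The same relay with a security key: the token signed the look-alike origin, so it fails."""
    challenge = b"constructed-challenge-from-real-site"
    assertion = u2f_sign(U2F_KEY, PHISH_ORIGIN, challenge)  # browser is on the fake page
    return verify_u2f(U2F_KEY, assertion, REAL_ORIGIN, challenge)


def legitimate_u2f_is_accepted() -> bool:
    """Control case: the same token used on the genuine origin verifies."""
    challenge = b"constructed-challenge-from-real-site"
    assertion = u2f_sign(U2F_KEY, REAL_ORIGIN, challenge)
    return verify_u2f(U2F_KEY, assertion, REAL_ORIGIN, challenge)


if __name__ == "__main__":
    print("relayed TOTP accepted:", relayed_code_is_accepted())      # True
    print("relayed U2F accepted:", relayed_u2f_is_accepted())        # False
    print("legitimate U2F accepted:", legitimate_u2f_is_accepted())  # True
```

The point the model makes is the one behind Wright’s recommendation: a code the user reads and retypes carries no information about where it was entered, while a security key answers with a signature that names the origin, so the real site can reject anything that was not signed for it. Real U2F and WebAuthn also bind the key pair to the registering origin, which is a second, independent reason a token registered with Google will not answer for another domain.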
What does YouTube say?
A YouTube spokesperson sent me the following statement after this article originally published:
“We have not seen evidence of an increase in hacking attempts over the weekend. We take account security very seriously and regularly notify users when we detect suspicious activity. We encourage users to enable two-factor authentication as part of Google’s account Security Checkup, which decreases the risk of hacking. If a user has reason to believe their account was compromised, they can notify our team to secure the account and regain control.”
That YouTube has not seen evidence of an increase in hacking attempts is at odds with the swathe of account takeover reports that the ZDNet investigation confirmed across the last week, peaking at the weekend. However, the fact remains that this is a good time to take heed of the warnings concerning account hijacking and the coordinated hacking campaign that has been reported.
Winder, Davey. (2019, September 23). Security Warning For 23 Million YouTube Creators Following ‘Massive’ Hack Attack. Forbes.