Coordinated campaign hijacks YouTube creator accounts
Creators in the auto-tuning and car review community were hit the hardest
YouTube creators are having their accounts hijacked in what appears to be a coordinated campaign launched against the platform, with hackers focusing on users from the auto-tuning and car review community.
A number of high-profile accounts from the YouTube creators' car community have already been targeted, including Built, Troy Sowers, MaxtChekVids, PURE Function and Musafir.
However, creators from other communities on the platform also reported having their accounts hijacked over the past few days.
The massive wave of account hijacks is the result of a coordinated campaign which used messages to lure users to phishing sites where hackers were able to obtain their credentials.
Bypassing two-factor authentication
After speaking with a YouTube channel owner who managed to recover their account, ZDNet gained a better idea of how these attacks likely occurred.
First, hackers used phishing emails to lure victims to fake Google login pages, where they collected their account credentials. They then broke into the victims' Google accounts, re-assigned popular channels to new owners, and finally changed each channel's vanity URL to trick account owners into thinking their channels had been deleted.
Some of the creators targeted by the campaign received individual emails while others said they had received email chains that included the addresses of multiple YouTube creators, often from the same community or niche.
One creator, whose channel is called Life of Palos, confirmed that hackers were able to bypass the two-factor authentication protecting his account. He believes those behind the campaign could have used a reverse proxy-based phishing toolkit called Modlishka, which is used to intercept 2FA SMS codes. However, there are a number of reverse proxy-based phishing toolkits available on the dark web which could have been used instead.
Those behind these account takeover attacks have not yet come forward and neither Google nor YouTube has issued a public response regarding the coordinated campaign.
Via ZDNet
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.