YouTube Creators Hit by a Major Account Takeover Attack
Individual users fall victim to phishing and lose access to their online accounts on a daily basis, and this sort of thing rarely makes the news. When an attack is aimed at some of the most influential names in an entire community, however, it is bound to attract more attention. We seem to be in the middle of one such attack.
Last week, Catalin Cimpanu, a ZDNet reporter, was told that quite a few prominent YouTube channels followed by large numbers of car enthusiasts appeared to have been deleted. Cimpanu took a look, and he quickly realized that there is indeed a large-scale campaign targeting popular content creators that produce videos dedicated to all things automotive. The attack started at the beginning of last week, and it hit channels like Troy Sowers (which had 115 thousand subscribers according to Social Blade), Built (which had 130 thousand subscribers according to the owner's own calculations), and MaxtChekVids (which had about 50 thousand subscribers according to the owner's Instagram bio). At first, only creators from the automotive community were targeted, but by the end of last week, YouTubers producing other types of content also started complaining.
YouTubers fall for a phishing scam
YouTube account owners will be relieved to hear that the accounts weren't taken over due to a data breach at the world's most popular video sharing platform. The channels were hijacked because their owners were tricked into entering their login details on a phishing page. According to the owner of the Built channel, the crooks were "very convincing" and pretended to be ad salesmen.
Apparently, using some social engineering, the phishers managed to fool the content creators into clicking a link and going to what appeared to be Google's login page. Once the hackers had the victims' usernames and passwords, they would log into the targeted YouTube accounts and would first change the email address and all the other contact details saved by the owner. After that, they would change the channel's custom URL to make it look as if it had been deleted.
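The post-login sequence described above (a new login, the contact details replaced, then the custom URL changed) can be written as a detection rule over account audit events. The following is an added example, not code from the article or from Google; the event names, fields, 30-minute window and verdict labels are assumptions, and the log entries are constructed.

```python
from datetime import datetime, timedelta

# Constructed audit events (time, account, event, details). The event names
# and fields are hypothetical, not the schema of any real Google/YouTube log.
EVENTS = [
    ("2000-01-01T10:00:00", "chan-a", "login", {"known_device": False}),
    ("2000-01-01T10:04:00", "chan-a", "recovery_email_changed", {}),
    ("2000-01-01T10:09:00", "chan-a", "custom_url_changed", {}),
    ("2000-01-01T11:00:00", "chan-b", "login", {"known_device": True}),
    ("2000-01-01T11:05:00", "chan-b", "custom_url_changed", {}),
    ("2000-01-01T12:00:00", "chan-c", "login", {"known_device": False}),
    ("2000-01-02T15:00:00", "chan-c", "recovery_email_changed", {}),
    ("2000-01-01T13:00:00", "chan-d", "login", {"known_device": False}),
    ("2000-01-01T13:10:00", "chan-d", "recovery_phone_changed", {}),
]

WINDOW = timedelta(minutes=30)  # assumed: how long a new-device login stays suspect
CONTACT_CHANGES = {"recovery_email_changed", "recovery_phone_changed"}


def detect_takeovers(events, window=WINDOW):
    """Map account -> verdict for changes made soon after a new-device login."""
    suspect = {}   # account -> (login time, sensitive changes seen since)
    verdicts = {}
    for ts, account, kind, details in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "login":
            if not details.get("known_device"):
                suspect[account] = (when, set())
            continue
        if account not in suspect:
            continue                      # no recent new-device login to correlate
        started, seen = suspect[account]
        if when - started > window:
            del suspect[account]          # too long after the login to correlate
            continue
        seen.add(kind)
        if seen & CONTACT_CHANGES and "custom_url_changed" in seen:
            verdicts[account] = "lock-and-alert"   # full sequence from the article
        elif seen & CONTACT_CHANGES:
            verdicts.setdefault(account, "step-up-auth")
    return verdicts


if __name__ == "__main__":
    for account, verdict in detect_takeovers(EVENTS).items():
        print(account, verdict)
```

Because the rule keys on what happens after authentication, it still fires when the login itself passed a second factor.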
The criminals knew what they were doing
Although the attack has already received a lot of media attention, none of the channels have been recovered as of the time of writing. The affected content creators are in constant contact with Google, but they all say that they haven't been given an ETA on when (and if) the channels will be put back under their control. We are talking about popular, monetized channels, which means that their owners are losing money because of the attack. This is where we need to ask if they had done everything they could to protect them.
Well, at least some of them claim that they had two-factor authentication enabled at the time of the attack, which means that the crooks somehow managed to get past it. There's plenty of speculation around how they managed to do it, with some people claiming that a sophisticated phishing tool named Modlishka was involved. This information can be neither confirmed nor disproved, though, not least because, surprisingly or not, YouTube doesn't seem too concerned about what is undoubtedly a rather serious attack.
Forbes' Davey Winder requested a comment from YouTube representatives, who told him that they have seen no spikes in hacking attempts. This, you have to agree, is odd considering all the evidence which suggests that YouTubers are targeted by a well-coordinated phishing attack.
Catalin Cimpanu wanted to learn more about it, which is why he got in touch with one of the people who frequent internet forums that facilitate the trade of phished login credentials. Cimpanu's source (who goes by the nickname Askamani) said that whoever launched the campaign probably had access to a large database of influencers' contact details. This is something content creators should definitely bear in mind.
The hacker also said that the attackers will probably be in a hurry to sell the channels before their owners are let back in. YouTube could really do worse than be even quicker with helping victims get their accounts back.