YouTube Security Warning as “Massive” Hack Attack Confirmed

High-profile YouTubers, also known as “influencers”, have been targeted by cybercriminals using deceptive and targeted phishing emails over the weekend in what appears to have been a highly coordinated attack. The security warning came from Catalin Cimpanu, a ZDNet reporter who has access to the chatter on the hacker forums.

Which YouTube accounts have been hacked?

It would appear that the attack was directed mostly at “influencers” across many YouTube channel genres. Despite YouTube issuing a denial, many high-profile YouTubers have taken to Twitter to complain that their YouTube accounts were hacked and access to their channels lost. YouTubers covering cars, technology, music, gaming and Disney appear to have been the most affected, although anyone who creates content should heed this warning.

How were the YouTube accounts hacked?

The investigation points towards a coordinated phishing campaign. It is highly likely that a targeted, or “spear phishing”, campaign was launched against the YouTube influencers, using a hacked database.

The attack methodology appears to be nothing out of the ordinary and follows the standard pattern: emails are sent to the people on the list of targeted YouTube influencers, luring them to a fake Google login page.

The emails are well constructed and can look genuine at first glance, even to a trained eye. One suspicious sign is the link in the body of the email, which leads to a cloned Google login page. Again, the cloned page can look authentic, complete with a green padlock in the browser bar, either lawfully purchased or spoofed to trick the user.

These login pages capture the Google account credentials, which then give the attacker access to the victim's YouTube account. The channel is then transferred to a new owner and its vanity URL changed. The actual owner of the channel and its subscribers are left thinking the account has been deleted when in fact it has just been relocated.

It is reported that at least some of the accounts that were successfully hacked had been using two-factor authentication (2FA) for additional protection. The attackers may have been using a reverse proxy toolkit, such as the popular Modlishka phishing package, to intercept 2FA codes sent by SMS. YouTube released a statement that “if a user has reason to believe their account was compromised, they can notify our team to secure the account and regain control.”

What can we do to stop these types of attacks?

Some commenters will point to the human as the source of the vulnerability and assume that simply checking the link and the “from” field will reveal the deception. Unfortunately, people are busy and easily distracted, and additional psychological factors mean that security awareness training is often less effective than hoped. NCSC published research showing that users who undergo a cyber training programme are, after two years, back to the same level of awareness as when they first started.

Against a high-tech and sophisticated attack, only a few cyber experts will be constantly suspicious and have the technical skills to correctly identify a spear phishing email. When you consider that the display name and the domain can be spoofed, perhaps with Unicode characters in the body text to bypass traditional scans, it is no wonder that these attacks succeed.
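Two of the signs described above, a visible link that disagrees with its real target and look-alike Unicode characters in a domain, can be checked mechanically. The Python below is an added example, not code from the article or from any product it mentions; the email HTML is constructed, and the host names in it are hypothetical.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the article): the visible link text claims to be
# accounts.google.com, but the real target spells "google" with two Cyrillic "о" (U+043E).
SAMPLE_EMAIL_HTML = (
    '<p>Sign in to review a copyright strike on your channel.</p><a href="'
    'https://accounts.g\u043e\u043egle.com/signin">https://accounts.google.com</a>'
)

URL_LIKE = re.compile(r"^(?:https?://)?[^\s/@]+\.[^\s/@]+(?:/\S*)?$")

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lowercased host of a URL-like string, or '' if the string is not URL-like."""
    if not URL_LIKE.match(value):
        return ""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()

def analyse_links(html):
    """Flag anchors whose shown host differs from the real one, and non-ASCII host chars."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real, shown = host_of(href), host_of(text)
        if shown and shown != real:
            findings.append(("host_mismatch", shown, real))
        for ch in real:
            if ord(ch) > 127:  # a Cyrillic letter standing in for a Latin one is the classic homograph
                findings.append(("non_ascii_in_host", ch, unicodedata.name(ch, "?")))
    return findings
```

Plain-text links with no separate display text produce no mismatch finding, so the non-ASCII check is what catches a bare homograph URL.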

For cloud-based email, it is essential that a cloud email security supplement is added to an organisation's cyber defences. The next generation of machine learning will detect a much broader range of attacks, freeing administrators and SOC teams from lots of repetitive rules and giving users real-time phishing detection and awareness capabilities.