Sophos News

YouTube ‘influencers’ get 2FA tokens phished

A wave of hijackings over the weekend whisked accounts out from under high-profile YouTubers, many of them in the auto-tuning and car reviewing community, and some of them despite being protected by two-factor authentication (2FA), ZDNet reported on Monday.

ZDNet’s Catalin Cimpanu posted links to a few dozen posts from YouTube creators who’ve taken to Twitter, Instagram and/or YouTube support to fume or to ask for help. Here’s one such: an Instagram post from the creator of Built, a YouTube channel that as of Monday afternoon had blinked out of existence in the wake of what appears to be a coordinated campaign.

According to a YouTube video posted by Life of Palos over the weekend, 100K or so creators in the YouTube car community received a phishing email that’s believed to be the first stage of this attack.

This was no spray and pray operation

This apparently wasn’t a random attack. The crooks who took over the accounts went after those with high follower counts – in other words, high-value accounts that they can sell on forums devoted to trafficking hacked accounts.

ZDNet talked to a hacker named Askamani, active on OGUsers, an internet forum known for trafficking hacked accounts. The hacker said that it sounds like “someone got their hands on an email list with addresses from a specific sector,” and that it was stuffed with the details of such “influencers.”

My money is on someone hacking into one of those social media influencer databases.

If there’s a spike in complaints, as you said, then someone got their hands on a real nice database and [they’re] now getting a bang for their buck.

Modus operandi

The account takeovers were apparently accomplished with a phishing campaign that lured users to sites where victims were prompted to log in with their YouTube account credentials.

YouTube staff reportedly told one channel owner that this is how the attacks went down:

  1. Phishing emails tricked content creators into visiting fake Google login pages, where the attacker(s) snared their victims’ account credentials.
  2. The attackers broke into the victims’ Google accounts.
  3. Next, they re-assigned popular channels with large followings to new owners.
  4. Finally, the crooks changed vanity URLs, giving the original account owner and their followers the impression that the purloined accounts had been deleted.

At least some of the YouTubers involved said that they had 2FA enabled.

The Google account phishing scenario described by victims is reminiscent of what researcher Piotr Duszyński showed could be done with Modlishka, the penetration testing tool he published in January 2019, which led some, including the YouTube channel Life of Palos, to suggest his tool was used to carry out this attack.

Modlishka, a reverse proxy-based phishing toolkit, is capable of automating the phishing of one-time passcodes (OTPs) commonly used for 2FA. It’s certainly not the only way to capture the SMS or app-generated codes though, and successful attacks against 2FA pre-date its release.

In December 2018, within days of each other and before Modlishka had been released, we saw two separate reports of attacks where phishing was successfully used to obtain OTPs as part of targeted campaigns.

The first was against high-value US targets including US government officials, nuclear scientists, journalists, human rights campaigners, and think tank employees.

The next such attack was documented by Amnesty International as having been part of a campaign to break into the email accounts of over 1,000 human rights campaigners.

As we reported when Modlishka was released, on one level, it’s simply a tool that sits on the same server as a phishing site, capturing any credentials and 2FA tokens the user can be tricked into entering.

But instead of cloning the phished site – Gmail, for example, though it would work just as well in an attack against any service where the same authentication is in use – it behaves like a reverse proxy, cleverly feeding the user content from the real site to make an attack look more convincing.

To a user, it looks like they’re interacting with the real site because they are, albeit on a different domain.

Perhaps a more important question than “was it Modlishka” is this: if you can’t count on 2FA to protect you from phishing, what can you count on? It matters because, as Life of Palos pointed out, there are YouTube creators whose livelihoods are at stake here. Life of Palos talked to the owner of Built, for example: a man who recently quit his job to devote himself full time to his channel – a channel that’s been stolen, lock, stock and barrel.

What to do?

Two-factor authentication that relies on a manually-entered code offers a lot of security bang for your buck but it is primarily a defence against stolen, reused or easily guessed passwords rather than against phishing.

Successfully phishing credentials that include a 2FA OTP code is harder than just capturing a username and password, but it is not impossible. The difficulty for attackers is that OTP codes have a very short shelf life and can’t be stockpiled for later use. So, to succeed, an attacker has to find a way to grab and use the OTP code within a 30-second window.

There is a form of two-factor authentication that is much more resistant to phishing though: hardware tokens based on the FIDO U2F or WebAuthn specifications, such as Yubico’s YubiKey or Google’s own Titan.
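To show why that distinction matters, here is an added Python sketch (not from the article, nor from any vendor): a relayed one-time code verifies no matter which site the victim typed it into, while a WebAuthn-style assertion has the browser's origin baked into the signed data, so an assertion produced on a reverse proxy's look-alike domain is rejected by the real site. Seeds, keys, origins and challenges are constructed values, and an HMAC stands in for the token's asymmetric signature.

```python
import hmac, hashlib, json, struct

# Constructed sample values (not from the article): TOTP seed, authenticator key, real and proxy origins.
TOTP_SEED = b"constructed-totp-seed"
DEVICE_KEY = b"constructed-device-key"
RP_ORIGIN = "https://accounts.example.com"
PROXY_ORIGIN = "https://accounts-example.com"

def totp_code(seed: bytes, now: int, step: int = 30) -> str:
    """6-digit time-based OTP for the 30-second window containing `now` (RFC 6238 style)."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def server_checks_totp(seed: bytes, submitted: str, now: int) -> bool:
    return hmac.compare_digest(submitted, totp_code(seed, now))

def relay_totp(now: int) -> bool:
    """Victim types the code on the proxy; the proxy forwards it within the same window.
    Nothing in the code records where it was typed, so the real site accepts it."""
    code_typed_on_proxy = totp_code(TOTP_SEED, now)
    return server_checks_totp(TOTP_SEED, code_typed_on_proxy, now)

def authenticator_sign(challenge: str, browser_origin: str) -> dict:
    """WebAuthn-style assertion: the browser, not the page, records the origin it is on,
    and the signature covers it. HMAC stands in for the token's asymmetric signature."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
    sig = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "sig": sig}

def rp_verify(expected_challenge: str, assertion: dict) -> bool:
    """Relying party: signature must be valid AND clientData.origin must be its own origin."""
    data = json.loads(assertion["clientData"])
    good_sig = hmac.new(DEVICE_KEY, assertion["clientData"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(good_sig, assertion["sig"])
            and data["challenge"] == expected_challenge
            and data["origin"] == RP_ORIGIN)

def direct_webauthn() -> bool:
    challenge = "constructed-challenge-1"
    return rp_verify(challenge, authenticator_sign(challenge, RP_ORIGIN))

def relay_webauthn() -> bool:
    """Proxy fetches a real challenge and hands it to the victim's browser on PROXY_ORIGIN;
    the signed assertion names the proxy's origin, so replaying it at the real site fails."""
    challenge = "constructed-challenge-2"
    return rp_verify(challenge, authenticator_sign(challenge, PROXY_ORIGIN))
```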

Similarly, if you rely on a password manager (software that will create, remember and enter your passwords for you) it won’t enter your password into the wrong site, no matter how convincing it is.
