Davey Winder at Forbes analyses the coordinated attack. James Houghton, Phishing Tackle CEO, comments.
This weekend, successful YouTube channels have been the target of what looks to be a well-coordinated and “massive” attack.
“Influencers” are the target
The primary target of the attack appears to be “influencers”, who across the various channel genres have been hit the hardest. Many have turned to Twitter, outraged at the loss of access to their channel. There have now been more than 23 million YouTube channels hit, so, regardless of genre, all creators should take notice.
How the attack works
Emails are sent to people to be targeted from a list of YouTube influencers, luring them to a fake Google login page. This is used to harvest their Google account credentials which then give the attacker access to YouTube accounts. These are then transferred to a new owner and the vanity URL changed. The actual owner of that channel and those who subscribe to it are left thinking the account has been deleted.
The attackers select the victim’s channel from a list of YouTube influencers and send an email that coerces the owner into clicking through to a fake Google login page. From this page the attackers harvest the credentials used to access the influencer’s channel. The channel is then transferred to a new owner and the vanity URL changed. Once this has been done, the channel owner and any of its subscribers will believe the account has been deleted.
According to a report by ZDNet, a significant number of affected users were employing two-factor authentication (2FA) as an additional security measure. A possible explanation for this is that the hackers used a reverse proxy toolkit, such as the popular Modlishka phishing package, to intercept SMS messages containing 2FA codes.
“This is an extremely impressive and coordinated attack, potentially using man-in-the-middle or reverse-proxy based interception […] but the vulnerability here is still the human […] this attack relies on an individual clicking and following a click before checking the basics.” – James Houghton, CEO, Phishing Tackle
Measures you can take to safeguard your YouTube account
One standout was the URL of the fake page, which was not “looked at with enough vigilance,” says Houghton, as it would likely be obfuscated in some way and appear different from the genuine Google account page. It was not so long ago that the absence of an HTTPS certificate on a site (no green padlock displayed) would be enough to catch the user’s attention and raise their level of caution. Things are quite different now, and “the removal of Extended Validation (EV) information in the address bar” makes a fake much harder to spot. This isn’t to say an SSL certificate guarantees the authenticity of a website (over 70% of new phishing sites found use SSL); it just means that the site owner has protected the communications channel between the web server and the browser.
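The advice above comes down to reading the address bar correctly: an exact match on the real login host, not a padlock and not the word “google” appearing somewhere in the URL. The following script is an added example written for this page, not code from the article, Forbes or Phishing Tackle. It assumes a single allowlisted login host (accounts.google.com) and runs over a handful of constructed look-alike URLs; it also goes beyond the article’s single point by covering several common obfuscation patterns (trusted name as a subdomain prefix, the “user@host” trick, and non-ASCII or punycode homoglyph labels). It is a teaching aid, not a complete anti-phishing engine.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only host Google credentials should ever
# be typed into is accounts.google.com. A real allowlist needs maintaining;
# the point is that the check is an exact host match, never "does the
# address contain the word google".
LEGITIMATE_LOGIN_HOSTS = {"accounts.google.com"}
TRUSTED_BRAND = "google"


def check_login_url(url: str) -> dict:
    """Scrutinise a login URL the way the article says the victims did not.

    Returns the parsed host, a boolean `legitimate` verdict and the list of
    reasons the URL was flagged. Illustrative only.
    """
    reasons = []
    parts = urlsplit(url.strip())
    host = parts.hostname  # lower-cased, with port and userinfo stripped

    if host is None:
        return {"url": url, "host": None, "legitimate": False,
                "reasons": ["no host in URL"]}

    # HTTPS is necessary but not sufficient: as the article notes, most new
    # phishing sites carry a valid certificate, so a padlock says nothing
    # about who is behind the page. Its absence is still a red flag.
    if parts.scheme != "https":
        reasons.append("not HTTPS")

    # 'accounts.google.com@evil.example' shows the trusted name first, but
    # everything before '@' is userinfo; the real host comes after it.
    if parts.username is not None:
        reasons.append(f"text before '@' ({parts.username}) is not the host; "
                       f"real host is {host}")

    # Non-ASCII or punycode labels can hide homoglyphs (Cyrillic 'о' for 'o').
    if any(ord(c) > 127 for c in host) or any(
            label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised host label (possible homoglyph)")

    if host in LEGITIMATE_LOGIN_HOSTS:
        pass  # exact match on the genuine login host
    elif TRUSTED_BRAND in host:
        # accounts.google.com.evil.example, accounts-google.example, ...
        reasons.append("host embeds the trusted brand name but is not the "
                       "trusted host")
    else:
        reasons.append("host is not a known Google login host")

    return {"url": url, "host": host, "legitimate": not reasons,
            "reasons": reasons}


def triage(urls):
    """Run the check over a batch of URLs and return only the flagged ones."""
    return [v for v in map(check_login_url, urls) if not v["legitimate"]]


# Constructed sample URLs modelled on common look-alike patterns; none of
# these are real sites.
SAMPLE_URLS = [
    "https://accounts.google.com/signin/v2/identifier",
    "https://accounts.google.com.secure-login.example/signin",
    "https://accounts.google.com@login-verify.example/",
    "http://accounts.google.com/",
    "https://accounts.gооgle.com/",  # the two 'о' are Cyrillic, not Latin
    "https://accounts-google.example/signin",
]

if __name__ == "__main__":
    for verdict in map(check_login_url, SAMPLE_URLS):
        status = "OK     " if verdict["legitimate"] else "FLAGGED"
        print(f"{status} {verdict['url']}")
        for reason in verdict["reasons"]:
            print(f"         - {reason}")
```

Only the first sample passes; every other one is flagged for a reason a user could have spotted by reading the host portion of the address rather than the padlock. The same exact-host logic is what a browser password manager or a passkey applies automatically, which is why those do not autofill on a look-alike page.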
Even though 2FA appears to have been circumvented for at least some of these YouTube account attacks, Jake Moore, Security Specialist for ESET, says that it’s still essential that “every account you own should utilize 2FA.” However, this should “ideally be an authenticator app rather than a code sent over SMS.”
Davey Winder has approached Google for a statement regarding the frequency and success of these attacks on YouTube accounts. In the meantime, if your YouTube channel has been impacted by this attack wave, then you can start the account recovery process here.