Written by BlindOS_22, 3:15 pm | Cybersecurity, Opinion

YouTube Channels Are Getting Hacked. — This is What’s Happening.


By now, many of you have likely seen or heard about YouTube channels getting hacked and used to promote scam crypto live streams, usually featuring Elon Musk in some kind of free crypto giveaway. But the methods these hackers use can take over any YouTube channel, and unfortunately the attack bypasses Two-Factor Authentication. This article explains how it is done, what other methods are used, and the preventative measures you can take against these attacks, whether or not you're a content creator.

Scam Live Streams.

These attacks end in live streams that are scams, usually featuring a famous crypto figure or Elon Musk in connection with Tesla, and usually built around some sort of free giveaway where you get free money, of course. The channels hosting these streams are accounts that have been taken over and dressed up to look legitimate. If you wonder how many channels are hijacked, several stream frequently, including channels with large subscriber counts. The largest channel I found hijacked has four million subscribers; when I returned to it later that week, it turned out to be a channel that reviews toys and the like, and there were many more. To find these, all I did was search “Tesla live streams” on YouTube and scroll down. It may sound like an exaggeration to say these channels are taken over, but that is exactly the case: the channel name, the profile picture, and even the @ handle, which also changes the URL, are all replaced. Any videos the creator previously uploaded are then made private, which removes every trace of what the channel used to be.

The way to find that previous content is through the channel ID. A YouTube channel ID is a unique identifier for a channel; it is what social applications and services use to display YouTube information or feeds, and channel IDs do not change. To tell whether a channel has been hacked, open the page’s source code, search for “channelid,” and look for the channel ID, which begins with “UC” followed by 24 characters. Copy it and search for it on Google, which may still turn up the old channel, either because Google has not yet purged it from its cache or because another website mentions it. When the scammer starts the stream, they usually try to make it look legitimate by botting views and buying likes, so that anyone who happens to find it is taken in.

I assume that, for channels with many subscribers, YouTube may recommend the stream not just to subscribers but to other people, who have no way of knowing the views are fake. Another clever trick that stops anyone from calling out the scam in the comments is that the live chat is set to “Subscribers-Only mode” for those subscribed for 15+ years, which for most channels effectively means nobody can comment. The scam also involves a pinned comment containing a link that looks legitimate, even though it isn’t. The link says that if you send a certain amount of Bitcoin, you’ll double your money. This scam dates back to the early 2000s, when people would simply keep whatever was sent after promising to double it. Why people are still falling for it, I have no clue.
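The channel ID check described above, as an added example that is not part of the original article: a small Python script that pulls the channel ID and current @handle out of saved page source and compares them with an ID and handle you recorded while the channel was known-good. The page source, the channel ID and the handles are constructed samples, not real channels.

```python
import re

# Constructed sample of a channel page's source (not captured from a real channel). The ID
# appears in a meta tag and in the embedded JSON; the canonical link carries the @handle.
SAMPLE_PAGE = (
    '<head><meta itemprop="channelId" content="UCconstructedExample000000">\n'
    '<link rel="canonical" href="https://www.youtube.com/@TeslaLive2024"></head>\n'
    '<script>var ytInitialData={"metadata":{"channelMetadataRenderer":'
    '{"title":"Tesla Live","channelId":"UCconstructedExample000000"}}};</script>'
)
# The ID always starts with "UC"; the patterns read up to the closing quote rather than
# assuming a length, so the value is captured intact whatever its length.
ID_PATTERNS = [
    re.compile(r'itemprop="channelId"\s+content="(UC[A-Za-z0-9_-]+)"'),
    re.compile(r'"channelId"\s*:\s*"(UC[A-Za-z0-9_-]+)"'),
]
HANDLE_PATTERN = re.compile(r'rel="canonical"\s+href="https://www\.youtube\.com/(@[\w.-]+)"')


def extract_channel_ids(page_source):
    """Distinct channel IDs in order of first appearance (a genuine channel page has one)."""
    found = []
    for pattern in ID_PATTERNS:
        for match in pattern.finditer(page_source):
            if match.group(1) not in found:
                found.append(match.group(1))
    return found


def extract_handle(page_source):
    match = HANDLE_PATTERN.search(page_source)
    return match.group(1) if match else None


def compare_with_bookmark(page_source, bookmark):
    """bookmark: {"channel_id": ..., "handle": ...} recorded while the channel was known-good.
    Because the ID never changes, a matching ID under a different handle means the channel
    was renamed; the recorded handle is what to search for to find its earlier content."""
    ids, handle = extract_channel_ids(page_source), extract_handle(page_source)
    if len(ids) != 1:
        return {"status": "no-id-found" if not ids else "ambiguous", "ids": ids, "handle": handle}
    if ids[0] != bookmark["channel_id"]:
        status = "different-channel"
    elif handle != bookmark["handle"]:
        status = "same-id-renamed"
    else:
        status = "same-id-same-handle"
    return {"status": status, "ids": ids, "handle": handle}
```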

Google’s Lack of Security.

This is where Google and YouTube have to take some of the blame, because, as I mentioned, the hacker is not only able to get into your account but can effectively take it over completely and lock you out, even if you have Two-Factor Authentication enabled. The method is cookie stealing, also called session hijacking. The YouTuber gets infected by malware, and the malware goes looking in the browser for the cookie that holds the logged-in session. After you’ve logged in, your browser stores a cookie to keep you logged in; the virus steals that cookie and sends it to the hacker, and presenting that cookie lets them use your account as if they had logged in themselves. This bypasses entering your login credentials and Two-Factor Authentication entirely. Once the hacker is in, they’ll change your password and even change your Two-Factor Authentication methods. There also seems to be a lack of security in general: I tested whether Google would ask for my password when taking sensitive actions, and the result suggests there’s more work to be done.
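An added example, not from the article or from Google, of what the cookie means to the server and why a password prompt on sensitive actions matters: a toy session store in which a copied cookie is accepted as the user, while changing the password demands the current password and then invalidates every session, the copied one included. The account, passwords and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Toy in-memory account and session store, constructed for this example (not Google's design):
# a minimal model of what a login cookie means to the server.
USERS = {"creator": {"pw_hash": hashlib.sha256(b"correct horse").digest()}}
SESSIONS = {}  # cookie value -> {"user": username}

def _hash(password):
    # A real system uses a slow password hash (argon2/bcrypt); sha256 keeps the example short.
    return hashlib.sha256(password.encode()).digest()

def login(username, password, second_factor_ok):
    """Full login: password plus second factor. Returns the cookie the browser will store."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw_hash"], _hash(password)):
        return None
    if not second_factor_ok:
        return None
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": username}
    return cookie

def whoami(cookie):
    """A request carrying a valid cookie is that user: no password, no second factor asked.
    This is why a copied cookie lets someone else act as the account."""
    session = SESSIONS.get(cookie)
    return session["user"] if session else None

def change_password(cookie, current_password, new_password):
    """Step-up: re-enter the current password, then invalidate every session of the user (this one
    included) and issue a fresh cookie, because a stolen copy of the cookie is this very session."""
    session = SESSIONS.get(cookie)
    if session is None:
        return None, "not-logged-in"
    username = session["user"]
    if not hmac.compare_digest(USERS[username]["pw_hash"], _hash(current_password)):
        return None, "reauth-required"
    USERS[username]["pw_hash"] = _hash(new_password)
    for value in [v for v, s in SESSIONS.items() if s["user"] == username]:
        del SESSIONS[value]
    fresh = secrets.token_urlsafe(32)
    SESSIONS[fresh] = {"user": username}
    return fresh, "changed"

if __name__ == "__main__":
    cookie = login("creator", "correct horse", second_factor_ok=True)  # a stolen copy equals this value
    print(whoami(cookie), change_password(cookie, "guess", "x")[1])  # creator reauth-required
    print(whoami(change_password(cookie, "correct horse", "new pass")[0]), whoami(cookie))  # creator None
```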

How Malware Contributes.

Keep in mind that this affects not only creators but anyone. As mentioned earlier, the malware is specifically designed to target browsers and session cookies. In most cases, the malware used is called Redline Stealer. Google has been aware of this type of attack since 2021. Additionally, this malware has tricks to avoid detection. For example, it will have a very large file size, filled with unnecessary junk data, to prevent you from uploading it to virus-detecting websites such as VirusTotal, and the sheer size will also slow down or block local antivirus programs from scanning it. Additionally, these viruses don’t contain the entire payload right away: after you’ve run the initial file, it downloads the payloads in order to avoid detection. Some of these viruses also use anti-sandboxing tricks, such as a fake pop-up that needs to be clicked by the user, so that the program does not run inside an automated virtual machine where nobody clicks.
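An added example (not from the article) of a check a defender can run against the size-inflation trick: it measures how much of the end of a file is low-entropy filler, which is what a run of appended junk usually looks like. The sample files are generated locally from random bytes and zeros; no real malware is involved.

```python
import math
import os
from collections import Counter

# Constructed sample "files": random bytes stand in for a normal program body (compressed or
# packed code looks random), and a padded variant has 4 MiB of zero bytes appended.
PROGRAM = os.urandom(64 * 1024)
PADDED_PROGRAM = PROGRAM + b"\x00" * (4 * 1024 * 1024)


def entropy(chunk):
    """Shannon entropy in bits per byte: about 8 for random data, 0 for one repeated byte."""
    if not chunk:
        return 0.0
    total = len(chunk)
    return -sum(n / total * math.log2(n / total) for n in Counter(chunk).values())


def low_entropy_tail(data, window=1 << 20, threshold=1.0):
    """Bytes at the end of the file, measured in windows walking backwards, whose entropy stays
    below the threshold. Filler made of zeros or a repeated byte shows up here; real code does not."""
    end, tail = len(data), 0
    while end > 0:
        start = max(0, end - window)
        if entropy(data[start:end]) >= threshold:
            break
        tail += end - start
        end = start
    return tail


def assess_inflation(data, min_padding=1 << 20):
    """Flag a file when at least min_padding bytes of low-entropy filler make up most of it."""
    padding = low_entropy_tail(data)
    ratio = padding / len(data) if data else 0.0
    return {"size": len(data), "padding_bytes": padding, "padding_ratio": round(ratio, 3),
            "suspicious": padding >= min_padding and ratio >= 0.5}


if __name__ == "__main__":
    for label, sample in (("plain", PROGRAM), ("padded", PADDED_PROGRAM)):
        print(label, assess_inflation(sample))
```

Filler made of random bytes has high entropy and passes this check; for Windows executables, the size of the overlay (data past the last PE section) is the complementary measurement.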

Fake Sponsorships.

The techniques used target creators and end users specifically. The one aimed at YouTubers is usually a fake sponsorship of some kind: they reach out with a legitimate-looking offer, and after you interact, they send you a media kit or some kind of document that you’re supposed to open or run. Of course, it ends up being the virus. One example I’ve seen, which I have to admit was extremely clever, used a “.com” executable file, which is basically the same as a .exe, but people aren’t as familiar with the .com type. The file in question was named “contract for youtube.com,” so it looked like the file name was just referencing youtube.com, when in fact that was the file extension, signaling that it was a program, not a document. In my time as the Editor of my school newspaper, I have been contacted by these types of scams before, but not recently. One way I’ve determined whether an e-mail is a scam is by looking up the domain’s registration date.

Fake Download Sites.

The next method scammers use targets anyone, through fake download sites. Recently there has been talk about how even Google Ads are being overrun by scammers advertising fake downloads of free software, so when people search for a program, a fake domain comes up and what it downloads is actually a virus. Sometimes this indirectly targets creators through software like OBS, a streaming program, but it also targets software used on a daily basis. Since this has become so common, I’ve been skeptical of downloading programs. As an alternative, I’ve searched for the site on Reddit and compared the links to the websites that come up on Google.

Some Tips to Use!

Before you download anything, make sure the website you’re visiting is legitimate, because you’re going to run whatever you download. If you get a file from someone, first check the file type and make sure that it makes sense, but do not rely on the file extension alone for that. As I’ve mentioned before, some viruses use a special Unicode character that reverses text direction to spoof the file extension, even if you have file extensions set to be visible. In Windows File Explorer, the default view has a Type column that specifies whether the file is an application or a PDF; you can also right-click the file and open “Properties”. If you do not recognize the type of file, DO NOT run it: there are a lot of file extensions that most people don’t recognize. Finally, if you can, scan it with an antivirus or upload it to VirusTotal, which scans it with multiple antivirus engines if the file is small enough. But remember that even a clean antivirus scan is not a guarantee. These hackers are smart, so the best resource to use is knowledge.
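An added example, not part of the article, covering both the “contract for youtube.com” trick from the fake-sponsorship section and the text-direction character mentioned here: a filename classifier that reports the real extension, flags bidirectional override characters, .com and double extensions, and refuses anything it does not recognize. The extension lists are representative subsets chosen for the example, not an official list.

```python
# Extensions Windows runs as a program on double-click (a representative subset, not exhaustive).
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf",
              ".ps1", ".msi", ".hta", ".lnk", ".cpl", ".jar"}
# Types a creator would expect in a sponsor's media kit or contract.
DOCUMENT = {".pdf", ".doc", ".docx", ".pptx", ".xlsx", ".txt", ".png", ".jpg", ".zip"}
# Unicode bidirectional controls. U+202E (right-to-left override) renders everything after it
# reversed, so "report<U+202E>fdp.exe" is displayed as "reportexe.pdf" while staying an .exe.
BIDI = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}


def analyze_filename(name):
    """Classify a file by its real extension, ignoring how Explorer would display the name."""
    findings = []
    if any(ch in BIDI for ch in name):
        findings.append("bidirectional override present: the displayed name is not the real name")
    real = "".join(ch for ch in name if ch not in BIDI).lower()
    stem, dot, ext = real.rpartition(".")
    ext = dot + ext if dot else ""
    if ext in EXECUTABLE:
        findings.append(f"real extension {ext} is a program")
        if ext == ".com":
            findings.append("'.com' is an executable type here, not part of a web address")
        inner = "." + stem.rpartition(".")[2]
        if inner in DOCUMENT:
            findings.append(f"double extension: {inner} is only part of the name")
        verdict = "program"
    elif ext in DOCUMENT:
        verdict = "document"
    else:
        findings.append("unrecognized type: do not open it")
        verdict = "unrecognized"
    return {"displayed": name, "real_extension": ext, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for sample in ("media kit.pdf", "contract for youtube.com", "invoice.pdf.exe", "report\u202efdp.exe"):
        result = analyze_filename(sample)
        print(f"{sample!r}: {result['verdict']} {result['findings']}")
```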
