A coordinated phishing campaign hit an as yet unknown number of prominent YouTube influencers specializing in gaming, the car industry, tech, and other topics
Over the weekend, some users found out that they were unable to log in to their Google and, subsequently, YouTube accounts. As it turns out, a massive phishing campaign was launched by an unknown group of hackers who mostly targeted popular influencers from various industries (tech, gaming, music, Disney, etc.), although automotive industry channels were affected the most, as reported by ZDNet.
While initially the YouTube account hijacking incidents were not linked to each other, it quickly became clear that a targeted attack had been launched in order to steal particular accounts. It is still unclear how many accounts were affected, but among the victims are some of the most famous names on YouTube: Built, troysowers, maxtcheckvids, purefunction_, and others.
The YouTube account hacks were possible due to phishing campaigns – the attackers sent phishing emails to the influencers which led them to spoofed sites asking for their Google login credentials, and those credentials were then used to hijack the YouTube accounts. Most of the affected users rushed to announce the hack on Instagram, Twitter, and the YouTube support forums.
The unfortunate side of the hack is that YouTube channels got deleted, and followers could no longer view the videos of their favorite personalities on YouTube.
The attackers managed to bypass two factor authentication
While most of the affected users' YouTube channels are still nowhere to be found, others have already managed to get the deleted content back. According to one such user, after regaining access to his account, he also got some insights into the hack itself from the YouTube support staff.
Phishing emails were sent to a multitude of high-profile YouTube creators, containing links that led to spoofed Google sites. According to the ZDNet report, some users got an individual email while others got chains of them, usually asking them to visit channels of members of the same community (e.g., car review channels). Once the links were clicked, the spoofed pages prompted users to enter their Google login credentials.
In this way, the attackers managed to hijack the victims' Google accounts. This allowed them to log in to the YouTube accounts, reassign the owner, and change the creator's vanity name, which consequently made it seem like the account no longer existed.
According to Life of Palos, who posted a video about the chain of hacks affecting multiple YouTube influencers, some of the stolen accounts had two-factor authentication enabled, which means that the hackers must have used some type of tool that bypasses it. As reported, the suspected application is Modlishka, although this is just speculation, as there are numerous hacking tools available for such activities.
An underground forum member claims that the attackers got hold of a niche database
ZDNet managed to get hold of an OGUsers (a site often used to sell hacked accounts) forum member and hacker under the pseudonym Askamani. According to him/her, this type of hack is a relatively normal occurrence, and the campaign was managed by somebody who got hold of an “influencer database.”
Sending phishing emails to random users will rarely result in the hijack of high-profile accounts with a high subscriber count. Therefore, a database consisting of high-profile YouTube and other social media accounts is the most likely culprit:
You can spam random people all you like, but you won't get access to accounts with good subs. If there's a spike in complaints, as you said, then someone got their hands on a real nice database and they're now getting a bang for their buck.
According to Askamani, security researchers should dig into Russian forums, along with the OGUsers site, in order to track and possibly get to the attackers. The accounts need to be sold as soon as possible, before YouTube gives them back to their original owners.
The main reason for account hacks – human factor
YouTube is not the only platform where account hijacks take place. Instagram, Twitter, Facebook, and many others constantly suffer from cybercriminal attacks. While the methods of stealing a social media account may vary, there is almost always a way to protect your account from threat actors who seek profit or personal information.
While some of the attacks might be extremely sophisticated (the YouTube account hack is believed to be one of them), the main vector is still human. Sometimes spotting a phishing attack might be difficult, even for a trained eye. For example, hackers could use email spoofing, a valid SSL certificate on a fake site, and many other techniques.
Users should always employ two-factor authentication, regardless of whether it was bypassed in earlier or the current campaigns. Finally, employing comprehensive security tools along with a vigilant outlook on received emails could prevent most such hacks.
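As an added illustration of the two points above (links leading to spoofed Google sign-in pages, and a valid certificate on a fake site proving nothing), the following example code, which is not from the article or from any of the parties it describes, checks the links in an email body and flags hosts that imitate a Google or YouTube domain without actually being one. The trusted-domain allowlist, the digit-for-letter normalization, and the sample email are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: only these registrable domains (and their subdomains)
# are treated as genuine Google/YouTube hosts.
TRUSTED_DOMAINS = ("google.com", "youtube.com")
BRAND_WORDS = ("google", "youtube")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def host_of(url):
    """Lower-cased host name of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")

def is_trusted(host):
    """True only if host IS a trusted domain or a subdomain of one.
    'accounts.google.com.evil.example' ends in '.example', so it is not."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def normalize_lookalike(host):
    """Undo common digit-for-letter substitutions so 'g00gle' reads 'google'."""
    return host.translate(str.maketrans({"0": "o", "1": "l", "3": "e"}))

def suspicious_links(email_body):
    """Return (url, reason) for every link whose host is NOT trusted yet carries
    a brand word anywhere in it. The scheme is deliberately ignored: an https://
    link with a valid certificate on a fake site is still a fake site."""
    findings = []
    for url in URL_RE.findall(email_body):
        host = host_of(url)
        if not host or is_trusted(host):
            continue
        if any(b in normalize_lookalike(host) for b in BRAND_WORDS):
            findings.append((url, "brand-lookalike host: " + host))
    return findings

# Constructed sample email in the style the article describes: one genuine
# sign-in link, two lookalikes, and one unrelated community link.
SAMPLE_EMAIL = """\
Hi, your channel was flagged. Sign in at
https://accounts.google.com/signin to keep your videos, then review our car
community page https://accounts.google.com.secure-verify.example/login and
https://g00gle-support.example/recover/ before Friday.
Unrelated: https://cars-forum.example/thread/42
"""

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_EMAIL):
        print(url, "->", reason)
```

Only the two lookalike links are reported; the genuine accounts.google.com link and the unrelated forum link pass through.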