Over the past few days, a massive wave of account hijacks has hit YouTube users, and especially creators in the auto-tuning and car review community, a ZDNet investigation discovered following a tip from one of our readers.
Several high-profile accounts from the YouTube creators car community have fallen victim to these attacks already. The list includes channels such as Built [Instagram post, YouTube channel], Troy Sowers [Instagram post, YouTube channel], MaxtChekVids [YouTube channel], PURE Function [Instagram post, YouTube Support post, YouTube channel], and Musafir [Instagram post, YouTube channel].
But the YouTube car community wasn't the only one targeted. Other YouTube creatorss also reported having their accounts hijacked last week, and especially over the weekend, with tens of complaints flooding Twitter [1, 2, 3, 4, 5, 6, 7, 8, 9, and many more] and the YouTube support forum [1, 2, 3, 4, 5, 6, 7, 8, 9, and many more].
Coordinated campaign bypassed 2FA
The account hacks are the result of a coordinated campaign that consisted of messages luring users to phishing sites, where hackers logged account credentials.
According to a channel owner who managed to recover their account before this article's publication and received additional information from YouTube's staff, we got some insight into how the full attack chain might have gone down.
- Hackers use phishing emails to lure victims on fake Google login pages, where they collect users' account credentials
- Hackers break into Google accounts
- Hackers re-assign popular channels to new owners
- Hackers change the channel's vanity URL, giving the original account owner and his followers the impression that their account had been deleted.
Some users reported receiving individual emails, while others said they received email chains that included the addresses of multiple YouTube creators, usually from the same community or niche.
This is what appears to have happened with the phishing attacks that targeted the YouTube creators car community, according to a YouTube video from Life of Palos, uploaded over the weekend -- see 01:50 video mark.
The same Life of Palos also reported that hackers were capable of bypassing two-factor authentication on users' accounts. He suggested that hackers might have used Modlishka, a reverse proxy-based phishing toolkit that can also intercept 2FA SMS codes.
However, this is only hearsay, and there is no actual evidence to confirm that hackers used Modlishka specifically. There are plenty of reverse proxy-based phishing toolkits around that can do the same.
Nevertheless, Ryan Scott, the owner of the PURE Function YouTube channel confirmed he used two-factor authentication on his account, validating that hackers did bypass 2FA on some of the hacked accounts.
Google did not return a request for comment.
Hackers need to sell the accounts quick
ZDNet also spoke with a hacker named Askamani, active on OGUsers, an internet forum known for trafficking access to hacked accounts, including YouTube.
The hacker said that the campaign that targeted members of the YouTube car community has all the signs of "regular business."
"These campaigns targeting car accounts are something normal," Askamani told ZDNet. "Means someone got their hands on an email list with addresses from a specific sector. My money is on someone hacking into one of those social media influencer databases."
"You can spam random people all you like, but you won't get access to accounts with good subs [subscribers]," the hacker said. "If there's a spike in complaints, as you said, then someone got their hands on a real nice database and their now getting a bang for their buck."
"I'd keep my eye on OGUsers and the Russian forums if I were you. Those accounts need to be dumped really quick before YouTube gives them back to their original owners," Askamani said. "You need to sell hacked accounts real quick before they become worthless."