Popular YouTube channels took a hit last weekend when a series of accounts was hijacked by cyber criminals. The attacks appear to have been a coordinated campaign that managed to bypass two-factor authentication.
This wave of attacks seems highly coordinated and focussed on YouTube creators in the car community. Some users were unable to log into their YouTube accounts and quickly suspected that something malicious had occurred.
The hackers used phishing attacks to steal the private credentials of YouTube channel owners. They sent emails that lured the owners to phishing sites that looked like Google login pages. The duped channel owners then entered their YouTube login details, and the hackers used the information to re-assign the channels to new owners.
Hackers also changed the ‘vanity URL’ of the channel, which made it look like the channel and the account had been deleted. Attackers then allegedly sold the channels on darknet forums, where hackers sell access to hacked accounts. A lot of the deleted channels have yet to be found, but some channel owners managed to get the deleted content back.
These types of attacks are relatively frequent in the YouTube community, but it seems that in this case the hackers had got hold of an influencer database and knew which channels to target.
The main concern that many channel owners had was that the hackers were able to bypass the two-factor authentication that had been set up on their accounts. Some channel owners thought that hackers may have used a reverse-proxy-based phishing tool such as Modlishka to carry out the attack.
It initially seemed that the account hijacking incidents were not related, but it became clear that the campaign was targeted and was launched in order to steal certain accounts. It is unclear how many accounts were affected, but some of the channels affected were Built, troysowers and maxtcheckvids.
Do you follow any of the affected accounts? Let us know by tweeting us @Hyve!