{"id":21214,"date":"2023-06-06T20:59:08","date_gmt":"2023-06-06T16:59:08","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/youtubers-takeovers\/21214\/"},"modified":"2023-06-06T20:59:25","modified_gmt":"2023-06-06T16:59:25","slug":"youtubers-takeovers","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/youtubers-takeovers\/21214\/","title":{"rendered":"Hacking YouTube channels with stolen cookies"},"content":{"rendered":"<p>A couple of months ago, the popular tech blogger Linus Tech was <a href=\"https:\/\/www.theverge.com\/2023\/3\/24\/23654996\/linus-tech-tips-channel-hack-session-token-elon-musk-crypto-scam\" target=\"_blank\" rel=\"nofollow noopener\">hacked<\/a>. All three of his YouTube channels (the biggest of which boasts over 15 million subscribers) fell into the hands of cybercriminals, who began broadcasting streams with crypto-scam ads. How did the hackers manage to gain access to the channels? Didn\u2019t the famous tech blogger protect his accounts with a strong password and two-factor authentication? Of course he did (at least, that\u2019s what he himself <a href=\"https:\/\/www.youtube.com\/watch?v=yGXaAWbzl5A\" target=\"_blank\" rel=\"nofollow noopener\">says<\/a>).<\/p>\n<p>Linus Tech fell victim to a <em>pass-the-cookie<\/em> attack, a common method for targeting YouTubers. 
In this post we take a closer look at the objectives and motives behind such attacks, how hackers can access channels without knowing the password or second factor, what Google\u2019s doing about it, and how not to fall victim to this attack.<\/p>\n<h2>Why go after YouTube channels?<\/h2>\n<p>\nThe channels of well-known (and not so well-known) YouTubers are usually taken over either to <a href=\"https:\/\/www.youtube.com\/watch?v=kzHBJlMXlFc\" target=\"_blank\" rel=\"nofollow noopener\">demand a ransom<\/a> for their return, or to <a href=\"https:\/\/youtu.be\/xf9ERdBkM5M\" target=\"_blank\" rel=\"nofollow noopener\">gain access to their audience<\/a> (as in the hack on Linus Tech). In the latter case, after hacking the channel, the attackers change the name, profile picture, and content.<\/p>\n<p>Thus, instead of a blog about, say, tech innovation, there appears a channel that imitates the account of some large company (most often Tesla) with the corresponding profile picture. After that, the attackers use it to stream recordings of Elon Musk expressing his thoughts about cryptocurrency. All other blog content is often removed.<\/p>\n<div id=\"attachment_48376\" style=\"width: 3010px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48376\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2023\/06\/06205814\/youtubers-takeovers-1-scaled-1-scaled-scaled.jpg\" alt=\"Streams with Elon Musk on a hacked channel.\" width=\"3000\" height=\"1681\" class=\"size-full wp-image-48376\"><p id=\"caption-attachment-48376\" class=\"wp-caption-text\">Streams with Elon Musk on a hacked channel. <a href=\"https:\/\/youtu.be\/xf9ERdBkM5M\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>At the same time, a link to the site of a \u201cunique cryptocurrency promotion\u201d is dropped into the chat. 
For example, Musk himself is supposedly giving away cryptocurrency: to get their share, users are asked to transfer their coins to a certain wallet, after which they will get back twice as much.<\/p>\n<div id=\"attachment_48378\" style=\"width: 3010px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48378\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2023\/06\/06205835\/youtubers-takeovers-2-scaled-1-scaled-scaled.jpg\" alt=\"Streams with Elon Musk on a hacked channel.\" width=\"3000\" height=\"1495\" class=\"size-full wp-image-48378\"><p id=\"caption-attachment-48378\" class=\"wp-caption-text\">Streams with Elon Musk on a hacked channel. <a href=\"https:\/\/youtu.be\/xf9ERdBkM5M\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>A curious detail: scammers often have the foresight to restrict the chat so that only users who\u2019ve subscribed to the channel for more than 15 or even 20 years can post messages (never mind that not only did this channel not exist back then, but YouTube itself only appeared in 2005).<\/p>\n<p>Sure, this is an example of a typical scam we\u2019ve analyzed <a href=\"https:\/\/www.kaspersky.com\/blog\/nvidia-giveaway-bitcoin-scam\/44844\/\" target=\"_blank\" rel=\"nofollow noopener\">once<\/a> or <a href=\"https:\/\/www.kaspersky.com\/blog\/youtube-bitcoin-scam\/44784\/\" target=\"_blank\" rel=\"nofollow noopener\">twice<\/a> before.<\/p>\n<div id=\"attachment_48379\" style=\"width: 3010px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48379\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2023\/06\/06205859\/youtubers-takeovers-3-scaled-1-scaled-scaled.jpg\" alt=\"Transfer your bitcoins to us and we'll give you back twice as many.\" width=\"3000\" height=\"1473\" class=\"size-full wp-image-48379\"><p 
id=\"caption-attachment-48379\" class=\"wp-caption-text\">Transfer your bitcoins to us and we\u2019ll give you back twice as many. <a href=\"https:\/\/www.youtube.com\/watch?v=yGXaAWbzl5A\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>The stream is quickly blocked by YouTube, along with the unfortunate blogger\u2019s channel, for \u201cviolating YouTube\u2019s Community Guidelines\u201d. And then the real owner faces the absorbing task of restoring their own channel and proving to the platform that it was not they who distributed links to fake sites and streamed scam ads.<\/p>\n<p>In the case of Linus Tech, with his 15 million subscribers, this was relatively easy to do. His channel was restored within hours, though he did lose that day\u2019s monetization. How long a YouTuber with a smaller audience would need to rectify the situation, and whether it would be possible at all, are questions you don\u2019t want answered from personal experience.<\/p>\n<h2>Hijacking a channel without the password<\/h2>\n<p>\nTo hack a YouTube channel, there\u2019s no need for attackers to steal any credentials. Getting their hands on session tokens will suffice. But first things first\u2026<\/p>\n<p>A typical attack on a YouTube channel <a href=\"https:\/\/www.wired.com\/story\/youtube-bitcoin-scam-account-hijacking-google-phishing\/\" target=\"_blank\" rel=\"nofollow noopener\">begins<\/a> with an email to the blogger seemingly from a genuine company proposing collaboration; this can be a VPN service, a game developer or even an antivirus vendor. There\u2019s nothing suspicious in the first email, so a member of the blogger\u2019s team replies with a standard message detailing their product placement fees.<\/p>\n<p>The next email is far less innocent. 
In it, the scammers <a href=\"https:\/\/blog.google\/threat-analysis-group\/phishing-campaign-targets-youtube-creators-cookie-theft-malware\/\" target=\"_blank\" rel=\"nofollow noopener\">send<\/a> an archive supposedly containing a contract, or a link to a cloud service to download it, as well as the password for this archive. To make the email more convincing, the attackers often add a link to a website or social network account affiliated with the product they want the blogger to \u201cpromote\u201d. The link can point either to the site of a bona fide company, or to a <a href=\"https:\/\/blog.google\/threat-analysis-group\/phishing-campaign-targets-youtube-creators-cookie-theft-malware\/\" target=\"_blank\" rel=\"nofollow noopener\">fake page<\/a>.<\/p>\n<div id=\"attachment_48380\" style=\"width: 2570px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48380\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2023\/06\/06205918\/youtubers-takeovers-4-scaled-1.jpg\" alt='Email with a link to download an archive with a \"contract\".' width=\"2560\" height=\"1352\" class=\"size-full wp-image-48380\"><p id=\"caption-attachment-48380\" class=\"wp-caption-text\">Email with a link to download an archive with a \u201ccontract\u201d. <a href=\"https:\/\/www.youtube.com\/watch?v=5FzsM3V5xRo\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>If the blogger or their employee is not careful and unzips the archive, they\u2019ll find one or more documents that may look like regular Word or PDF files. The only odd thing is that all the files are quite large (more than 700MB), which makes it impossible to scan them for threats using a service like <a href=\"https:\/\/www.virustotal.com\/gui\/home\/upload\" target=\"_blank\" rel=\"nofollow noopener\">VirusTotal<\/a>. Many security solutions will skip them for the same reason. 
Opening the files with special tools for analyzing executables reveals that they consist largely of empty space, which is what makes these documents so big.<\/p>\n<p>Of course, hiding inside the file that looks like an innocent contract is a whole host of malware. Aware of the problem, Google <a href=\"https:\/\/blog.google\/threat-analysis-group\/phishing-campaign-targets-youtube-creators-cookie-theft-malware\/\" target=\"_blank\" rel=\"nofollow noopener\">analyzed<\/a> such attacks and identified the various types of malware used. Among them was the <a href=\"https:\/\/www.kaspersky.com\/blog\/redline-stealer-self-propagates-on-youtube\/45528\/\" target=\"_blank\" rel=\"noopener nofollow\">RedLine Trojan stealer<\/a>, which has been <a href=\"https:\/\/youtu.be\/nYdS3FIu3rI\" target=\"_blank\" rel=\"nofollow noopener\">blamed<\/a> by many YouTubers for their misfortunes lately.<\/p>\n<p>Attackers use this malware for their main aim: stealing session tokens from the victim\u2019s browser. Session tokens, stored as cookies, are how the browser \u201cremembers\u201d that the user is logged in, so they don\u2019t have to go through the full authentication process with a password and second factor each time. That is, stolen tokens let cybercriminals impersonate authenticated victims and log in to their accounts without the credentials.<\/p>\n<h2>What about Google?<\/h2>\n<p>\nGoogle has been aware of the problem since 2019. In 2021, the company published a major study entitled <a href=\"https:\/\/blog.google\/threat-analysis-group\/phishing-campaign-targets-youtube-creators-cookie-theft-malware\/\" target=\"_blank\" rel=\"nofollow noopener\">Phishing campaign targets YouTube creators with cookie theft malware<\/a>. 
Google\u2019s Threat Analysis Group investigated the social engineering techniques and malware deployed in such attacks.<\/p>\n<p>Following the study, the company announced it had taken a number of steps to protect users:\n<\/p>\n<ul>\n<li>Extra heuristic guidelines were implemented to identify and prevent phishing and social engineering emails, cookie theft hijacking, and fraudulent cryptocurrency livestreams.<\/li>\n<li>Safe Browsing now includes enhanced capabilities to identify and block malicious webpages and downloads.<\/li>\n<li>YouTube has strengthened the processes involved in transferring channels, and is successfully detecting and automatically recovering more than 99% of compromised channels.<\/li>\n<li>Account Security has reinforced the authentication procedures to prevent potentially risky activities and alert users about them.<\/li>\n<\/ul>\n<p>Are these measures working? Judging by the <a href=\"https:\/\/youtu.be\/xf9ERdBkM5M\" target=\"_blank\" rel=\"nofollow noopener\">comments<\/a> of YouTubers themselves, and the fact that such hacks continue to occur regularly (when writing this post, I myself found Elon Musk streams on three evidently stolen channels) \u2014 not really. That same Linus Tech was <a href=\"https:\/\/www.youtube.com\/watch?v=yGXaAWbzl5A\" target=\"_blank\" rel=\"nofollow noopener\">outraged<\/a> that, in order to change the name of the channel and its profile picture and also remove all videos from the channel, YouTube does not ask the user to enter a password or second factor code.<\/p>\n<h2>Protect your channel yourself<\/h2>\n<p>\nIn order not to lose control over your own channel, it\u2019s wise to take a number of precautions. 
First of all, install <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security\/cloud?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kescloud___\" target=\"_blank\" rel=\"noopener\">reliable protection<\/a> on all work devices and hold regular cybersecurity training sessions for your team. Everyone with access to business accounts must:<\/p>\n<ul>\n<li>Know the typical signs of phishing<\/li>\n<li>Be able to identify social engineering<\/li>\n<li>Never follow suspicious links<\/li>\n<li>Never download or open archived attachments from untrusted sources<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>How scammers can hack your YouTube channel without knowing a password and second factor.<\/p>\n","protected":false},"author":2684,"featured_media":21217,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[2540,22,695,1663],"class_list":{"0":"post-21214","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cookie","10":"tag-google","11":"tag-scam","12":"tag-youtube"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/youtubers-takeovers\/21214\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/youtubers-takeovers\/25774\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/youtubers-takeovers\/28469\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/youtubers-takeovers\/26073\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/youtubers-takeovers\/26413\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/youtubers-takeovers\/28893\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/youtubers-takeovers\/35499\/"},{"hreflang":"x-d
efault","url":"https:\/\/www.kaspersky.com\/blog\/youtubers-takeovers\/48375\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/youtubers-takeovers\/20708\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/youtubers-takeovers\/21395\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/youtubers-takeovers\/30231\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/youtubers-takeovers\/34043\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/youtubers-takeovers\/26380\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/youtubers-takeovers\/32084\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/youtubers-takeovers\/31767\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/scam\/","name":"scam"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2684"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=21214"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21214\/revisions"}],"predecessor-version":[{"id":21216,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21214\/revisions\/21216"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/21217"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=21214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=21214"},{"taxonomy":"post_tag","embeddable":true,"hr
ef":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=21214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}