A targeted spearphishing campaign launched by cyber criminals has resulted in the compromise of a large number of accounts belonging to popular YouTube personalities catering to a variety of genres such as automotive, music, gaming, and technology.
In January this year, security researchers at Risk IQ discovered a widespread phishing scam that involved the use of fake profiles of popular YouTube personalities to lure their fans into sharing their personal information to receive free gift cards and iPhones purportedly offered by the stars themselves.
Spammers behind the phishing campaign created fake profiles of popular YouTube personalities such as James Charles, Philip DeFranko, The ACE Family, Jeffreestar, Tati, ASMR Darling, and Through Ryan's Eyes and used such profiles to send friend requests to hundreds of thousands of YouTube users, many of whom accepted such requests believing that the requests came from genuine profiles.
Recently, ZDNet revealed the presence of another spearphishing campaign involving YouTube, except that instead of using fake profiles of YouTube personalities to phish millions of their fans, cyber criminals are targeting YouTube personalities themselves using a tried-and-tested phishing technique.
Primarily aimed at the YouTube creators car community, the technique involves cyber criminals sending phishing emails to YouTube stars containing links that redirect them to fraudulent websites where they are asked to fill in their YouTube login credentials.
The cyber criminals then harvest such credentials from the fraudulent websites, use them to break into victims' Google accounts, re-assign hijacked YouTube accounts to new owners, and change the channel's vanity URL to make channel owners believe that their accounts have been deleted.
Spearphishing campaign targeted YouTube accounts across many genres
According to ZDNet, the hackers were even able to break into Google accounts of YouTube stars that were protected by two-factor authentication, indicating that the hackers may have been actively using reverse proxy-based phishing toolkits to bypass 2FA in targeted accounts.
Askamani, a hacker who is a regular at OGUsers (a forum used to trade hacked and stolen online credentials by cyber criminals) told ZDNet that the spearphishing campaign targeting the YouTube creators car community could have been the result of hackers gaining access to a database containing contact details of YouTube stars in that genre.
"These campaigns targeting car accounts are something normal. Means someone got their hands on an email list with addresses from a specific sector. My money is on someone hacking into one of those social media influencer databases," Askamani told ZDNet.
"You can spam random people all you like, but you won't get access to accounts with good subs [subscribers]. If there's a spike in complaints, as you said, then someone got their hands on a real nice database and their now getting a bang for their buck.
"I'd keep my eye on OGUsers and the Russian forums if I were you. Those accounts need to be dumped really quick before YouTube gives them back to their original owners. "You need to sell hacked accounts real quick before they become worthless, Askamani added.
Cyber criminals continue to exploit the weakest link in cyber security
Even though the automotive community on YouTube was specifically targeted, social media activity in recent days has revealed that the spearphishing campaign ended up compromising YouTube accounts of personalities catering to other genres such as music, gaming, and technology as well.
"The recent phishing attacks on YouTube are an escalation of a classic scheme, in which users are lured to fake login pages, where they enter legitimate credentials. Cybercriminals are always looking for the weakest link in the cybersecurity protecting valuable assets; in this case, it was users," says Jonathan Knudsen, senior security strategist at Synopsys.
"The best proactive defence against such attacks is education. With the right knowledge, fewer users would have fallen victim to these attacks.
"The fact that users were the target of these attacks indicates that Google has done well in securing YouTube. Any proactive security-focused organisation following secure development practices, using security testing tools such as static analysis, software composition analysis, and fuzz testing, will build more robust, more secure systems and applications. Consequently, attackers will focus on the weakest area, which is often user interactions with the system," he adds.