YouTube, the world’s top provider of multimedia services, is fertile ground for massive cybercrime campaigns. Malicious actors primarily think of it as a shortcut to extending their evil reach while treating its numerous fans as potential victims. A YouTube channel boasting a large user audience fits the mold of a classic target for black hats. By hacking it, they can upload fraudulent content that pushes online scams or malware on a large scale.
The good news is, YouTube leverages rock-solid defenses against exploitation, with its intelligent algorithms identifying common forms of foul play in a snap. However, perpetrators are increasingly adept at circumventing these obstacles.
Instead of trying to break the security backbone of the media giant – which is hardly feasible – hackers focus on executing social engineering attacks that target YouTubers. If a channel owner is duped into disclosing their sign-in credentials, a treacherous post-exploitation scenario comes into play.
YouTube Hacks Underlie a Soaring Cybercrime Economy
Security analysts at IntSights have recently shed light on the inner workings of the Dark Web underground that trades stolen YouTube credentials. According to their findings, this information is increasingly being put up for sale on hacker forums, and it is in demand among cybercrooks.
Unsurprisingly, the subscriber count is the fundamental variable for calculating the cost of these credentials, and the trade workflow is much like a regular auction. A channel with 200,000 subscribers is offered for at least $1,000, and the bidding logic implies a step of $200. The authentication details for more popular accounts are sold at proportionally higher prices and bidding steps.
In some scenarios, malefactors offer credentials for bundles of multiple smaller YouTube channels. Researchers spotted one of these wholesale initiatives on a forum thread offering access to nearly a million channels for an initial price of $1,500. A buyer who did not mind paying $2,500 could get the package with no contest.
This suggests that the seller was attempting to make a quick buck. Speaking of which, touting sign-in data at a low cost before victims report account takeover to YouTube and reclaim access is a usual tactic in cybercrime circles.
One more thread advertised a batch of nearly 700 active channels. The starting price was $400, and the bidding step was set to $100. To purchase those details without further ado, an interested party was required to pay $5,000.
The shady pricing approach is further illustrated by another ad where a hacker was selling access to 25 channels, five of which had more than 100,000 active subscribers. The trade process started at $600 and the step amounted to $100. Anyone willing to pay $2,500 could get the whole bundle without contest.
To get hold of YouTubers’ credentials, criminals typically combine social engineering with computer infections. In many cases, they orchestrate malware campaigns that hinge on phishing pages riddled with malicious payloads.
Hackers often portray themselves as potential sponsors and contact channel owners with lucrative business offers. This way, they bait gullible users into visiting sites that quietly drop an info-stealing Trojan onto their devices. The harmful code then harvests usernames and passwords as they are being entered in login forms.
The use of two-factor authentication can raise the bar for threat actors. A disconcerting thing in this regard is that the sellers of YouTube account credentials hardly ever mention 2FA in their offers, which means that most users do not bother enabling it.
SpaceX Channel Mimicked in a Recent Scam
Elon Musk’s revolutionary tech projects, including SpaceX, have been creating ripples around the world for years. It comes as no surprise that some cyber perpetrators are piggybacking on this hype to set their stratagems in motion. In June 2020, criminals reportedly hacked a trio of viral YouTube channels and uploaded materials advertising a rogue cryptocurrency offer.
The biggest catch was that this pseudo-deal was purportedly endorsed by Musk. Another decoy element was that the original content got a dodgy overhaul to resemble the legitimate SpaceX channel.
The breached channels (“Juice TV,” “Maxim Sakulevich,” and “Right Human”) have 27,000, 130,000, and 238,000 active subscribers, respectively. Attackers renamed them to “SpaceX” or “SpaceX Live.” When the hack was in full swing, the only content hosted on these accounts was a Musk interview and the recordings of a recent SpaceX press conference.
The phony cryptocurrency investment opportunity boiled down to submitting 0.1-20 bitcoins to a particular BTC wallet address, which would supposedly allow users to earn twice the amount immediately and with no strings attached.
Although this deal would make any vigilant user suspicious, the fraudsters received more than a hundred transactions in only two days. Wannabe investors sent them about $150,000 worth of cryptocurrency, only to bid farewell to their funds at the end of the day.
Sadly enough, a random video featuring a celebrity plus an eye-catching scam offer can be enough to hoodwink people into losing a fortune. The SpaceX channel impersonation plot was a clever fusion of social engineering and account hacks. On a side note, fake cryptocurrency deals are increasingly common these days and should be treated with caution no matter how trustworthy they appear.
How to Step up Your Channel’s Security
YouTube account compromise is a growing trend among black hats, and therefore users should proactively thwart this form of exploitation. The following recommendations will help you protect your channel against a takeover.
- Avoid using easy-to-guess access credentials. Specify a strong password and consider installing a reliable password manager that automates and secures the sign-in process.
- Enable a feature called Password Alert. Once you do, you will receive a notification whenever you type your password on a website unrelated to Google – for instance, a phishing page disguised as YouTube.
- Turn on two-factor authentication, with the second factor on a device other than the one you sign in from.
- Do not share your sign-in credentials with anyone. Keep in mind that YouTube never asks for these details.
- Enter valid contact information for account recovery, including your email address and telephone number.
- Refrain from clicking on dubious-looking links in emails or pop-up ads.
- Do not download software from unfamiliar sites.
- When an update is available for your operating system or a third-party application, be sure to apply it as it may include vulnerability patches that prevent hackers from gaining a foothold on your device.
An extra important tip is to go over the permissions on your YouTube channel. If you permit another person to access and manage it, make sure you do not delegate privileges they do not need. Roles such as “Editor” or “Manager” should not be granted left and right. This precaution helps minimize the damage if that user slips up and discloses their credentials to a scammer.