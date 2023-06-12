June 12, 2023 08:30 am | Updated June 11, 2023 10:28 pm IST

The story so far: On June 5, veteran Indian journalist Barkha Dutt said the email and YouTube channels of her digital news platform The Mojo Story had been hacked by cybercriminals. Upon gaining access to the channel, the hackers deleted its videos. YouTube froze the account after receiving a complaint from the journalist, and the account with all its content was later restored. Accounts of comedian Tanmay Bhat and YouTuber Abdu Rozik were also reportedly compromised. While the content of these YouTube channels differs, they had one thing in common: a high subscriber count. Tanmay Bhat's YouTube channel had around 4.4 million subscribers, and the other channels had well over 500k subscribers each.

Why do hackers target YouTube content creators?

Hackers attack such accounts either to extort a ransom from the owner or to reach the account's audience with scam links and other malware. When a stolen channel is to be used for distribution, the attackers rename it, swap its profile picture and replace its content, often imitating a large company or a well-known individual to widen the reach of the attack. They typically remove the original publisher's videos and post content that lures subscribers into clicking the malicious links they share.

Attackers also restrict or disable comments on hijacked channels. One trick is to allow comments only from people who have been subscribed for 15 or even 20 years, which in practice excludes almost everyone. Either way, the original owner is prevented from warning subscribers in the comments.

How do threat actors hijack YouTube channels?

Hackers do not need to steal passwords to take over such channels. Socially engineered phishing campaigns deliver malware that copies the session tokens stored by the victim's browser, and those tokens alone are enough to use the account. Cookie theft, or the theft of session tokens, has been around for some time and is also known as a "pass-the-cookie" attack, Google's Threat Analysis Group noted in a blog post.

A typical attack begins with an email to the creator that pretends to come from a genuine company. The first email contains no suspicious links or files; it proposes product placement or a collaboration and is there to put the target at ease. Subsequent emails carry zipped folders, or links to a cloud storage service, presented as contracts or other important information. Inside the archive, the malware is disguised as Word or PDF files, alongside fake forms, and the files are often inflated to a size that mail servers and antivirus scanners will not inspect. The malware runs when the victim extracts the archive and opens what appears to be a document but is in fact an executable. It then harvests session tokens from the victim's browsers, and those tokens are used to access the victim's account. Most of the malware seen in these campaigns steals both saved passwords and cookies, Google said.

A session cookie is a piece of data the server creates after a successful login and hands to the browser. The browser stores it and sends it back with every subsequent request, which is how the server recognises the user without asking for credentials each time they open their account. That "remember me" convenience is what the attackers exploit: a stolen cookie presented from the attacker's machine is accepted as the victim's already-authenticated session, so neither the password nor the two-factor authentication code is ever requested.

Links to cloud storage services serve the same purpose: they deliver the same token-stealing malware as a download rather than as an attachment, and the end result is again a session token that bypasses the need for login credentials.

What is Google doing to stop such attacks on YouTube creators?

Google said in 2021 that it was continuously improving its detection methods, with tools and features that automatically identify and block such threat actors. YouTube has also made channel transfers more stringent and has added features for the automatic recovery of hijacked accounts. Judging by the reported incidents and the comments of YouTubers, however, these measures may not be enough. YouTubers have complained that the platform does not require them to re-enter their password or a two-factor authentication code before a profile picture is changed or all the videos on a channel are removed.
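The cookie replay described under "How do threat actors hijack YouTube channels?" and the missing re-authentication step that YouTubers complain about above, modelled as an added Python example. This is not YouTube's or Google's code: the account service, the creator's credentials, the client fingerprints and the five-minute step-up window are all constructed for illustration. The first scenario shows why a stolen cookie is enough; the two hardening switches show what a platform can do about it.

```python
import secrets
from dataclasses import dataclass

# Toy account service, not YouTube's code. Account data, timestamps and thresholds are constructed.
USERS = {"creator": {"password": "correct horse", "totp": "123456"}}
SENSITIVE_ACTIONS = {"delete_all_videos", "change_profile_picture", "transfer_channel"}
STEP_UP_WINDOW = 5 * 60  # seconds: a sensitive action needs password+2FA presented within this window


@dataclass
class Session:
    user: str
    last_strong_auth: float  # when password and 2FA were last entered on this session
    client_fp: str           # fingerprint of the client that logged in (e.g. hash of IP and User-Agent)


class AccountService:
    """Cookie-authenticated service with two hardening switches, both off by default."""

    def __init__(self, require_step_up=False, bind_client=False):
        self.require_step_up = require_step_up
        self.bind_client = bind_client
        self.sessions = {}                                # cookie value -> Session
        self.videos = {"creator": ["ep1", "ep2", "ep3"]}  # constructed channel content

    @staticmethod
    def _credentials_ok(user, password, totp):
        rec = USERS.get(user)
        return (rec is not None
                and secrets.compare_digest(rec["password"], password)
                and secrets.compare_digest(rec["totp"], totp))

    def login(self, user, password, totp, client_fp, now):
        """Full login with password and 2FA; returns the cookie value or None."""
        if not self._credentials_ok(user, password, totp):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user, now, client_fp)
        return cookie

    def reauthenticate(self, cookie, password, totp, now):
        """Step-up prompt: refresh the strong-auth timestamp on an existing session."""
        sess = self.sessions.get(cookie)
        if sess is None or not self._credentials_ok(sess.user, password, totp):
            return False
        sess.last_strong_auth = now
        return True

    def act(self, cookie, action, client_fp, now):
        """Perform an action authenticated only by the cookie; returns a status string."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return "denied: no valid session"
        if self.bind_client and sess.client_fp != client_fp:
            return "denied: session presented from a different client"
        if (action in SENSITIVE_ACTIONS and self.require_step_up
                and now - sess.last_strong_auth > STEP_UP_WINDOW):
            return "step-up required: re-enter password and 2FA"
        if action == "delete_all_videos":
            self.videos[sess.user] = []
        return f"ok: {action} by {sess.user}"


T0 = 1_686_500_000.0  # fixed timestamp so the scenarios are reproducible


def pass_the_cookie(require_step_up=False, bind_client=False):
    """Creator logs in; an infostealer exfiltrates the cookie; the attacker replays it an hour later."""
    svc = AccountService(require_step_up, bind_client)
    cookie = svc.login("creator", "correct horse", "123456", "creator-laptop", T0)
    status = svc.act(cookie, "delete_all_videos", "attacker-vps", T0 + 3600)
    return status, svc.videos["creator"]


def creator_deletes_after_reauth():
    """With step-up on, the real owner is prompted once, re-enters password+2FA, and then succeeds."""
    svc = AccountService(require_step_up=True)
    cookie = svc.login("creator", "correct horse", "123456", "creator-laptop", T0)
    first = svc.act(cookie, "delete_all_videos", "creator-laptop", T0 + 3600)
    svc.reauthenticate(cookie, "correct horse", "123456", T0 + 3600)
    second = svc.act(cookie, "delete_all_videos", "creator-laptop", T0 + 3601)
    return first, second


if __name__ == "__main__":
    for flags in ({}, {"require_step_up": True}, {"bind_client": True}):
        print(flags or "no hardening", "->", pass_the_cookie(**flags))
    print("owner with step-up ->", creator_deletes_after_reauth())
```

Of the two switches, step-up re-authentication is the stronger control: the thief has the cookie but not the password or the 2FA device, so the destructive action stops at the prompt while the owner gets through after one extra dialog. Binding the session to a client fingerprint is a weaker second layer, because the same infostealer that takes the cookie can also record the victim's User-Agent, and the owner's IP address changes legitimately.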

How do we improve security?

Content creators can reduce the probability of their YouTube accounts being hijacked. Useful measures include learning to recognise the typical signs of phishing emails and other social-engineering approaches, not following suspicious links, especially from unverified senders, and not downloading or opening archived attachments from untrusted sources.
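The archived "contract" described under "How do threat actors hijack YouTube channels?" is the attachment the advice above tells creators not to open. As an added example that is not part of the original article, the following Python triage checks a zip attachment in memory for the traits that lure relies on: an executable hiding behind a document extension, a Windows executable header under a harmless-looking name, and a file padded to a size that scanners skip. The thresholds, the sample archive and the file names are constructed; the 25 MiB scanner limit is a hypothetical value, not any vendor's.

```python
import io
import zipfile

# Added example; thresholds and sample data are constructed, not taken from a real mail gateway.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".msi", ".lnk"}
SCANNER_LIMIT = 25 * 1024 * 1024  # hypothetical per-file size above which a mail scanner gives up
PADDING_RATIO = 50.0              # uncompressed/compressed ratio above which junk padding is likely


def _extensions(member_name):
    """All dotted suffixes of the base name, lower-cased: 'Contract.pdf.exe' -> ['.pdf', '.exe']."""
    base = member_name.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def triage_archive(data):
    """Inspect a zip attachment held in memory; return a list of findings (empty means nothing flagged)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                magic = fh.read(2)  # only the header is decompressed, so this is cheap even for huge members
            if last in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
                findings.append(f"{info.filename}: executable disguised with a document extension")
            elif last in EXECUTABLE_EXTS:
                findings.append(f"{info.filename}: executable inside archive")
            if magic == b"MZ" and last not in EXECUTABLE_EXTS:
                findings.append(f"{info.filename}: Windows executable header (MZ) under a non-executable name")
            if info.file_size >= SCANNER_LIMIT:
                findings.append(f"{info.filename}: {info.file_size} bytes, above scanner size limit")
            if info.compress_size and info.file_size / info.compress_size > PADDING_RATIO:
                ratio = info.file_size / info.compress_size
                findings.append(f"{info.filename}: compresses {ratio:.0f}x, consistent with junk padding")
    return findings


def build_archive(lure):
    """Constructed sample: a benign terms.pdf alone, or the same plus two disguised executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Brand Collaboration/terms.pdf", b"%PDF-1.4\n% decoy document, constructed\n")
        if lure:
            # Fake PE header followed by 26 MiB of zero padding; with default Windows settings the
            # name is shown as "Contract.pdf" because known extensions are hidden.
            zf.writestr("Brand Collaboration/Contract.pdf.exe", b"MZ" + b"\x00" * (26 * 1024 * 1024))
            # Executable bytes under a document name, no padding.
            zf.writestr("Brand Collaboration/Rates.docx", b"MZ" + bytes(range(256)))
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_archive(build_archive(lure=True)):
        print(line)
```

The padding and size checks are two views of the same trick: zero-filled bloat compresses to almost nothing, so the archive stays small enough to email while each extracted file exceeds what a scanner is willing to inspect. A real gateway would add sandbox detonation, but the name and header checks alone catch the document-with-an-MZ-header pattern that this campaign depends on.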

