Over the past few days, a massive wave of account hijacks has hit YouTube users, and especially creators in the auto-tuning and car review community, a ZDNet investigation discovered following a tip from one of our readers.
Several high-profile accounts from the YouTube creators car community have fallen victim to these attacks already. The list includes channels such as Built [Instagram post, YouTube channel], Troy Sowers [Instagram post, YouTube channel], MaxtChekVids [YouTube channel], PURE Function [Instagram post, YouTube Support post, YouTube channel], and Musafir [Instagram post, YouTube channel].
But the YouTube car community wasn’t the only one targeted. Other YouTube creatorss also reported having their accounts hijacked last week, and especially over the weekend, with tens of complaints flooding Twitter [1, 2, 3, 4, 5, 6, 7, 8, 9, and many more] and the YouTube support forum [1, 2, 3, 4, 5, 6, 7, 8, 9, and many more].
Coordinated campaign bypassed 2FA
The account hacks are the result of a coordinated campaign that consisted of messages luring users to phishing sites, where hackers logged account credentials.
According to a channel owner who managed to recover their account before this article’s publication and received additional information from YouTube’s staff, we got some insight into how the full attack chain might have gone down.
- Hackers use phishing emails to lure victims on fake Google login pages, where they collect users’ account credentials
- Hackers break into Google accounts
- Hackers re-assign popular channels to new owners
- Hackers change the channel’s vanity URL, giving the original account owner and his followers the impression that their account had been deleted.
Some users reported receiving individual emails, while others said they received email chains that included the addresses of multiple YouTube creators, usually from the same community or niche.
This is what appears to have happened with the phishing attacks that targeted the YouTube creators car community, according to a YouTube video from Life of Palos, uploaded over the weekend — see 01:50 video mark.
The same Life of Palos also reported that hackers were capable of bypassing two-factor authentication on users’ accounts. He suggested that hackers might have used Modlishka, a reverse proxy-based phishing toolkit that can also intercept 2FA SMS codes.
However, this is only hearsay, and there is no actual evidence to confirm that hackers used Modlishka specifically. There are plenty of reverse proxy-based phishing toolkits around that can do the same.
Nevertheless, Ryan Scott, the owner of the PURE Function YouTube channel confirmed he used two-factor authentication on his account, validating that hackers did bypass 2FA on some of the hacked accounts.