It has been reported that a coordinated phishing campaign hit a yet unknown number of prominent YouTube influencers specialising in gaming, car industry, tech, and other topics. YouTube account hacks were possible due to phishing campaigns – the attackers sent out phishing emails to the influencers’ accounts which led them to spoofed sites, asking for their Google login credentials, which were then used to hijack YouTube accounts.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
The massive YouTube account takeover attack demonstrates just how effective and detrimental a phishing email can be. By sending convincing emails to YouTube influencers directing them to a seemingly legitimate Google login page, hackers are attempting to steal login credentials and take over accounts.
To stop attacks like this, the first essential step is to prevent malicious emails from ever entering inboxes. It’s just not realistic to expect the receiver to accurately identify and ignore phishing emails, as these messages are often highly convincing and indistinguishable from legit emails. Most email defenses will focus on the content of the messages and the links they contain, but by focusing on authenticating the identity of the sender, more than 83% of malicious emails can be stopped in their tracks. Properly enforcing DMARC and implementing advanced anti-phishing solutions that validate sender identity can add a crucial defensive layer to stop these types of attacks.
While SMS 2-factor authentication is better than no second factor, this incident is still a reminder of its weaknesses which is why NIST stopped recommending its use back in 2016. It is important that the industry moves towards newer tools such as time-based One-time Password (TOTP), which recycles numbers every 30-90 seconds on a physical device, or Universal 2nd Factor (U2F), such as Yubikey, given that attacks like this will only become easier to execute over time.
The recent phishing attacks on YouTube are an escalation of a classic scheme, in which users are lured to fake login pages, where they enter legitimate credentials. Cybercriminals are always looking for the weakest link in the cybersecurity protecting valuable assets; in this case, it was users.
The best proactive defence against such attacks is education. With the right knowledge, fewer users would have fallen victim to these attacks.
The fact that users were the target of these attacks indicates that Google has done well in securing YouTube. Any proactive security-focused organisation following secure development practices, using security testing tools such as static analysis, software composition analysis, and fuzz testing, will build more robust, more secure systems and applications. Consequently, attackers will focus on the weakest area, which is often user interactions with the system.
This well-coordinated attack on influencers combines a simple methodology like phishing with advanced techniques like reverse proxy. Phishing remains a popular methodology because bad actors can count on many users to click indiscriminately. Add to this – new techniques to spoof widely used websites and intercept credentials, and you have the ingredients for a well-oiled machine for spying on, stealing from, and misinforming consumers. Users must pay greater attention to what they click on, whether those links are on trusted sites or in emails. Website owners should use more robust two-factor authentication methods like those requiring physical keys, and closely monitor their sites on the client side. The fact that new techniques like reverse proxy make it easier for even less savvy hackers to conduct their own campaigns will make these attacks more prevalent.
So far, the ultimate goal of the attack is unknown, however it clearly disrupted the service as many account owners couldn’t access their profile. It is not clear whether they monetized that disruption or if the ultimate goal was simply to attack those influencers. The fact that the victims were influencers could mean that the attacker was looking for media outreach; nothing like an influencer to make your attack popular!
In any case, as the ZDNet investigation points out, it was deployed with well-known techniques such as phishing. To combat against this, users should never click on links or open attachments from unknown senders, and should check the spelling of the sender’s name to ensure it is correct.
Companies like YouTube need to have better tools to protect their users to reduce the chances of an attack. Two-factor authentication was not enough, as attackers reportedly used a tool like Modlishka to intercept SMS codes. In this case, the reliance on user credentials was the main authentication gap – whether a password, a security question or a one-time code. Those require static credentials that are deterministic; they are correct, or they are not – there is no grey area.
Today’s user authentication needs to also look at behavioral patterns to determine the legitimacy of each login, as this uncovers if a login’s behavior is expected for a user or not. Companies who are adding behavioral technologies to their authentication stack are preventing attacks such as this one – which rely on credentials. Instead, companies can prevent these attacks before they happen, leaving those attackers far from their user’s accounts – and far from the media spotlight.