
Google pushes back on scale of YouTube phishing threat

Millions of YouTubers may be at risk after some high-profile influencers reported their accounts were compromised in an apparent phishing attack, but the platform’s owner, Google, is not so sure

YouTube’s owner Google has pushed back against suggestions that up to 23 million user accounts on the video platform may be at risk of falling victim to a targeted phishing campaign, following a number of reports of high-profile influencers – many but not all of them active within the online car tuning and modification community – having their accounts compromised.

First reported on 23 September, the phishing campaign lured its victims to fraudulent Google login pages to harvest account credentials. This enabled the attackers to gain access to and take over the targeted accounts, transferring them to new owners and making it appear to the legitimate owner that the channel had been shut down.

There are also suggestions the attack bypassed two-factor authentication (2FA), possibly using a toolkit known as Modlishka, which can intercept SMS messages sent as part of a 2FA service.

The researchers who uncovered the attack suggested that those responsible might be working from a compromised database of users.

However, YouTube has apparently so far seen no firm evidence that the breached accounts reflect a spike in hacking attempts above what it would normally see. Nor has it felt the need to send a security check to all 23 million allegedly vulnerable accounts.

“We have not seen evidence of an increase in hacking attempts over the weekend. We take account security very seriously and regularly notify users when we detect suspicious activity. We encourage users to enable two-factor authentication as part of Google's account Security Checkup, which decreases the risk of hacking,” said a YouTube spokesperson.

“If a user has reason to believe their account was compromised, they can notify our team to secure the account and regain control.”


Like most social media platforms, YouTube has a dedicated team of staffers set up to handle reports of account hijacking to help the rightful owner regain control of their account.

Jonathan Knudsen, a senior security strategist at Synopsys, suggested that the focus of the attack on end-users of the YouTube platform indicated that Google was actually doing a good job at securing it.

“Any proactive security-focused organisation following secure development practices, using security testing tools such as static analysis, software composition analysis and fuzz testing, will build more robust, more secure systems and applications,” he said. “Consequently, attackers will focus on the weakest area, which is often user interactions with the system.”

“The recent phishing attacks on YouTube are an escalation of a classic scheme, in which users are lured to fake login pages, where they enter legitimate credentials,” said Knudsen. “Cyber criminals are always looking for the weakest link in the cyber security protecting valuable assets; in this case, it was users. The best proactive defence against such attacks is education. With the right knowledge, fewer users would have fallen victim to these attacks.”

Rosemary O’Neill, director of customer delivery at NuData Security, which is part of the wider Mastercard organisation, said: “So far, the ultimate goal of the attack is unknown, however it clearly disrupted the service as many account owners couldn’t access their profile.

“It is not clear whether they monetised that disruption or if the ultimate goal was simply to attack those influencers,” she said. “The fact that the victims were influencers could mean the attacker was looking for media outreach; nothing like an influencer to make your attack popular.”

“Companies like YouTube need to have better tools to protect their users to reduce the chances of an attack,” said O’Neill. “Two-factor authentication was not enough, as attackers reportedly used a tool like Modlishka to intercept SMS codes. In this case, the reliance on user credentials was the main authentication gap – whether a password, a security question or a one-time code. Those require static credentials that are deterministic; they are correct, or they are not – there is no grey area.”

Protection advice

Sam Curry, chief security officer at Cybereason, reiterated the generally held advice to consumers to protect themselves against such attacks.

“The best advice is to always follow up with the sender directly if a request is made to transfer money or sensitive documents to a non-routine account or person,” he said. “If it doesn’t seem right, it likely isn’t, and picking up the phone or texting a co-worker or friend can stop the hackers in their tracks.”

Curry also advised YouTubers not to open attachments or follow links from unknown senders, even if those senders appear to be fans; not to follow links asking for credentials for services they are subscribed to; and to install browser plugins that expand shortened links so they can see the actual web address being sent to them.
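The last piece of advice, expanding a shortened link and checking where it actually lands, can be automated. The following is an added illustration, not code from the article, Google or any browser plugin; the redirect table and the list of genuine sign-in hosts are constructed assumptions for the demo (a real resolver would issue HEAD requests without following redirects and read each Location header).

```python
"""Expand a shortened link offline and judge whether the final host is a
genuine Google/YouTube sign-in host or a lookalike used on a fake login page."""
from urllib.parse import urlsplit

# Assumption: hosts that legitimately serve Google/YouTube sign-in pages.
# A defender would maintain and extend this list; it is not exhaustive.
LEGIT_LOGIN_HOSTS = {"accounts.google.com", "accounts.youtube.com"}

# Constructed stand-in for the HTTP 30x Location answers a short-link
# service would return; every value here is made up for the example.
FAKE_REDIRECTS = {
    "https://sho.rt/abc": "https://sho.rt/abc2",
    "https://sho.rt/abc2": "https://accounts.google.com.login-verify.example/signin",
    "https://sho.rt/ok": "https://accounts.google.com/signin/v2/identifier",
}


def expand_url(url, resolver=FAKE_REDIRECTS.get, max_hops=10):
    """Follow Location hops until the chain ends; return every URL seen.
    The hop cap guards against redirect loops."""
    chain = [url]
    for _ in range(max_hops):
        nxt = resolver(chain[-1])
        if nxt is None:
            return chain
        chain.append(nxt)
    raise ValueError("redirect chain too long: %s" % chain)


def login_host_verdict(url):
    """Return 'legit', 'lookalike' or 'other' for the host of a final URL.
    urlsplit().hostname ignores user-info, so a URL such as
    https://accounts.google.com@evil.example/ yields 'evil.example'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in LEGIT_LOGIN_HOSTS:
        return "legit"
    # A genuine name embedded inside another domain is the classic
    # lookalike pattern seen on fraudulent login pages.
    if any(h in host for h in LEGIT_LOGIN_HOSTS) or "google" in host:
        return "lookalike"
    return "other"


def inspect_short_link(url, resolver=FAKE_REDIRECTS.get):
    """Expand the link and return (final_url, verdict)."""
    final = expand_url(url, resolver)[-1]
    return final, login_host_verdict(final)


if __name__ == "__main__":
    for u in ("https://sho.rt/abc", "https://sho.rt/ok"):
        print(u, "->", inspect_short_link(u))
```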
