The Growing Trend of YouTube Channels Takeover by Hackers

Here’s Why You Should Take Security Steps to Secure Your YouTube Channel

Any online service boasting a broad audience of fans is a coveted asset for cybercriminals. If compromised, it can fuel massive stratagems that run the gamut from scams to unethical advertising. A YouTube channel with numerous subscribers is an excellent example of such a resource. Hundreds of thousands of users are tuned for viral content uploaded to some of these accounts, which turns them into a goldmine of sketchy opportunities for black hats out there.

The silver lining is that the global streaming media giant is doing a great job safeguarding its digital infrastructure against hacks. Therefore, malicious actors have to think out of the box to dodge these roadblocks. The primary attack vector relies on social engineering frauds to steal YouTuber’s credentials. This unauthorized access becomes a source for further exploitation, such as the promotion of fake investment offers, delivery of intrusive ads to visitors, and even extortion.

A Growing Dark Web Economy With YouTube Hacks at Its Core

According to the recent findings of threat intelligence experts, stolen YouTube credentials are rapidly gaining traction among cybercrooks. This data is being increasingly offered for sale on hacker forums, and there appears to be considerable demand for it.

The prices depend on the subscriber count, and the trade process resembles a garden-variety auction. The minimum value of a single YouTube channel with 200,000 fans is typically around $1,000. As the bidding mechanism kicks in, those interested in buying the credentials can offer a higher price with a step of $200. The sign-in details for accounts that have more subscribers are traded at proportionally bigger values and bidding steps.

Some crooks put up batches of multiple less popular channels for sale. For instance, one of the threads on a cybercriminal forum advertised a bundle of almost 1 million active channels, starting at $1,500. Interestingly, whoever was willing to pay $2,500 could obtain the full list without further ado. In this scenario, the unscrupulous trader was trying to make money fast. By the way, cashing in before the victims file abuse reports and regain access to their accounts is a common trend in this ecosystem that explains the occasionally low cost.

In another post, a forum user offered a log of 687 active accounts. The minimum bidding price was set to $400, and the step was $100. The “blitz” offer to buy them all without contest required a $5,000 payment.

Researchers came across one more offer where the malefactor was trying to sell access details for more than 25 accounts, some of which had a subscriber count exceeding 100,000. The starting price and the bidding steps were $600 and $100, respectively. To purchase the entire log on the spot, an interested party had to cough up $2,500 in a single payment.

How do the crooks obtain YouTube channel owners’ credentials? The tactics are mostly a combo of social engineering and harmful code. Many incidents rely on malware campaigns backed by drive-by downloads that lurk on phishing sites. Hackers impersonating sponsors contact YouTubers with bogus partnership proposals and lure them into visiting such booby-trapped pages. The info-stealing component of the infection then infiltrates the victim’s device surreptitiously and captures their keystrokes as they log into their accounts.

Security mechanisms like two-factor authentication can reduce the risk considerably. However, since perpetrators don’t mention 2FA in their ads on Dark Web forums, the feature appears to be disabled in most cases.

The Latest Hoax Impersonating SpaceX YouTube Channel

Scammers follow the headlines and hardly ever miss hype trains. The SpaceX theme has been in its spotlight for quite some time. In a recent move, crooks took over three popular YouTube channels and repurposed them to broadcast a fake cryptocurrency deal supposedly endorsed by Elon Musk. Further, to instill trust in users, the content was fraudulently modified to mimic the official SpaceX channel.

This foul play took roots in early June 2020, where Criminals compromised YouTube channels called “Juice TV,” “Maxim Sakulevich,” and “Right Human.” Their subscriber count ranges between 20,000 and 230,000. As part of the exploitation, they were renamed to “SpaceX” or “SpaceX Live.”

Instead of providing their everyday materials to viewers, these hijacked channels started streaming an Elon Musk interview or the latest SpaceX conference recordings. The main catch was a jaw-dropping cryptocurrency offer that occupied the more significant part of the screen. It encouraged users to send 0.1 BTC to 20 BTC to a specified Bitcoin address and get a double return on investment instantly.

Although the offer looked too good to be true, it generated well over 100 transactions in just two days and collected roughly $150,000 worth of Bitcoin. The unsuspecting “investors” never got their original funds back, let alone that they earned nothing. The frightening thing about this story is that people can fall for a scam that showcases a famous person in a streaming video.

Again, this is a classic instance of mixing account takeover with social engineering into a highly effective stratagem. To avoid being defrauded this way, you should treat attractive cryptocurrency offers with a reasonable degree of paranoia. At the very least, google receives a Bitcoin address to check if it has been previously involved in scams.

Is Your Channel on the Safe Side?

With malefactors increasingly focusing on YouTube account hacks, users need to make sure their channels aren’t low-hanging fruit. However, tactics of criminals vary, as several simple countermeasures can stop most attackers in their tracks. Here is a summary of these best practices you should follow:

Use a strong password and consider leveraging a trusted password manager.
Turn on the Password Alert feature to be notified whenever you enter your password on a non-Google website (e.g., a phishing page that mimics YouTube).
Enable 2FA to thwart unauthorized sign-in.
Don’t disclose your credentials to anyone. YouTube will never request these details. If you receive a message asking for your password, there is no doubt that it comes from an impostor and should be ignored.
Make sure your account recovery phone number and email address are accurate.
Don’t click on suspicious links in emails, pop-ups, or websites.
Avoid downloading applications from dubious resources.
Keep the operating system and third-party software on your devices up to date.

It’s also a good idea to audit the permissions on your channel. If you allow someone else to access and manage it, specify that person’s privileges wisely. The “Manager” or “Editor” roles may not be appropriate for everyone.

Combating the Menace

If you adhere to the above checklist, your YouTube channel ownership experience should be safe and hassle-free. An important thing to consider is that hampering the dynamically escalating threat is a community effort. In case you come across a new hoax targeting YouTubers, spread the word about it on popular resources such as Google Support forums and Reddit.

Make sure you have a plan B. If you haven’t added account recovery options yet, the best time to do it is right now. This way, you can regain access to your channel before crooks get the chance to monetize it behind your back.

About the Author :

About David Balaban

david-balaban David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
See Author’s Website