YouTube: hackers take over popular channels with just an email address

In recent months, YouTube channel hijacking has exploded. Most often, hackers seek to take over popular channels and turn them into vehicles for promoting cryptocurrencies. Viewers are then urged to invest in Bitcoin or another digital currency through a fraudulent platform. Most of the time, a single email is all the hackers need to gain control. Here is how it works.


You may have heard of the misadventures of Michou, a French YouTuber with 7 million subscribers. To his great surprise, he discovered on April 11, 2022 that the platform had deleted his channel for promoting cryptocurrencies and promising dubious returns on investments.

Of course, it was a hack, and the videographer quickly regained control of his channel. Unfortunately, this YouTuber is not the only victim of this kind of scam. For several months now, YouTubers and streamers (whether extremely popular or more modest) have been regularly targeted by hackers, and it is not uncommon to find hundreds of stolen accounts for sale on the dark web. The objective is the same each time: capture the passwords to a videographer's YouTube account, change the channel name and banners, and exploit the follower count to tout fake crypto investments.


A request for sponsored content and an email are enough

The operating mode is also very simple: the hackers pose as a brand looking to collaborate with a YouTuber or streamer on sponsored content, generally for an Android or iOS application. After a few email exchanges, the videographer receives a PDF file containing a link to download the application in question. Of course, that URL hosts malware capable of harvesting the passwords and login identifiers stored in the victim's browser.

Marc Nebout, a computer security researcher at Sekoia, analyzed some of the URLs sent to affected YouTubers for our colleagues at Numerama. He explains in particular that the two sites are registered under a PW (Professional Web) domain name and that the download link is actually hosted on Discord, the victim only seeing a copy of the page on screen.

Once the download is complete, the videographer receives a password-protected ZIP file, the password naturally being supplied by the hacker in the PDF. This is where the malware hides: because the archive is encrypted, web monitoring tools cannot inspect its contents, and the malware evades detection. To guard against this kind of attack, the expert advises systematically using two-factor authentication. But that is far from enough, since some hackers have already managed to bypass two-factor authentication to take control of YouTube channels.
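A scanner cannot open an encrypted archive, but it can at least tell that the archive is encrypted and hold it for review. The following added example (not code from the article, Sekoia or Numerama; it assumes a mail or web gateway that sees the raw ZIP bytes) walks the ZIP central directory and reports every entry whose general-purpose flag bit 0 is set, which is how both classic PKWARE and AES password protection are signalled. The sample archives are constructed in the block itself.

```python
import io
import struct
import zipfile
import zlib

FLAG_ENCRYPTED = 0x0001          # general-purpose flag bit 0: entry is password-protected
CDIR_SIG = b"PK\x01\x02"         # central directory file header signature
EOCD_SIG = b"PK\x05\x06"         # end-of-central-directory record signature

def encrypted_entries(data: bytes) -> list[str]:
    """Return the names of password-protected entries without extracting anything.
    Raises ValueError if the bytes are not a (single-disk) ZIP archive."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP archive")
    # EOCD: sig(4) disk(2) cd_disk(2) entries_on_disk(2) entries_total(2) cd_size(4) cd_offset(4)
    n_entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    names, pos = [], cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("corrupt central directory")
        (flags,) = struct.unpack_from("<H", data, pos + 8)          # flags follow sig + 2 version fields
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if flags & FLAG_ENCRYPTED:
            names.append(name)
        pos += 46 + name_len + extra_len + comment_len                 # fixed header is 46 bytes
    return names

def stdlib_view(data: bytes) -> list[str]:
    """Cross-check: the standard library exposes the same flag via ZipInfo.flag_bits."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & FLAG_ENCRYPTED]

def build_sample_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Constructed sample: a one-entry, stored (method 0) archive. With encrypted=True only the
    flag bit is set, mimicking how a password-protected ZIP looks to a scanner (no real cipher)."""
    flags, crc, n = (FLAG_ENCRYPTED if encrypted else 0), zlib.crc32(payload), name.encode()
    local = (b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0x21, crc,
                                         len(payload), len(payload), len(n), 0) + n + payload)
    cd = (CDIR_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, 0, 0, 0x21, crc,
                                 len(payload), len(payload), len(n), 0, 0, 0, 0, 0, 0) + n)
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(cd), len(local), 0)
    return local + cd + eocd

if __name__ == "__main__":
    for enc in (False, True):
        sample = build_sample_zip("app.exe", b"MZ-constructed-sample", enc)
        print("encrypted entries:", encrypted_entries(sample), "| zipfile agrees:", stdlib_view(sample))
```

A gateway that finds any encrypted entry in an unsolicited attachment can quarantine it for manual review instead of passing it through unscanned.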
