How malware started a Bitcoin hack that YouTube just can’t keep up with


We caught up with three creators whose channels were crippled during a YouTube hack.

If you’ve been keeping up with tech news this week, you’ve probably heard about, or seen first-hand, how many YouTube channels have succumbed to a widespread cyberattack. Over the course of the past week or so, many channels have been compromised by hijackers who have taken to broadcasting bogus live streams advertising Bitcoin scams. In some ways, the attack echoes the recent breach at Twitter, which generated thousands of dollars in scammed Bitcoin after a Twitter worker was paid to give hackers access.


Yet the YouTube saga is very different from the recent Twitter breach in a number of ways, most significantly in YouTube’s seemingly lax response to the problem. We caught up with three major YouTube creators to learn exactly what happened to their channels, and what happened when they went to YouTube for support. Whilst the details of the hacks themselves vary, one core theme remains: all of them feel let down by YouTube.

I talked with Craig Groshek, director/owner of Chilling Entertainment and the secretary of Chilling Tales for Dark Nights, an audio horror entertainment channel with over 1,500 videos and 340k subscribers, about what happened.

Not only was Craig a victim of this hack, but he’s also been outspoken on Twitter in trying to get help for many of the other creators who’ve been caught up in the scandal. Two such channels are ‘itsAamir’ and ‘PapaFearRaiser’. Between the two of them, they have nearly two million subscribers. Like Groshek, Aamir and Jordan (PapaFearRaiser) Antle both had their channels compromised, and they also kindly agreed to share their stories.

What happened?

Aamir, Antle, and Groshek discovered their YouTube accounts had been compromised over the course of the previous couple of weeks. All three channels were found to be broadcasting live Bitcoin scam videos inviting viewers to send Bitcoin to a BTC address with the promise that the money would be doubled. The videos looked like the. All three also discovered that many, though not all, of their YouTube videos had been made private, and their channels had been rebranded. This was common across all the hacks we have observed on YouTube.

“My channel was compromised on July 29, 2020, at around 4 PM CT,” states Groshek. “Hijackers totally bypassed 2FA and did not change my passwords, or attempt to redirect my AdSense. Rather, they set all my videos to private except for three, put up Bitcoin scam live streams, and changed my name to Tesla, as well as my logo. They removed all my playlists and channel links, and emptied my channel description.”

Many were quick to cry SIM swapping and some kind of 2FA bypass as a number of these hacks unfolded. However, the stories of the three creators here point to a rather different modus operandi. In the run-up to their channels being compromised, Aamir, Antle and Groshek all received emails from companies purportedly offering them sponsorship deals to plug software on their channels.

“Two weeks ago, I got a sponsor email, where I was told to advertise ‘Resolve 16’ video editor on my channel,” explains Aamir. Turns out, the email was bogus. After talking over email, and then WhatsApp, Aamir was given a link. Lured by the seemingly genuine deal, Aamir tried to run the software on his PC, only to be met with an error message, then nothing. At that point, he knew something was wrong.

Antle (PapaFearRaiser) tells a similar story:

I essentially received what appeared like a “professional” business email. This was somebody saying that they represented a business named Magix Studios and were offering me a business opportunity to advertise their product. Once I agreed, they sent me over the product link to download (which I presumed would be safe as I’ve done this sort of thing before and it was 100% legit) and after I downloaded the WinRAR file and opened it up, nothing had happened.

Like Aamir, Antle knew something was not right about the software he had just clicked on. Within 60 minutes, his whole YouTube channel was compromised.

Jordan received a frightening chain of emails saying that the recovery phone had been changed for his channel, then that 2FA had been switched off, then back on again, then that his password had been changed and a new device had logged in. A code was used to sign in to the channel, and then another new-device alert came in. Eventually, he got an email to say a video titled ‘Coinbase Live Conference: Coinbase Earn Recap 07/29/20’ was now live on his channel. All within the space of one hour.

Like Groshek and Aamir, all of Antle’s videos were made private, and the channel was rebranded as Coinbase Live.

Definitely malware

“Definitely malware.” I caught up with Rich Mogull, Security Analyst for Securosis and CISO for DisruptOps, to dissect these stories. “WinRAR files are among the most common sources,” he continues, explaining how hackers can use malware to establish connections from a trusted computer to change password and security settings (including MFA or 2FA) and take control of an account. When you switch off 2FA on Google, you don’t get a 2FA prompt to confirm the change, because you’ve already logged in as a trusted user on a trusted device or browser.

Further suggesting malware, not SIM swapping, was to blame, one of the first messages Antle received was to say his 2FA had been switched off, not that it had been used to sign in to a different device or browser. The stories don’t preclude some kind of 2FA, SIM swapping attack (and there are plenty of other compromised creators who might have fallen foul of this), but they do seem to suggest that in these two cases, a malware attack was the primary cause. Windows Defender told Aamir after the fact that the program he had downloaded seemed suspicious, but by then it was too late.


Groshek’s story is a bit different. Like Aamir and Antle, he got a suspicious email regarding a software sponsorship deal, but after making further inquiries and receiving a software download link, decided not to click on it. He did however notice a screenshot attached to the email. Mogull says this could indicate a “drive-by” malware attack, whereby malware could’ve been used even without Groshek clicking on the software download link. Mogull further notes that sometimes in the case of a ‘drive-by’, you don’t even have to read the email.

YouTubers are no strangers to getting sponsorship offers by email, and Antle tells me he’s received them before, both real and fake, regarding possible sponsorship deals. The faked emails are a common thread in every single story here, and even though Groshek didn’t click on his, it seems likely that receiving the follow-up email in the first place might have been enough. There is certainly a chance that the malware, in the course of extracting data from victims’ computers, could also have picked up phone numbers for a SIM swap, and 2FA by way of SMS remains a pretty shaky way to shore up any online account. But malware seems to have been the prime method used to compromise all three channels of the creators we spoke with.
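One defensive consequence of Mogull’s explanation: changes made through a stolen trusted session raise no 2FA prompt, but they do produce a burst of account notifications like the chain Antle received. The Python below is an added example, not part of the original article or of Google’s own tooling; it flags such a burst in constructed notification lines, and the event names, timestamps and device ids are all assumptions.

```python
from datetime import datetime, timedelta
# Sensitive account changes the hijackers chained from the victim's trusted
# session (event names are constructed, not Google's notification format).
SENSITIVE = {"recovery_phone_changed", "2fa_disabled", "2fa_enabled",
             "password_changed", "backup_code_used", "new_device_signin"}

# Constructed sample, loosely modelled on the hour-long chain of alerts Antle
# described; timestamps and device ids are made up.
SAMPLE = [
    "2020-07-29T16:02:00 recovery_phone_changed device=desk-win10",
    "2020-07-29T16:05:00 2fa_disabled device=desk-win10",
    "2020-07-29T16:06:00 2fa_enabled device=desk-win10",
    "2020-07-29T16:12:00 password_changed device=desk-win10",
    "2020-07-29T16:15:00 new_device_signin device=unknown-android",
    "2020-07-29T16:20:00 backup_code_used device=unknown-linux",
    "2020-07-29T16:21:00 new_device_signin device=unknown-linux",
    "2020-07-29T16:50:00 video_published device=unknown-linux",
]
# Ordinary activity: a sign-in, then a password change a day later.
BENIGN = ["2020-07-29T09:00:00 new_device_signin device=phone",
          "2020-07-30T09:00:00 password_changed device=desk-win10"]

def parse_events(lines):
    """Parse '<ISO time> <event> device=<id>' lines into sorted tuples."""
    events = []
    for line in lines:
        ts, event, device = line.split()
        events.append((datetime.fromisoformat(ts), event, device.split("=", 1)[1]))
    return sorted(events)

def detect_takeover(events, window=timedelta(hours=1), min_kinds=3):
    """Flag bursts of >= min_kinds distinct sensitive changes inside `window`
    in which 2FA is disabled and a new device then signs in."""
    alerts, i = [], 0
    while i < len(events):
        t0 = events[i][0]
        kinds, twofa_off, escalated, j = set(), False, False, i
        while j < len(events) and events[j][0] - t0 <= window:
            ev = events[j][1]
            if ev in SENSITIVE:
                kinds.add(ev)
                twofa_off = twofa_off or ev == "2fa_disabled"
                escalated = escalated or (ev == "new_device_signin" and twofa_off)
            j += 1
        if len(kinds) >= min_kinds and escalated:
            alerts.append((t0, sorted(kinds)))
            i = j  # report each burst once, then move past it
        else:
            i += 1
    return alerts
```

Run against SAMPLE the detector returns one alert starting at 16:02 listing all six sensitive changes, while BENIGN yields nothing.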

Dropping the ball

If the way these accounts seem to have been compromised wasn’t harrowing enough, YouTube’s response was arguably worse.

Aamir tweeted YouTube the night he realized he’d been hacked, and received a DM from TeamYouTube. As with other creators, he was asked to fill out a special form, after which they said someone from the Creator Support Hacking Team would get in touch via email.


From Aamir’s understanding, YouTube has to generate the form and send a hacked creator a special link, after which they have 72 hours to fill it in. Only the message that said “We’ve granted you access to this form” contained no such link. As of Thursday, August 6, Aamir had been waiting three days for YouTube to get in touch, after which YouTube simply told him that “the initial process to confirm an account has been hijacked can take a few weeks” and that they would be in touch. At the time of writing, Aamir’s channel is still totally compromised. He is still waiting for a response, his channel videos are all still private, and the channel’s name is still branded ‘Ethereum Foundation [LIVE]’.

Antle tells a similar story. “YouTube was very painful,” he says. “They gave deadbeat responses and I was left in the dark for the vast majority of the 4 days. Their Twitter staff made me feel like my situation was not serious when it was and didn’t help at all. They really didn’t make me feel as though they had my security in mind.”

Thankfully for Antle, someone from YouTube did in fact get back in touch, and his channel has mostly been restored. But he still can’t publish videos yet, more on that later…

Groshek too got his channel back, but not without a fight. He told me how YouTube provides “little to no tools to explain how to contact them and get this resolved online”, with no mention of Twitter accounts like @TeamYouTube or Google Support forums. “They do not inform you that TeamYouTube are middlemen with no authority”, he says, “or that these hacks and hijackings have been going on for many years.”

Groshek says that his faith in YouTube is so shaken that he plans to leave the platform within the next year.

Groshek says it took a week before anyone from YouTube Creator Support reached out via email, possibly after he posted on Google’s Support forums. You can imagine his surprise when he was told that they had no connection with @TeamYouTube and that he would have to provide all of the information to a second department again. Not only that, but neither department could handle the problem directly, and would have to forward the information on to their hijacking team. Groshek described his experience as “abysmal”, and said that YouTube’s handling of the crisis had done more damage to him and the other channels than the hackers. He continues:

“Regardless of whether channel operators ‘fell for’ sophisticated phishing attacks, YouTube should recognize they’re a main target for these types of attacks, and implement stronger means of protection to prevent this from happening … They themselves admit it’s happening so often they can’t keep up.”


But there is more

It is not just YouTube’s direct interaction with the creators that is questionable. Several times this week, I and other YouTube users have seen bogus Bitcoin live streams pushed onto our YouTube homepages as recommended videos. You couldn’t make this up.

YouTube is recommending the stream to me. pic.twitter.com/7baqhOrKAo

— Rene Ritchie (@reneritchie) August 6, 2020

The fallout for all the creators, especially Aamir (who still doesn’t have his channel back), is broad. Creators have lost subscribers as a consequence of the hacks: 1,200 for Groshek, and over 10,000 for Antle. Not to mention the loss of advertising revenue while their channels were compromised, both from videos that were hidden and from not being able to upload.


To add insult to injury, Antle and Groshek received Community Violation strikes on their channels due to the Bitcoin scam streams. Despite presumably being aware of the hack, YouTube rejected the appeals of both. In a tweet, Antle said:

Hey @ytcreators I literally appealed this attack and like I figured, it got refused. Can you please get some staff to assist me? This isn’t fair. For getting hacked, I’m being punished? pic.twitter.com/AQSlc2CIOu

— PapaFear VA 🎙️ (@TheFearRaiser) August 7, 2020

To add insult to the insult, YouTube then reset the upload ban penalty on Antle’s channel because he had appealed the decision. He appealed with just four days of the ban left, but he now has to wait a further seven days before he can upload any videos to his main channel, the first of which is a warning to his subscribers and the community about his experience.

Like Antle, Groshek was unable to post any videos on his Chilling Tales channel until yesterday, August 7. Way to go, YouTube.

Aamir, Antle, and Groshek are not the only creators affected by this. Notably, Apple leaker Jon Prosser had his YouTube channel FrontPageTech compromised. To prevent any further damage, the FPT channel was removed from YouTube; three days later, they’ve heard nothing at all.

To recap

The three creators we talked to are just the tip of the iceberg. As we mentioned earlier, Groshek in particular has vocally criticized YouTube over its handling of dozens of channels that have been hacked in recent days, showing that many other creators have been affected.

Add @AdamDuffArt and @jon_prosser to the list of those hacked by Bitcoin scammers this week. @ctfdn_official, @TheFearRaiser, @AlexHalford, @RecDTRH, @eltito_delfifa, @aamiristhis, & @KhujLeeFamily. How many more need to fall before you do something to stop this, @TeamYouTube? pic.twitter.com/GJY4rTj6ip

— Chilling Tales for Dark Nights (@ctfdn_official) August 6, 2020

Given the nature of the hacks (the Bitcoin live streams, privatizing videos, changing channel names), it seems highly likely that many of these attacks come from the same source. As mentioned, all three creators we talked to seem to have been exposed to malware through the promise of software sponsorship deals. Even though only two of the three creators downloaded files, the likelihood of a ‘drive-by’ attack through the email Groshek received appears to suggest that malware, rather than SIM swapping, may have been the mode of attack.

It is not possible to say what happened in the many other cases involving channels we haven’t spoken to, and there is every likelihood that many different methods, or perhaps a combination of exploits, have been used to gain access to those accounts.


What does not seem to be in any doubt, however, is how badly YouTube appears to have handled this. For them and others, YouTube is their source of income and livelihood. Yet when they went to YouTube for help, poor or non-existent communication, community strikes against their channels, and rejected appeals against those strikes have left a sour taste. For Groshek, it was enough to convince him it was time to leave the platform, and others may well be convinced by it too.

In the time of writing, Google had not responded to our request for comment on this story.

Article source and credit: androidcentral.com https://www.androidcentral.com/how-malware-started-bitcoin-hack-youtube-just-cant-keep