Massive YouTube Bitcoin Hack - Currently Happening

[zeusthemoose]

Massive thanks to @Pascal... for sharing this with me

 

Summary

 Many popular YouTubers (some with tens to hundreds of thousands of subscribers) have recently been locked out of their accounts. The hackers are changing the channels name and profile picture to things related to space. Mostly SpaceX, Nasa, Elon Musk, or a combination of those. In many cases, the hackers are also deleting all the old videos from that channel.

 But here is where it gets worse. These hacks are very similar to the recent Twitter hack; not only are they taking over and basically destroying the channels, but they are also trying to scam people. All the hacked channels held live streams that ended around a day ago promising to double whatever bitcoin you sent to them. Their excuse was that they wanted to increase interest in cryptocurrency. As of earlier today, they had made over $4,000. The live streams had anywhere from a few hundred to 45 thousand viewers. Many of those views are believed to be bots though.

 Reports of this happening have been coming in for months (since before the Twitter hack) but the majority seem to have happened this week after esports commentator Rod Breslau tweeted about it. However, YouTube has been very slow to react having only disabled the accounts recently and taking weeks to return the accounts to their rightful owners.

 As of now, it appears that the accounts were hacked individually (likely through malicious emails) and not through an admin account like the Twitter hack but this has not been fully investigated yet.

 

Update (8/7/20):

 One of the scam streams reached over 100,000 viewers! At some point, the videos were even being recommended by YouTube. It has also been discovered that some of the hacked channels did have 2FA active and it was likely what was used to gain access to the accounts in the first place (sim swap). Still no word from YouTube about what they can do for the YouTubers who lost their channels but the atleast one of the creators (Jon Prosser from what was Front Page Tech) has started a new one and is currently fundraising to get help because they no longer have monetization or their Adsense account.

 

Update 2 (8/7/20 afternoon):

Front Page Tech has released a video explaining what happened to them

 

 

Quotes

Quote

As SpaceX and NASA made history last week with their first ever spaceflight together, millions flocked to YouTube to watch astronauts return to Earth.

Tens of thousands of those viewers unwittingly clicked on videos that appeared to be official SpaceX livestreams, posted by seemingly legitimate YouTube channels with hundreds of thousands of subscribers. Instead, they were met with "Bitcoin giveaway" messages urging them to send Bitcoin in order to be paid back double — a common scam tactic.

Hackers appear to have compromised several high-profile YouTube channels in the past week, changed the channel names to hot-button topics like SpaceX or Elon Musk, and promoted Bitcoin scams. The trend was pointed out Monday by esports commentator Rod Breslau.

The tactics appear similar to those employed by the hackers who compromised Twitter last month, taking over verified accounts, including Kim Kardashian's and Barack Obama's, and using them to promote Bitcoin scams.

But while the Twitter breach was the result of hackers gaining access to Twitter's internal tools and systems, it's possible that each hacked YouTube channel was taken over separately, without hackers compromising YouTube's internal tools. Nonetheless, hacked channels promoting Bitcoin scams appears to be pervasive on YouTube.

(Business Insider)

 

My thoughts

 Assuming each channel was taken over separately, I am very surprised the hackers were able to get so many of them. I am also surprised that YouTube has taken so long to deal with this. Many of the streams were up for much longer than they should have been. It is fortunate though that only $4k was stolen when compared the massive amount last month on Twitter (over 100k last time I checked). Not only are these channels going to have to get back all the deleted videos, but also the subscribers they lost because of the live streams. Hopefully they will all recover. Does anyone know if YouTube keeps the deleted videos somewhere that can be restored?

 

Sources

 imore

 Business Insider

 CoinTelegraph

Edited August 7, 2020 by zeusthemoose

[zeusthemoose]

4 minutes ago, BlueScope819 said:

Oh and by the way, what's the scam here?

They are promising to return double the amount of bitcoin you send to them. Same thing as the Twitter hack just not working as well.

[soldier_ph]

This has to stop. Twitter and YouTube have to drastically increase their security and authentication measures in order to prevent such Hacks to happen again in the future. Nasa and SpaceX are really great Space Organizations/Companies and this is really hurting their PR and believability. It will only drive even more uneducated people to create Fake News and Conspiracy Theories. This year is already bad enough, we don't need more Personal Data and Money getting stolen from Users.

Otherwise great reporting @zeusthemoose !

[ARikozuM]

And I would have gotten away with it if it weren't for those pesky kids did get away with it because Youtube's security sucks. 

[Letgomyleghoe.]

This has been happening for quite a while now. Somewhere in January-February this year a bunch of smaller channels got hacked through through a fake sponsor email and had litecoin streams going on them 24/7. A few channels I watched had this happen to them and because it wasn't fixed for over a month I thought the channels just became a litecoin ad so I unsubscribed. I check back in mid February and Brothgar's second channel uploaded a video about how he got hacked and at the time the channel was still hacked after almost 2 months. Eventually everything got sorted out but in the end all the smaller youtubers viewers were gone and they were making less than half of what they used to.

[WkdPaul]

39 minutes ago, Pascal... said:

*snip*

Not trying to victim shame here, but MFA should ALWAYS be used (I know there are ways around it), this is reminiscent of the Ring Alarm "hacks" that happened a while ago.

 

I know it's not fun to hear, but using the same password for many, or all, accounts and not using MFA is the best way to get you shit hacked. There are leaks happening every month or so, and getting the password you're using everywhere exposed is a sure way to give nefarious people access to your whole digital life.

 

So, a small PSA ;

• Use hard to crack passwords (not shit like 3Rdxzse6*, those randomized numbers are easier for brute force attack to crack, use a sentence that makes sense to you ; HeBeDroppinThings24-7 (exemple of a LTT forum password  ... please DON'T use it! ),
• Enable MFA everywhere it's available !!!! (for the LTT forum, it's OVER HERE ),
• Make sure to save your backup codes somewhere safe (you'll usually get backup codes in case your MFA becomes unavailable for some reason),
• Use password managers if you need (though, while I use LastPass, I recommend another that I also use ; KeyPass, it's offline, so less chance of another leak),
• Do not reuse passwords, yes it's easier and convenient, but even with MFA enabled, this is one of the ways people can get into your accounts,
• And for your main email account ; make it the most secure account, as much as possible! Because if they get into your email, you're done, they can reset your passwords and get into all your other accounts,
• If you're in the USA, use privacy.com, it's a way to get temporary CC numbers, so in case one of your shopping account gets hacked, the damage is reduced, for people outside of the USA, see if your CC company or your bank offer a similar service, I heard some do (in Canada, Koho offers such a service).

 

These might sound logical and obvious, but you wouldn't believe the amount of people that use super easy passwords for ALL their accounts (123456789, or WelComE!, etc... seriously, look at the data ; https://www.wtoc.com/2020/05/07/national-password-day-how-make-your-accounts-safer/ )

Edited August 6, 2020 by wkdpaul
typo

[wall03]

4 minutes ago, wkdpaul said:

4 minutes ago, wkdpaul said:

• And for your main email account ; make it the most secure account, as much as possible! Because if they get into your email, you're done, they can reset your passwords and get into all your other accounts

 

yeah Lastpass is great for that

[WkdPaul]

6 minutes ago, wall03 said:

yeah Lastpass is great for that

That's why I said people should use password managers like Keypass, it's a software with an encrypted file that is on your computer or phone, nothing online so it's one less vector of attack.

 

EDIT ; not saying LastPass and other similar services aren't secure, I'm sure these guys are a lot more aware of what type of security they have to implement and maintain than a lot of other services, but I prefer having it offline for my important stuff.

Edited August 6, 2020 by wkdpaul

[RejZoR]

Whoever falls for this (again) is an idiot and deserves to be robbed. This crap was stupid when it was going on Twitter and it's equally as stupid on Youtube...

[zeusthemoose]

23 minutes ago, wkdpaul said:

Not trying to victim shame here, but MFA should ALWAYS be used (I know there are ways around it), this is reminiscent of the Ring Alarm "hacks" that happened a while ago

That was something that a lot of the youtubers brought up. They were saying they wished that google required it. Why they didn’t turn it on themselves then? I don’t know.

 

I am all for MFA, but the downside is things like Twitter happens where advertisers are using that to target to specific people. 

[WkdPaul]

5 minutes ago, zeusthemoose said:

That was something that a lot of the youtubers brought up. They were saying they wished that google required it. Why they didn’t turn it on themselves then? I don’t know.

WTF type of mentality is that ? Sound like they're blaming Google / Youtube. People shouldn't be told to secure their account properly, there are reasons why someone might need MFA disabled, but not having it enabled and then complaining it's not enabled by default?

 

 

5 minutes ago, zeusthemoose said:

I am all for MFA, but the downside is things like Twitter happens where advertisers are using that to target to specific people. 

Not aware of that specific issue, some Twitter ads are specifically targeting people with MFA ? That seems like a security risk (identifying who has MFA enabled, this also means you can identify users that have it disabled, and an API exploit might be possible).

[SpaceGhostC2C]

Do you know what's even better than MFA? Bitcoin! It's so great that I will send you DOUBLE the amount of bitcoin that you send me within the next two hours! That's right, it's free money for you, courtesy of the financial secret they don't want you to know about! Rich people hate this post!

 

 

 

PS: I totally haven't hacked this idiot's account.

[SpaceGhostC2C]

7 minutes ago, wkdpaul said:

Not aware of that specific issue, some Twitter ads are specifically targeting people with MFA ? That seems like a security risk (identifying who has MFA enabled, this also means you can identify users that have it disabled, and an API exploit might be possible).

I don't think they are targeting based on having MFA enabled, but in order to use MFA you have to provide additional information (for example, a phone number), and they are adding that information to your ad profile, which adds further ways to cross-reference your ad profile in one platform with profiles coming from other sources.

[BlueChinchillaEatingDorito]

I like how they say "high profle YouTube channels" without mentioning any examples. 

[WkdPaul]

1 minute ago, SpaceGhostC2C said:

I don't think they are targeting based on having MFA enabled, but in order to use MFA you have to provide additional information (for example, e phone number), and they are adding that information to your ad profile, which adds further ways to cross-reference your ad profile in one platform with profiles coming from other sources.

ah ok! that makes more sense!

 

Having a phone number on the account is necessary for MFA, but the phone number itself doesn't mean MFA is enabled!

[zeusthemoose]

9 minutes ago, wkdpaul said:

Not aware of that specific issue, some Twitter ads are specifically targeting people with MFA ? That seems like a security risk (identifying who has MFA enabled, this also means you can identify users that have it disabled, and an API exploit might be possible).

Twitter was giving advertisers access to emails and phone numbers added for MFA. They claimed it was an accident and said they stopped. They are currently being fined up to $250m for it.

 

5 minutes ago, BlueChinchillaEatingDorito said:

I like how they say "high profle YouTube channels" without mentioning any examples. 

I would have put channel names but I didn’t see any in the article and since the names and profile pics were changed, i couldn’t find them on YouTube. I believe they listed some of the creators names but not channels in the article.

[BlueChinchillaEatingDorito]

6 minutes ago, zeusthemoose said:

I would have put channel names but I didn’t see any in the article and since the names and profile pics were changed, i couldn’t find them on YouTube. I believe they listed some of the creators names but not channels in the article.

Just looked again and saw "Front Page Tech" as one of the victims. Haven't heard of that one. And Business Insider mentioned something about a Croatian gaming channel? Again, no clue. 

[DeScruff]

Okay couple of obvious question needs to be asked...

1. Is this a copycat of the Twitter hack
2. Who would fall for this after hearing about the twitter hack. - That shiz has been in the news a LOT (I mean my local newspaper has had an article about it at least once a day every single day for the past week.

[zeusthemoose]

9 minutes ago, DeScruff said:

Is this a copycat of the Twitter hack

Same idea but this has been going on since before the twitter hack 

 

10 minutes ago, DeScruff said:

1. Who would fall for this after hearing about the twitter hack. - That shiz has been in the news a LOT (I mean my local newspaper has had an article about it at least once a day every single day for the past week.

Luckily not many. It’s been happening for a while and they’ve only made around 4K usd.

[cj09beira]

this to me sounds more like a continuation of the twitter attack, and seems to be made to reduce trust in the internet, and generally create chaos.

probably china backed

[Guest willies leg]

Send me bitcoinz and I will send youz double!

Bitcoin account #e89398j83jdfn38dhr.org.bat.sys

Do it now before it's too late!

 

 

[akio123008]

1 hour ago, wkdpaul said:

Having a phone number on the account is necessary for MFA, but the phone number itself doesn't mean MFA is enabled!

Not sure about YouTube, but MFA can work offline too (eg Google authenitcator). That's actually considered more secure than text message based systems.

[Shreyas1]

Hmm I saw something like this a few weeks ago on youtube. No idea it was still going on

57 minutes ago, cj09beira said:

this to me sounds more like a continuation of the twitter attack, and seems to be made to reduce trust in the internet, and generally create chaos.

probably china backed

Wasn't that attack done by a 17 year old in florida?

[soldier_ph]

2 minutes ago, Shreyas1 said:

Wasn't that attack done by a 17 year old in florida?

The Twitter hack was led by the 17 year old from florida, yes.

[Bombastinator]

7 hours ago, wkdpaul said:

Not trying to victim shame here, but MFA should ALWAYS be used (I know there are ways around it), this is reminiscent of the Ring Alarm "hacks" that happened a while ago.

 

I know it's not fun to hear, but using the same password for many, or all, accounts and not using MFA is the best way to get you shit hacked. There are leaks happening every month or so, and getting the password you're using everywhere exposed is a sure way to give nefarious people access to your whole digital life.

 

So, a small PSA ;

• Use hard to crack passwords (not shit like 3Rdxzse6*, those randomized numbers are easier for brute force attack to crack, use a sentence that makes sense to you ; HeBeDroppinThings24-7 (exemple of a LTT forum password  ... please DON'T use it! ),
• Enable MFA everywhere it's available !!!! (for the LTT forum, it's OVER HERE ),
• Make sure to save your backup codes somewhere safe (you'll usually get backup codes in case your MFA becomes unavailable for some reason),
• Use password managers if you need (though, while I use LastPass, I recommend another that I also use ; KeyPass, it's offline, so less chance of another leak),
• Do not reuse passwords, yes it's easier and convenient, but even with MFA enabled, this is one of the ways people can get into your accounts,
• And for your main email account ; make it the most secure account, as much as possible! Because if they get into your email, you're done, they can reset your passwords and get into all your other accounts,
• If you're in the USA, use privacy.com, it's a way to get temporary CC numbers, so in case one of your shopping account gets hacked, the damage is reduced, for people outside of the USA, see if your CC company or your bank offer a similar service, I heard some do (in Canada, Koho offers such a service).

 

These might sound logical and obvious, but you wouldn't believe the amount of people that use super easy passwords for ALL their accounts (123456789, or WelComE!, etc... seriously, look at the data ; https://www.wtoc.com/2020/05/07/national-password-day-how-make-your-accounts-safer/ )

What does the Museum of Fine Arts have to do with this?