Over the past few days, a massive wave of account hijacks has hit YouTube users, and especially creators in the auto-tuning and car review community, a ZDNet investigation discovered following a tip from one of their readers.
But the YouTube car community wasn't the only one targeted. Other YouTube creators also reported having their accounts hijacked last week, and especially over the weekend, with tens of complaints flooding Twitter.
COORDINATED CAMPAIGN BYPASSED 2FA
The account hacks are the result of a coordinated campaign that consisted of messages luring users to phishing sites, where hackers logged account credentials.
According to a channel owner who managed to recover their account before this article's publication and received additional information from YouTube's staff, we got some insight into how the full attack chain might have gone down.
- Hackers use phishing emails to lure victims on fake Google login pages, where they collect users' account credentials
- Hackers break into Google accounts
- Hackers re-assign popular channels to new owners
- Hackers change the channel's vanity URL, giving the original account owner and his followers the impression that their account had been deleted
ZDNet reported that hackers were capable of bypassing two-factor authentication on users' accounts. He suggested that hackers might have used Modlishka, a reverse proxy-based phishing toolkit that can also intercept 2FA SMS codes.
However, this is only hearsay, and there is no actual evidence to confirm that hackers used Modlishka specifically. There are plenty of reverse proxy-based phishing toolkits around that can do the same. The full story is at ZDNet: