SecureMac, Inc.

Checklist 194: YouTube Hijacking Bitcoin Blues with Stephen Warwick

August 14, 2020

This week, The Checklist takes you inside yet another high-profile Bitcoin scam, this time affecting YouTube. We’ll talk about what happened, and then discuss the technical details of the compromise.

Behind the scenes of the YouTube hack

Over the past several weeks, multiple high-profile YouTube channels have been taken over by bad guys and used to scam bitcoin from unsuspecting viewers.

Several well-known YouTube creators fell victim to the attack, including Jon Prosser of the Apple-focused FrontPageTech channel; Craig Groshek of the popular horror-themed channel Chilling Tales for Dark Nights; Jordan (PapaFearRaiser) Antle, and Aamir of itsAamir. Once they’d taken over the accounts, the hackers rebranded the channels’ front pages, made most of the original video content private, and started a scam live stream in an attempt to convince viewers to send them bitcoin.

Stephen Warwick has researched the incident extensively, and has spoken to some of the YouTube content creators who were affected by it. He wrote a recent article for iMore detailing the compromise, and joined us on The Checklist to tell us more.

The big question on everyone’s mind has been how, exactly, this could have happened. Warwick says that after some initial investigation, it started to look more and more as though there had been some sort of malware-based attack:

SW: When it all started, Jon Prosser thought his two-factor authentication had been bypassed, and that was how his channel had been compromised. A lot of people were saying, “Oh, this is a SIM swapping attack; this is the problem with 2FA and SMS”. 

So imagine my surprise when the first YouTuber I spoke to told me, “Yeah, I got this sponsorship email; they asked me to plug some software, so I downloaded the software and all of a sudden I got an error message and that’s when I knew something was wrong”. And the other two told really similar stories about how they’d been contacted about possible sponsorship deals. This, by the way, is very common for YouTubers; they get these sorts of emails all the time — both real and fake — from companies who want them to promote their software, or their hardware, or accessories, on their channels. They’ll pay to have that exposure.

All three of these YouTubers got emails referring to real companies, real software, but obviously the person sending out the messages was a scammer. Both Jordan and Aamir spoke to the guys over email — and Aamir actually got in touch over WhatsApp as well — and they got the software download link, but when they tried to open the file (I believe it was a WinRAR file), all they got was an error message. Jordan said that as soon as he saw the error message, he knew something was wrong — and within less than an hour his account had been totally hijacked. With Aamir, it took around a day before he realized something was happening, but there’s a good chance that it started earlier than that. 

Craig Groshek from Chilling Tales was also in touch with the bad guys over email, but when they sent him the download link he thought it seemed suspicious, so he didn’t click on it or download the software. But he said he did notice a screenshot on one of the emails, and wondered if that could have been enough to execute the malware. Now, this is possible — it’s called a drive-by attack — so in Craig’s case, he might not have needed to read the email in order for the malware to infect his computer.

It’s still unclear who was behind the incident, says Warwick, but he notes that the nature and execution of the attack may offer some clues:

SW: I think the only thing you could say is that given the similar modus operandi — the way the software email was used as bait; the way the channels were hijacked; the names of the channels and the videos that were displayed — it feels like it would be the same group of people. It also seems like a pretty sophisticated operation: the way they were so easily able to take control of a channel, and change the name, and privatize all of the videos, and remove all the photos, and change the bio, and start up a live stream, in Jordan’s case all in less than 60 minutes. That’s definitely a slick operation! I’d be surprised if it was just one or two people. But at this stage, I certainly don’t think there’s any way of knowing who might be responsible. And no one has taken responsibility for it yet, as far as I can tell.

In terms of evaluating the fallout from the attack, we know that both content creators and viewers have been affected. And while it’s difficult to say exactly how successful the hackers’ scheme was, a report from one of the affected channels indicates that the total financial loss could be substantial: 

SW: Jon Prosser said that the live stream on his channel had earned $4,000 in bitcoin, meaning cryptocurrency that was sent to that Bitcoin address — and obviously that’s just one channel, there were lots of other channels that were compromised. So if you multiply that across all the channels that were compromised, you could be potentially looking at tens of thousands of dollars. And so the victims of this are not just the YouTube creators who have lost their channels or ad revenue. There are also real subscriber victims who saw these videos on channels that they follow and thought “This might be a chance for me to make some extra money”, and gave actual bitcoin away to people — money that, I assume, we’ll never see again.

Checklist listeners may recall another account takeover and Bitcoin scam incident that just recently affected Twitter. But while Warwick says that the two attacks clearly have some things in common, he notes that there is one clear difference as well.

SW: There’s definitely a lot of similarities between the two incidents. Twitter and YouTube are both really big platforms with extensive reach, and the accounts that were compromised were really high profile. Another big key similarity is the Bitcoin scam: On Twitter the hackers said “Hey, send us bitcoin and we’ll double your bitcoin; we’ll send you more bitcoin back”, and it was exactly the same on YouTube: “Here’s a Bitcoin address, send us bitcoin, the more you send us, the more your return”.

But the big difference was the response. Twitter, within just a few hours of the accounts being compromised, had disabled just about every verified account on the platform and were basically like “we’re just going to stop tweeting until we figure out what’s going on”. Whereas with YouTube, it was just one huge debacle for all of the creators involved, in terms of trying to establish what had happened, getting the live streams taken down, getting access to accounts restored, and cleaning up the mess afterwards.

As Warwick says, YouTube’s response to the cyberattack was, to put it mildly, less than stellar. In particular, the creators who fell victim to the attack found themselves unable to get help from YouTube support — even after they reached out and told YouTube what was happening.

SW: All of the guys I spoke to ended up with community violation strikes on their channels for these live streams, even though — obviously — it wasn’t them.

They all got this strike, which comes with a 7-day upload ban: You can’t post videos during that time. After about 4 days, Jordan tried to appeal his strike, and YouTube just automatically dismissed his appeal — and they also reset the 7-day ban so he had to wait a total of 11 days, which was just crazy to me. I know he was really upset about that. It wasn’t until about two days ago that he was able to upload again.

Unfortunately, it seems that YouTube’s lackluster mitigation efforts are still ongoing: As of the recording of this podcast, some of the affected content creators are still having issues with their channels. And in one especially bemusing case, YouTube actually emailed Craig Groshek — after he had already regained control of his compromised account — to thank him for reaching out…and also to inform him that, as a safety precaution, his AdSense account had been frozen and his videos and live streams would be hidden in the platform’s search and discovery features.

YouTube’s response to the incident may strike the casual observer as surprisingly inept, and raises questions about whether or not the platform actually knows how to handle situations like this. We asked Warwick if he thought this was a fair assessment, or if we were being unnecessarily harsh:

SW: I don’t think it’s harsh at all. Certainly you can give some leeway; you can understand how this is not a “regular day” at YouTube; how they might have, like Twitter, maybe struggled to get to grips with what was going on initially. 

But some of the stuff they’ve done since then has just seemed so…negligent.  

All the creators were frustrated with the pace at which they thought YouTube was dealing with the crisis. Take Aamir, for example, who reached out to YouTube for help. Now what they do, if your channel is compromised, is they give you a link to a form you can fill in to say what’s happened, and then they’ll pass your information on to the security team and try to get things sorted out. But the link is specially generated; it’s a link that only you can use, it’s not like a form you can just find on the Internet. So they said to Aamir: “OK, you’ve got 72 hours to fill out this form” — but they didn’t provide a link to the form! So he was just in the dark for 3 days. 

Then there’s the community violation strikes. If a creator says that their channel has been compromised, and you’ve given them a strike and prevented them from uploading because of content that hackers have put on their channel, well, that seems like something an algorithm would do, not a person. But then for YouTube to automatically reject the appeal from the creator — who they must know is currently engaging with them to say “My channel has been compromised, please will you help me; and also I’ve got this strike, please could you help me get it removed” — for that appeal to just get automatically rejected? It seems crazy.

There’s also the fact that these scam live streams were being promoted on people’s homepages. I went to the YouTube app and like the first video I saw was a promoted Bitcoin live stream — which just seems absurd to me.

So yes, while you can understand how at the beginning, it would be hard to react to that sort of thing in the moment, you’ve got to ask the question of why YouTube didn’t make a better job of this. Especially when, as in Craig’s case, you have YouTube finally turning up and disabling his channel when there’s no longer any clear and present danger. 

So no, I don’t think it’s harsh at all. I think YouTube really dropped the ball with this. And all of the YouTubers were of one voice in saying that they really feel let down by YouTube.

Hopefully, Groshek and others who were impacted by the attack (and YouTube’s response to it) will soon be able to put this unpleasantness behind them. But while the worst effects of the incident should soon be in the past, Warwick thinks that the YouTube security breach leaves us with some important takeaways, both for everyday computer users, and also for content creators who work with YouTube.

SW: One big takeaway is that no one is safe. These creators are all tech savvy guys, running their own YouTube channels, who have still fallen for these emails. Literally just a few minutes ago I got a fake email — supposedly “from PayPal” — that said that my account had been frozen. But you do have to look at that email, because what if it is actually from PayPal? And it’s the same with these creators: These are not insignificant amounts of money being offered to them to plug this software. So I think it just goes to show that no matter how careful you are, in the end, anyone can fall victim to this sort of thing. 

And probably the biggest takeaway is that, on the whole, these YouTube creators really, really feel let down by YouTube: They feel like YouTube doesn’t care about them, essentially. One of them said something like, “Oh, YouTube doesn’t care unless you’re a really major channel; or if you’re part of a multi-channel network and you’ve got someone who can mediate between you and YouTube. But otherwise, you don’t really have any hope of getting help when you need it”. And I think that if YouTube doesn’t fix this, it risks losing some of its best creators. I know Craig, for example, explicitly said his faith in YouTube has been so shaken over the past few days and weeks that he plans to leave within the next year. I would imagine that others will follow suit if they think that there’s another place they can go share their content where there will be better support, and where they will be taken care of. I think there’s every chance that more will jump ship in future.

The Checklist would like to thank Stephen Warwick for taking the time to speak with us. If you’d like to learn more about Stephen and his work, please follow him on Twitter.

Postmortem: Technical analysis of the YouTube hack

While there are still lots of unanswered questions about the YouTube incident, some of the evidence and firsthand reports can help us make some educated guesses about what went down.

At this point, it’s probably safe to say that the hack didn’t have anything to do with SIM swapping or with 2FA. A simpler explanation would be that it was the result of a targeted Trojan Horse malware attack. 

Because this attack was aimed at a very specific group of targets (namely, YouTube content creators), the bad guys would have known that they didn’t have to worry about 2FA at all, since all of their victims would be logged in and working on their home computers. If they could hack those systems directly, then they would be able to execute the rest of their plan without raising red flags at YouTube, since all of their account change requests would be coming from a previously trusted system.

For this reason, it seems probable that the hackers used social engineering to trick their targets into downloading and running malware on their computers, at which point they were able to gain remote access to the systems and begin taking over the YouTube accounts. 

This underscores the importance of staying vigilant — and of never clicking on links or downloading software from unknown senders (or even ones you’ve been in touch with over email, unless you trust them completely).

However, as you’ll recall, one of the victims of the YouTube hack said that he hadn’t clicked on any link, or downloaded any software, and that the malware had nevertheless executed on his system — all without any interaction on his part. So how can this be explained?

It’s difficult to say without knowing a bit more about his situation — and of course, there’s always the possibility that he simply did click on the link and either doesn’t remember doing it, or isn’t comfortable saying so publicly. But there is also another possibility, one which Stephen Warwick already alluded to. Drive-by downloads can occur when an operating system has an unpatched vulnerability (such vulnerabilities occur on both Windows and macOS). If this individual was running an older version of his OS, and hadn’t run his security updates for a while, that could have left him open to a malware infection that didn’t require any interaction on his part.

This is, of course, why we always recommend that you keep on top of your updates, and that you enable automatic updates for your apps and OSes. It’s also why we recommend using a regularly updated anti-malware tool on your computer, which can help to prevent attacks like this from happening.

As for YouTube’s response, it just goes to show that the average user is often on their own, and for this reason needs to take responsibility for their digital security and privacy — because in many cases, no one else will! 

We won’t leave you on your own though, which is why we invite you to send us your security questions for us to answer either by email or on a future edition of The Checklist. It’s also why we make every past episode of the podcast available in our archives (along with full show notes), so you can continue to learn how to keep yourself secure while you’re waiting for next week’s show!
