Stolen YouTube Credentials Growing In Popularity On Hacker Forums
Etay Maor, CSO at cyber-intelligence firm IntSights, explained that in recent weeks his team has noticed an uptick in demand for stolen credentials for prominent accounts on the video site.
While account access can be used to spread malware and launch fraud scams against viewers, it is also used to blackmail the account owner.
Users reporting account hijacking to YouTube often complain that they were tricked into downloading malicious software on their computers.
“They pretended to be sponsors for YouTube, once I tried to visit their website, a keylogger/spyware software was downloaded to my browser. They changed my password, removed my known devices, removed my recovery phone number, and e-mail within about 2 mins tops. They then tried to extort me to send them BTC or they would sell my channel” – extorted YouTube channel owner
The value of the lists offered is proportional to the subscriber count. For instance, the bidding for a channel with 200,000 subscribers starts at $1,000 with a step of $200.
One post advertised an auction of a log for 990,000 active YouTube channels that started at $1,500; anyone paying $2,500 got it without contest. The seller, like other actors, was looking to cash in fast for fear of victims reporting the mischief and reclaiming access to their accounts.
A set of 687 YouTube accounts, broken down by subscriber count, was available for a starting price of $400 and a $100 step. Anyone willing to pay $5,000 would get it on the spot.
“In the past, attackers used sophisticated phishing campaigns in combination with reverse proxy toolkits like Modlishka to defeat Google’s two-step verification. However, none of the current sellers mention 2FA, which may mean these accounts did not opt in for this additional security step,” concluded Maor.
“While 2FA is not a silver bullet against cyber-criminals, it is highly recommended to opt in to this additional security step, have a properly patched computer, understand the risks and types of phishing attacks and use a recovery phone number or email.”