According to a report by ZDNet, there’s an ongoing wave of account hijacks going on YouTube right now, and its focal point seems to be car reviewers and automotive journalists. The list of confirmed car community channels that have been hijacked includes Troy Sowers, Built, PURE Function, Musafir, and MaxtCheckVids. These channels were taken over and look like they’ve been deleted. The creators contacted YouTube, and the platform is currently trying to resolve the problem, but the channels are still not available. Some of the creators published a relevant post on Instagram like the one below, informing their followers about the hack.
However, the hijacks were not limited to car reviewing channels, as there have been multiple channel hack reports coming from all places. The problem for the creators and the primary weapon for the hackers was the fact that they were able to somehow bypass the two-factor-authentication step. According to channel owner reports, the hackers sent them messages that lured them to phishing sites, and there they were tricked into entering their YouTube credentials. The hackers then use these credentials to log in to Google accounts and re-assign the channels to new owners. They finally seal the deal by changing the channel’s “vanity URL”, making it seem like the account and channel have been deleted.
One of the victims suggested that the hackers may have used the Modlishka phishing toolkit, which is able to intercept 2FA SMS codes. While there is no evidence that points to Modlishka with certainty, bypassing of the 2FA has taken place in some way or another, so a reverse proxy-based toolkit was definitely used. Google has decided not to comment on this, and they are the only ones who know exactly how the hackers bypassed 2FA.
Now, the hackers are selling these YouTube accounts on OGUsers, and possibly elsewhere too. As one hacker told ZDNet, these accounts will have to be sold to a new owner quickly, as YouTube is most definitely going to return them back to their original owners. When this happens, the items that are for sale will become worthless, and so will the whole effort that went into stealing the creators’ accounts. As the hacker further comments, the fact that it is a specific theme of YouTube channels that are targeted indicates that someone accessed an email list with addresses from a particular sector.
Can you report any other channels that you follow, and that "went missing" over the weekend? Share the details with us in the comments down below, or on our socials, on Facebook and Twitter.