YouTubers fell for shady 'sponsors' who seized, then sold, accounts

After years of complaints from YouTubers, Google has pinpointed the root cause of a series of account hijackings: software sponsorship deals that delivered malware. Google forums have for years witnessed pleas for help to regain control of stolen YouTube accounts, despite the owners using multi-factor authentication. Impacted …

  1. Natalie Gritpants Jr

    15,000 influencer accounts hijacked

    Surely that's a positive outcome?

    1. Snake Silver badge

      Re: 15,000 influencer accounts hijacked

      LOL. But oh, look!, systems that included everything from email, to encryption, to 2FA, compromised!! Who could have possibly BELIEVED this was possible, considering how "secure" we can make [anything we want to on] the web!!

      (referencing other discussion regarding email "security")

    2. Anonymous Coward
      Paris Hilton

      Re: 15,000 influencer accounts hijacked

      IMHO, influencers are clueless and those influenced are idiots.

      If their ego trips were detoured, I can't say I care.

      1. Robert Helpmann??
        Childcatcher

        Re: 15,000 influencer accounts hijacked

        Unfortunately, being famous for being famous is nothing new. I am frankly amazed that it took so long before it became such a widespread business model.

    3. Dave559 Silver badge

      Re: 15,000 influencer accounts hijacked

      Greedy parasites attacked by greedy parasites. Yes, how my heart bleeds for the poor ickle wickle vacuous so-called "influencers".

      I guess this should teach them to beware of sleekit people loudly pushing messages that any sensible person would see through as probably being too good to be true. How sad, hoist by their own petard.

  2. ComputerSays_noAbsolutelyNo Silver badge
    Paris Hilton

    What's the business model?

    To me, popular YouTuber-Accounts are like good old magazines.

    You're interested in StarWars, watch my StarWars-Channel.

    You're interested in general politics, hear me ramble.

    So, if any of this more or less topic-specific channel starts to tout something completely unrelated, i.e. Crapto, why would I fall for it?

    I mean, that's the equivalent of a machine gun company starting to advertise in Mom&Prams Weekly.

    1. Kevin Johnston
      Joke

      Re: What's the business model?

      Does your stroller not have integrated minigun pods to protect your little darlings from the nasty world? Why will you not think of the children and the greater good?

    2. Mikehhh

      Re: What's the business model?

      Videos on channels with larger audiences are more likely to be suggested to new people, so even if they hook a few people by doing it then it's probably worth it to the scammers.

  3. Jimmy2Cows Silver badge

    Most of the malware was readily available on Github

    Why is Github allowing this? I appreciate it's probably whack-a-mole, but are they even trying to not host this stuff?

    1. Kane

      Re: Most of the malware was readily available on Github

      "Why is Github allowing this? I appreciate it's probably whack-a-mole, but are they even trying to not host this stuff?"

      Think of it from an InfoSec perspective; if everyone can see the source code for the malware it opens up development opportunities for more people to be able to defend themselves (and others) from said malware. Security through obscurity means less people have eyes on the action.

      There is an argument that shielding the masses from this information offers greater protection, but the counter argument is that having more "open" channels of analysis means that threat response times can be quicker when, not if, these attacks take place.

  4. llaryllama

    not just "influencers"

    My favorite violinist Antal Zalai lost his channel and all of his videos to crypto scammers recently. I'm pretty sure no fake sponsorships were involved, just a regular phishing or cracking attack. When I searched backwards from the crypto peddlers' business names I found thousands of mid-sized channels in the same boat. WTF YouTube?

    1. lglethal Silver badge
      Go

      Re: not just "influencers"

      I guess your violinist doesn't generate enough ad revenue for Google for them to consider them an "influencer" and someone "worthy" of protection/getting their account back.

      As for going after the crypto peddlers, Google doesn't go after them until they've amassed a large enough amount of money, so that Google can then decide they were bad'uns and kick them out, and simply pocket the ad revenue rather than paying out.

      Or at least that's the only explanation I can come up with, since it should be trivial to do a simple reverse search of whatever crap is being spewed from a compromised/stolen account, and ban all of it. But then maybe that's just too difficult for Google's super duper amazing algorithms...

      1. elsergiovolador Silver badge

        Re: not just "influencers"

        I guess your violinist doesn't generate enough ad revenue

        That's a bit of a simplistic view. Google is in control of what ads and when are showing, so it might as well be that they just don't like violinists (although I am not following what the latest trends are in terms of who gets cancelled and if violins are still politically correct) and they don't show enough ads.

      2. Anonymous Coward

        Re: not just "influencers"

        I can assure you that ALL three youtube support specialists are doing their UTMOST to fight this menace!

    2. Jimmy2Cows Silver badge

      Re: WTF YouTube

      YT doesn't actually care. Income is income, whether from ads on legit channels or hijacked channels.

      Google will only really sit up and take notice when enough people jump ship because of these problems. It'd have to be enough users to seriously dent YT revenue, so short of a huge awareness campaign and mass exodus, it seems likely things will stay the same.

      1. Loyal Commenter Silver badge

        Re: WTF YouTube

        The thing more likely to make people jump ship is the recent trend on YT to show more and more ads, not only before, but in the middle of videos, and to try and tout their ad-free paid-for version.

        Along with a group of friends, since the beginning of the pandemic, we have been regularly watching bad films together on YT (there are a lot of films that are either too bad to bother with copyright, or which are out of copyright on there), using discord to chat along. It has become more and more frustrating to keep everyone in synch with the number of ads that YT is now spouting. Some films are worse than others for this.

        1. TeaLeaf

          Re: WTF YouTube

          Ghostery works well for me at suppressing the ads.

          1. Loyal Commenter Silver badge

            Re: WTF YouTube

            I'm not sure that runs so well on the embedded YT app on my Vermin Media box...

        2. HereIAmJH

          Re: WTF YouTube

          YouTube has ads?

  5. jollyboyspecial Silver badge

    Too good to be true?

    In the modern world it seems people want to be protected from being idiots. What's worrying is that they are supported in this.

    It looks like these people got phished by an offer that was too good to be true. Or to put it another way they let their greed trump their common sense (if they had any in the first place).

    Once upon a time if somebody got scammed with the pig in a poke (which is exactly what these scams are) they were told "more fool you" and that was pretty much that. These days apparently the likes of Google are supposed to protect them against their own idiocy.

    1. Anonymous Coward

      Re: Too good to be true?

      The bigger problem is protecting idiots from their own stupidity is a futile task, because if you come up with an idiot-proof computer system, they'll just hire a bigger idiot to use it.

    2. HereIAmJH

      Re: Too good to be true?

      The part that caught my attention is that you can apparently bypass 2FA by stealing a cookie.

      1. fxkeh

        Re: Too good to be true?

        That's just how cookie-based auth works. You authenticate (with 2FA) and then a signed token is stored in a session cookie; the token will be valid for x amount of time. The next time you navigate to a different url on the same site (or make an XHR request) the cookie is sent in the request by the browser so you don't have to auth again. (Otherwise you'd have to log in every time you went to a different page, or did anything that triggered a request).

        There are alternatives to cookie-based tokens, e.g. appending the token as a &token=xxx parameter on each url, but it's generally considered worse because users can inadvertently share that url with the whole internet and expose their account that way.

        1. jtaylor

          Re: Too good to be true?

          I assumed that a browser "session" had certain immutable elements like the source and destination hosts. (I use "hosts" somewhat loosely. I know about server-side load balancing.)

          How could Joe steal a session cookie from Betty in Manchester and then use that to auth from his home in Elbonia?

          1. fxkeh

            Re: Too good to be true?

            You could store other stuff in the cookie/serverside but it tends to come with user convenience drawbacks - an IP address often doesn't stay the same over the lifespan of the token (e.g. 30 days) so you'd be forcing them to log in more; storing location only works if they don't move around too much. Genuinely persistent identifiers that could be stored to stop a cookie from being used in a different machine are a privacy problem exactly because they're persistent and get used for advertising tracking. Maybe some of those drawbacks are a worthwhile trade off for high value accounts though.

          2. Matthew Brasier

            Re: Too good to be true?

            HTTP (not HTTPS) is a stateless protocol, the server has no way of knowing that a request relates to a previous request other than if the browser sends some data (which is the cookie) to alert the server to the fact that you have communicated before. There is no reliable way for the server to see the real IP address of the client because any kind of load balancer or HTTP proxy will mean that the "source" of the HTTP connection is the LB or proxy. There is a workaround to put the source IP address in as a header, but that can be faked as easily as the cookie.

            With HTTPS it gets a bit easier for the server. HTTPS has the concept of a session (the duration for which the session keys negotiated are valid) and because only the originating server should know about the session key the server can be fairly sure that the client is the one that originally logged in. The HTTP session (unless you are using client auth) doesn't know anything about who you logged in as though, because the HTTPS session is established before you log in. Most modern HTTP servers will connect the HTTP session cookie with the HTTPS connection, which makes it a lot easier for the server to ensure the session is aligned to only one (HTTPS) connection, but this functionality can break in some scenarios (such as if you want to allow a user to log in using FORM authentication if client-cert authentication failed), or when using certain SSO providers.

            TLDR; Because plain HTTP is stateless, it's easy to steal HTTP session cookies, HTTPS can sometimes make this easier because you can tie the HTTP Session cookie to an HTTPS session.
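
The cookie scheme fxkeh describes above, with the context binding debated in the replies, as an added example that is not part of the original thread. The signing key, claim names and the `bind`/`context` parameters are hypothetical, and the IP addresses and timestamp are constructed.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # hypothetical server-side signing key

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def _ctx_hash(context: str) -> str:
    return hashlib.sha256(context.encode()).hexdigest()

def issue_cookie(user, now, ttl=30 * 86400, bind=None):
    """Run once, after password + 2FA succeed; returns the cookie value."""
    claims = {"user": user, "exp": now + ttl}
    if bind is not None:  # optional binding to client context, e.g. an IP
        claims["bind"] = _ctx_hash(bind)
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return payload.decode() + "." + _sign(payload).decode()

def verify_cookie(cookie, now, context=""):
    """Run on every later request; returns the user name or None."""
    payload, _, sig = cookie.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(payload.encode())):
        return None  # forged or altered token
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now >= claims["exp"]:
        return None  # token lifetime is over, user must log in again
    if "bind" in claims and not hmac.compare_digest(claims["bind"], _ctx_hash(context)):
        return None  # presented from a different context than it was issued to
    return claims["user"]  # note: 2FA is not consulted here at all

def demo():
    t0 = 1_700_000_000  # constructed timestamp and documentation-range IPs
    plain = issue_cookie("betty", t0)
    bound = issue_cookie("betty", t0, bind="203.0.113.7")
    return {
        "plain, same machine": verify_cookie(plain, t0 + 60, "203.0.113.7"),
        "plain, copied elsewhere": verify_cookie(plain, t0 + 60, "198.51.100.9"),
        "bound, copied elsewhere": verify_cookie(bound, t0 + 60, "198.51.100.9"),
        "bound, owner on new IP": verify_cookie(bound, t0 + 60, "203.0.113.99"),
        "plain, after 31 days": verify_cookie(plain, t0 + 31 * 86400),
    }

if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:26} -> {user}")
```

The second and fourth cases are the two sides of the trade-off: an unbound token is accepted wherever it is presented, while a bound one also rejects its owner after a change of address.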

  6. steviebuk Silver badge

    Lots I suspect

    "Nor does the ad giant discuss whether or not it made any money when channel owners lost access and the crooks took over."

    Lots I suspect. Just like it does with all the scam adverts that appear, before, during or after a video. The ones for fake products or services. I've finally found the option to report these. I know it's on the mobile app and PC, not sure about TV app. Seeing so many of them, surely they have a team that could remove these instead of leaving it up to the viewer to have to constantly pissing report. It's under the "Why am I seeing this advert" option.

    It's shocking how many of these exist. Knowing they'll have paid for the time and Google makes money whether it's a scam or not. I'm pretty sure Google never returns any of the money it makes from these adverts, so for them it's a win win. Having looked into this before they also constantly blame AdSense for the problem, ignoring the fact they fucking own AdSense.

    The whole reporting system is a mess. I've mentioned before about the copyright strike I got hit with (now finally removed) by a bogus report. Then I spot the other day, whole channels by the traveller community threatening violence to other travellers and some of their channels just showing the fights they have. Both breaking the T&C of YouTube yet those accounts still exist. I went on a reporting spree but I bet if I check in a month's time, those accounts will still exist, along with the videos and the adverts that are on them. Google's AI will seemingly ignore them while they still make lots of money from the adverts until it becomes big news and you get another ad-apocalypse.

    It seems to be the only time when Google/YouTube take action is when they themselves are in danger of losing money when advertisers pull out of the platform.

  7. Winkypop Silver badge
    Coat

    Crypto Scam

    Isn’t that a tautology?
