Several prominent YouTube channels in India have now been restored after they were taken over by hackers in a span of 24 hours to spread a Tesla scam.
The official YouTube account of news outlet Mojo Story was compromised on Sunday, 4 June, according to a tweet by its founding editor Barkha Dutt. Dutt further claimed that Mojo Story's email has also been breached.
The other YouTube account that has reportedly been compromised belongs to content creator and comedian Tanmay Bhat. Stand-up comedian Aishwarya Mohanraj and YouTuber Abdu Rozik were also reportedly hacked.
Bhat, whose YouTube channel has amassed over 4.42 million subscribers, alleged that two-factor authentication was bypassed. Additionally, Mojo Story's Barkha Dutt criticised YouTube for not acting fast enough in the wake of the incident.
- 01/03
A screenshot of Tanmay Bhat's compromised YouTube handle.
(Screenshot: YouTube)
- 02/03
A screenshot of Mojo Story's compromised YouTube handle.
(Screenshot: YouTube)
- 03/03
A screenshot of stand-up comedian Aishwarya Mohanraj's compromised YouTube handle.
(Screenshot: YouTube)
"I dont know how many times we urged @YouTube to freeze the platform so that the hackers could not alter it. But we kept being told "process of investigation has to be followed" - and now its gone," journalist Barkha Dutt had tweeted.
However, it is important to note that the YouTube accounts of Mojo Story, Tanmay Bhat, Aishwarya Mohanraj, and Abdu Rozik were restored a few days later, along with the video content, comments, and replies.
Zoom In
As seen in the screenshots above, hackers seem to have changed the usernames of targeted accounts to '@teslanewstar05', '@Tesla21392', and so on.
The profile and cover photos also appear to have been switched out for Tesla-related images.
This serves as an indication that the accounts were targeted by the same threat actor.
The two "livestreams" posted on Tanmay Bhat's hacked YouTube channel show Elon Musk talking about two models of Tesla vehicles.
All the content posted by the targetted channels seems to have been wiped.
But is the content lost for good?
"It depends whether the creators kept a back up of the videos and data. It also depends on YouTube’s policy of data retention. Some platforms keep a copy of the data while some don’t. Even when they store a copy of data, it is up to the police if the content can be retrieved or not," said Radhika Jhalani, a lawyer at Software Freedom Law Centre (SFLC).
Expand
A Pattern of YouTube Accounts Being Hacked
Given Elon Musk's online popularity, hackers have impersonated him in the past to perpetrate various types of scams. Even posing as a business account of Musk-owned Tesla isn't entirely new.
In March this year, Linus Sebastian of Linus Tech Tips fame was similarly attacked, according to a report by The Verge.
The hackers were up to the same mischief in Linus' case as well. All the videos were reportedly taken down, account details were altered, and clips of Musk talking about cryptocurrency were "live-streamed".
When asked about the intent behind targeting these YouTube channels, Jhalani said, "These seem to be popular channels hosting a variety of content. It can grab eye balls for sure and make news."
If you're thinking – where's the harm in watching Musk go on and on about crypto or Tesla cars, think again. The "live streams" being run by these hackers carry superimposed messages that aggressively nudge users to scan a QR code on the screen.
"Your life will change within minutes if you scan the QR code. That's not a joke," reads the tweet at the bottom of the "live stream", with a QR code at the top right corner. The chat section of the "live stream" also has a fake URL 'musk2x.net' pinned at the top.
Session Tokens: The Exploit?
How did hackers get unauthorised access to the YouTube channels? Is it possible to get around two-factor authentication? Yes, opined Jhalani, especially if multiple devices have been hacked.
"Think of it this way, most people use OTPs which come through SMSes for 2FA. If an SMS service, which is generally non-encrypted, gets hacked as many applications have the permissions to read your messages, then 2FA can be bypassed," she further added.
Hackers can also skip entering security credentials by getting their hands on session tokens, according to tech content creator Linus Sebastian.
"After you log in to your website and your credentials have been validated, that site will provide your web browser with a session token. This allows your browser, and by extension you, to stay logged in when you restart your browser or go to access that site again," he explained.
After investigating the attack against his own channels, Sebastian said, "Someone on our team downloaded what appeared to be a sponsorship offer from a potential partner" and launched a PDF.
This reportedly deployed the malware which allowed the hackers to copy and export browser data, including session tokens for every logged-in website.
Some Pointers To Secure Your Accounts
In 2021, the US' cyber defence agency (CISA) issued the following guidelines for social media account administrators:
Establish and maintain a social media policy
Implement credential management
Enforce multi-factor authentication (MFA)
Manage account privacy settings
Use trusted devices
Vet third-party vendors
Maintain situational awareness of cybersecurity threats
Establish an incident response plan
"Use an authenticator key and be paranoid. Know that if you are in the public eye, you are more likely to get attacked. Follow all security measures that you can think of. Consult an expert on those."Radhika Jhalani, Software Freedom Law Centre
What Can YouTube Do Going Forward?
A lot, apparently. "Platforms should invest far more than they are on user awareness and sensitisation. Teach people the basics of digital safety and hygiene. Understand that safety is also graded," Jhalani recommended.
She further suggested that safety policies should be implemented keeping in mind vulnerable groups.
Proposing solutions to tackle this specific brand of scams, Sebastian had suggested that YouTube require verification for certain suspicious actions such as changing usernames or mass deletion of videos.
In order to get more clarity, The Quint sent detailed queries via email to Google, Google India, as well as its grievance officer in India:
Why is it taking so long for YouTube to restore access even though they're verified accounts? Is this the standard procedure or was there an unusual delay for some reason?
Has YouTube identified the groups or individuals behind these attacks?
Are these hacks a result of a coordinated campaign? What is the country of origin of the said campaign?
Why are such attacks still rampant on the platform despite similar attacks having occurred in the past?
What measures have been taken to curtail such threats?
Were the YouTube videos on the compromised accounts deleted or just hidden? What is the path to retrieving the content?
Has YouTube detected any security flaws in its systems, specifically regarding its live stream feature?
What is the platform's policy to take down a live stream? Are users allowed to report them as spam/scam?
Could you shed more details about the account recovery process that has been set in place for users?
How does the recovery process differ from content creator to news organisation to average user?
Are hackers able to monetise the live streams that are hosted by the hijacked accounts?
In response to these queries, a YouTube spokesperson said, "We take account security very seriously and if a user believes their account has been compromised, they can notify our team to secure the account and regain control. We have dedicated teams that investigate if a user has reason to believe their account was compromised. We also have clear processes in place to educate users on how to secure one’s YouTube account."
(This report was updated on Wednesday, 7 June 2023, with YouTube's statement, and to reflect the fact that the hacked YouTube channels were restored.)
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)