Linus Tech Tips is one of the most popular YouTube tech channels. So, the news that got hacked wasn’t something that could go unnoticed. For a short period, three channels of Linus Media Group were under the attackers’ umbrella. LTT, Techquickie, and Techlinked were renamed to Tesla and streamed fraudulent crypto content. Elon Musk was the host, but it wasn’t under his permission, of course. The attackers used his name and Tesla’s to make their fraud more appealing to the unsuspected users. With more than 20 million users combined database, a famous brand, and an entrepreneur, the scam could be quite a success.
All of these went live until YouTube and Linus himself took action. Being a successful channel is always a great advantage. Other channels or even ordinary users never managed to regain their accounts; if they did, they had a hard time. And it was time-consuming. The fact that Linus managed to take back his channel was welcoming news but proved that things for the popular platform should change. Sometimes might change for the worst, but most of the time, it changes for the best. And the second option is what we need.
What Linus stated
The Canadian Youtuber, shortly after claiming his channels back, posted a related video. We should point out that YouTube suspended the Linus Tech Tips channel because it was reported for violating community guidelines under the attack. The other two channels continued streaming the fraudulent content until they were claimed back from their legitimate owner. According to Linus Sebastian, his channels were breached by a typical scam, which also affected many YouTube channels.
A simple e-mail that seemed legit was received (it was presented like a business offer which is typical for such popular channels). After some e-mail exchanges, the attackers attached a malicious file that appeared to be an ordinary .pdf. Unfortunately, one member of his staff carelessly clicked on the file, which seemed corrupted, and the rest was history. Their antimalware protection didn’t report anything back, but the damage was done. After a while, his lifetime work was under the hackers’ ownership. Two-factor authentication and all their protective measurements weren’t enough. This happened because the malicious file targeted the session token, cookies, passwords, etc., that were locally or browser stored. Until figuring out what had happened, hackers went online.
After a long night and day, with the YouTube team and community support, LMG claimed back his channels. He thanked the YouTube team and his audience for their love and support. He also took the blame for his member’s actions because it wasn’t entirely his fault. Being a successful channel means that you receive a vast amount of e-mails. So, it is easy to fall for a scam if you are not careful enough.
Moreover, it shows no one is 100% safe, and secondly, training is essential. It also revealed that YouTube should take action in order not this kind of incident to occur in the future. Linus himself offered some suggestions that might be handy. So, we hope for the best.
The malicious file
According to The PC Security Channel, the file responsible for the breach was a redline infostealer. This is a proprietary malicious file that is sold in fraud markets. It is usually attached as an ordinary .pdf file. If it is sent by e-mail, we should check the address to be legit. But this might be difficult, especially for big companies, which receive tons of e-mails. Third-party vendors might handle many companies’ partnerships, so it is not unusual to receive a legit e-mail that isn’t from the actual company’s address. That makes things even more difficult. Moreover, the file is usually too large, making it even harder to scan by antimalware or online scanners like VirusTotal.
The hackers fill the file with zeros to enlarge it. If you delete the useless zeros, then the file is way less. The malicious code is less than 300 kb. If you scan its actual size, you might find it malicious. In addition, if you look for the file’s properties, you might notice that it isn’t a .pdf file but another kind like .scr, which should be alarming. SCR files (.scr) are usually for screensavers, but when a file appears to be something else than it should be, you need to be cautious.
When the victim executes the file, nothing seems to happen. But in the background is harvesting all your locally stored info and browser’s activity. Then, taking advantage of your session ID/token, your accounts are under the hackers’ control or even remotely controlled. And this is how many YouTubers fall for this scam. Two-factor authentication and other prevention mechanisms are not enough. No one is 100% safe, and hackers/scammers continually try to find new ways. We must be cautious; new means of protection or hardening existing ones is more than advised. The Internet is a wild jungle and might be dangerous for anyone.
The LTT hack revealed that being a Cyber-Attack victim is not tricky. Even the “strongest” might fall. We need to be cautious and hope that companies like YouTube advance their defense mechanisms so that their users can be protected in the best possible way and, at the same time, find ways for being easier to take back your account’s control. Sometimes losing access to your account because of unnecessary sec features is way riskier than getting hacked. So, we hope for the best. Stay in the know, and stay safe.