Stream-jacking attacks have gained some traction this year. These attacks hijack streaming accounts on popular sites to impersonate known brands and push crypto-scams.
BitDefender published an analysis of one of the larger attacks on its blog this week. The security company discovered a large operation that hijacked more than 1100 streaming video channels.
The hijacked channels had a median view count of more than 200000 views and a median subscriber count of more than 2200. The largest hijacked channel had a subscriber count of 9.9 million. The three largest hijacked channels had view counts of more than 1 billion.
The attacker changed several of the channel names and handles to mimic official Tesla channels. Livestreams with official-sounding titles were then streamed to subscribers and others using old Tesla footage. The attacker displayed links to users to promote scams.
BitDefender writes:
Links propagated via hijacked YouTube channels promote a similar and well-known scam. The ruse involves sending any amount of cryptocurrency (Bitcoin, Ethereum, USDT, Dogecoin, BNB, Shiba Inu, etc.) and promises to send double the amount back to the scammed person. In rare cases, phishing links are written directly in the video.
BitDefender did not find any “old” videos of the channel, and the company suggests that these were either set to private or deleted entirely by the attacker.
How the attack starts
Most attacks start with targeted phishing emails. The attacker creates well-crafted emails that often look like business opportunities. These could include information about a sponsorship deal or another form of collaboration.
Another popular email type informs the channel owner about copyright notices, which are fake.
The attackers try to use emails and email addresses that look legitimate to the untrained eye. They mimic “communications from trusted third-party vendors” or use “email addresses that don’t raise immediate suspicion”, says BitDefender.
The goal of the attacker is to get the recipient of the email to download and execute a malicious file. Since security software may stop such files before the user downloads them, the file is often inflated in size to prevent scanning.
The malicious software scans the system for valuable information, including cookies and session tokens. These may allow the attacker to take over the channel without knowing the account password.
How to protect yourself against Stream-jacking attacks
Stream-jacking attacks start like any other phishing attack. It is therefore essential to be able to identify phishing attacks.
Here are the essentials:
- Emails that use non-personal greetings, e.g., without a name.
- Emails that include attachments, especially if the file format looks dubious, e.g., .exe or .scv.
- Emails from an address that imitates that of a legitimate company, but not fully. Examples include using a different country extension or a slightly wrong spelling of the company name in the email address.
Other factors include spelling or grammar mistakes, prompts to take urgent action or offers that sound too good to be true.
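The indicators listed above, together with the inflated attachment size mentioned earlier, can be checked mechanically before a message is opened. The following Python code is an added example, not code from BitDefender or from this article; the trusted-domain list, extension list, greeting pattern, thresholds and sample message are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email.message import EmailMessage
from email.utils import parseaddr

# All values below are assumptions for this example, not taken from the article.
TRUSTED_DOMAINS = {"example-sponsor.com"}   # senders you really work with
RISKY_EXTENSIONS = (".exe", ".scr", ".bat", ".js", ".lnk", ".iso")
GENERIC_GREETING = re.compile(
    r"^(dear\s+(user|creator|customer|partner|sir|madam)|(hello|hi|greetings))\s*[,!.]?\s*$",
    re.IGNORECASE)

def lookalike_of(domain, threshold=0.85):
    """Return the trusted domain that `domain` imitates 'but not fully', else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # High similarity without equality covers a swapped TLD or a small misspelling.
        if SequenceMatcher(None, domain, trusted).ratio() >= threshold:
            return trusted
    return None

def phishing_indicators(msg, max_attachment_bytes=20 * 1024 * 1024):
    """Return the list of indicators found in an EmailMessage."""
    hits = []
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    trusted = lookalike_of(domain)
    if trusted:
        hits.append(f"lookalike-sender:{domain}~{trusted}")
    body = msg.get_body(preferencelist=("plain",))
    lines = body.get_content().strip().splitlines() if body else []
    if lines and GENERIC_GREETING.match(lines[0].strip()):
        hits.append("generic-greeting")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        size = len(part.get_payload(decode=True) or b"")
        if name.endswith(RISKY_EXTENSIONS):
            hits.append(f"risky-attachment:{name}")
        if size > max_attachment_bytes:  # padded files may exceed scanner size limits
            hits.append(f"oversized-attachment:{name}")
    return hits

def sample_message():
    """Constructed sample: fake sponsorship offer with a padded executable."""
    m = EmailMessage()
    m["From"] = "Partnerships <deals@example-sponsor.co>"
    m.set_content("Dear creator,\nPlease review the attached contract today.\n")
    m.add_attachment(b"MZ" + b"\0" * 4096, maintype="application",
                     subtype="octet-stream", filename="contract.pdf.exe")
    return m
```

A message that returns an empty list is not proven safe; the checks only surface the warning signs named in the list so that the email gets a closer look.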
One of the best protections is to avoid interacting with the email directly. Never open attachments if the sender is not trusted or you aren’t expecting an email with an attachment.
A good starting point is to do some research using a search engine. Try to find out if a company is legitimate or if others have worked with it in the past already.
Sometimes, all it may take is to sign in to the account to check if an official notification is available. At other times, contacting a support representative of the streaming service may also help in the matter.