I contacted James Houghton, CEO at security awareness training platform Phishing Tackle, who says that this is an "extremely impressive and coordinated attack, potentially using man-in-the-middle or reverse-proxy based interception," for the real-time capture of two-factor authentication codes. This all sounds very high-tech and sophisticated, but "the vulnerability here is still the human," Houghton says, "this attack relies on an individual clicking and following a click before checking the basics." Houghton says that the problem primarily comes down to a "lack of knowledge surrounding what to look out for in a phishing email and conversely what to look for in a legitimate email."
These phishing emails are usually constructed well and "can look genuine at first glance, even to the trained eye," says Jake Moore, cybersecurity specialist at ESET. "Telltale signs such as the link shown in the body of the email or even questioning why you have been sent it in the first place should be enough to pause your actions," Moore says.
Then there's the cloned Google login page that the link would have landed on. The URL of this mirrored page wasn't "looked at with enough vigilance," says Houghton, as it would likely be obfuscated in some way and would not match the genuine Google account page. It used to be the case that a site served without HTTPS, and therefore without the green padlock or similar indicator in the browser address bar, would be enough to set alarm bells ringing. That is no longer true, since phishing sites now routinely obtain valid certificates, and "the removal of Extended Validation (EV) information in the address bar," Houghton says, makes it much harder to spot. A TLS certificate is no guarantee of legitimacy in any case; it means only that the connection between browser and website is encrypted and that the certificate was issued for that domain name, nothing more.
Despite 2FA apparently having been circumvented for at least some of these YouTube account attacks, Jake Moore says it's still essential that "every account you own should utilize 2FA." However, this should "ideally be an authenticator app rather than a code sent over SMS," Moore says.
Security researcher Sean Wright says that people should also look at the use of "Universal 2nd Factor (U2F) tokens for 2FA," as these, "to date have stood up to phishing attempts." U2F is an open authentication standard, originally developed by Google and Yubico and now maintained by the FIDO Alliance, supported by hardware security keys such as the YubiKey and Google Titan. The reason it resists the relay attack described above is that the key signs the origin of the page asking for the login along with the server's challenge, so a signature produced on a look-alike domain is rejected by the real site. Influencers and other creators with large followings should also consider "looking at Google’s Advanced Protection Program," Wright says. This adds another layer of protection into the mix, requiring two security keys. It does also mean that some third-party apps will no longer be able to access the account, but that's a small price to pay for hardened Google account security.
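The following simulation is an added example, not code from the original article or from any of the people quoted in it. It models the reverse-proxy interception Houghton describes, in which a phishing page relays the victim's second factor to the real site in real time, and contrasts a TOTP authenticator code (relayed successfully) with a U2F-style assertion (rejected, because the signed client data names the origin the browser was actually on). The origins, key material and HMAC "signature" standing in for a real key's ECDSA signature are all constructed stand-ins; the TOTP routine itself follows RFC 6238.

```python
"""Constructed simulation of a reverse-proxy phishing kit relaying a login.

Added example, not from the article. Two second factors face the same
attacker: a TOTP code (relayed within its validity window, so accepted) and
a U2F/WebAuthn-style assertion (rejected, because the signed client data
binds the browser origin). HMAC stands in for the token's ECDSA signature;
origins and secrets below are constructed, not real.
"""
import hashlib
import hmac
import json
import os
import struct
import time

REAL_ORIGIN = "https://accounts.google.com"
PHISH_ORIGIN = "https://accounts-google.example"  # constructed look-alike domain


def totp(secret: bytes, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm authenticator apps use."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpRelyingParty:
    """Real site holding the shared TOTP secret; accepts the current code."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, now=None) -> bool:
        return hmac.compare_digest(code, totp(self.secret, now=now))


class U2fKey:
    """Toy hardware key. HMAC over the client data stands in for ECDSA."""

    def __init__(self):
        self.secret = os.urandom(32)

    def sign(self, challenge: str, origin: str) -> dict:
        # The browser, not the user, fills in the origin the page is really on.
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        sig = hmac.new(self.secret, client_data.encode(), hashlib.sha256).hexdigest()
        return {"clientData": client_data, "signature": sig}


class U2fRelyingParty:
    """Real site: checks origin binding, challenge freshness and the signature."""

    def __init__(self, origin: str, key: U2fKey):
        self.origin = origin
        self.key_secret = key.secret   # toy: a real RP stores only the public key
        self.pending = set()

    def new_challenge(self) -> str:
        challenge = os.urandom(16).hex()
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> bool:
        data = json.loads(assertion["clientData"])
        if data.get("origin") != self.origin:          # origin binding defeats the proxy
            return False
        if data.get("challenge") not in self.pending:   # stale or replayed challenge
            return False
        expected = hmac.new(self.key_secret, assertion["clientData"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        self.pending.discard(data["challenge"])
        return True


def relay_totp(secret: bytes, now=None) -> bool:
    """Victim types the app code into the phishing page; the proxy forwards it
    to the real site inside the 30-second window, which accepts it."""
    code_typed_on_phish_page = totp(secret, now=now)
    return TotpRelyingParty(secret).verify(code_typed_on_phish_page, now=now)


def relay_u2f(tamper_origin: bool = False) -> bool:
    """Proxy fetches a genuine challenge and hands it to the victim's browser,
    which is on PHISH_ORIGIN. With tamper_origin the proxy rewrites the origin
    field before forwarding, which breaks the signature instead."""
    key = U2fKey()
    rp = U2fRelyingParty(REAL_ORIGIN, key)
    assertion = key.sign(rp.new_challenge(), PHISH_ORIGIN)
    if tamper_origin:
        data = json.loads(assertion["clientData"])
        data["origin"] = REAL_ORIGIN
        assertion["clientData"] = json.dumps(data, sort_keys=True)
    return rp.verify(assertion)


def genuine_u2f() -> bool:
    """Same key, but the browser is really on REAL_ORIGIN."""
    key = U2fKey()
    rp = U2fRelyingParty(REAL_ORIGIN, key)
    return rp.verify(key.sign(rp.new_challenge(), REAL_ORIGIN))


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, constructed input
    print("TOTP relayed by proxy accepted:", relay_totp(secret))
    print("U2F on phishing origin accepted:", relay_u2f())
    print("U2F with origin rewritten accepted:", relay_u2f(tamper_origin=True))
    print("U2F genuine login accepted:", genuine_u2f())
```

The relay of a TOTP code succeeds because nothing in the code ties it to the site the user typed it into; the U2F assertion fails either on the origin check or, if the proxy rewrites the origin, on the signature that covers it. This is the property Wright is relying on when he says U2F tokens have stood up to phishing.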
What does YouTube say?
A YouTube spokesperson sent me the following statement after this article was originally published:
“We have not seen evidence of an increase in hacking attempts over the weekend. We take account security very seriously and regularly notify users when we detect suspicious activity. We encourage users to enable two-factor authentication as part of Google's account Security Checkup, which decreases the risk of hacking. If a user has reason to believe their account was compromised, they can notify our team to secure the account and regain control.”
That YouTube has not seen evidence of an increase in hacking attempts is at odds with the swathe of account takeover reports that the ZDNet investigation confirmed across the last week, peaking at the weekend. However, the fact remains that this is a good time to take heed of the warnings concerning account hijacking and the coordinated hacking campaign that has been reported.