YouTube channel got hacked: how, timeline, and recovery.

I guess the blackmagick thing is a good bait for creators!

It would literally be the easiest thing to check for:
- large account
- password change protocol
- crypto video uploads
- old video removal / hidden.
Happens like that every time. Google, owners and developers of most advanced AI around: *crickets*

Channel name, profile picture AND PASSWORD change all at once shouldn't even be allowed, let alone from a far different IP. Not even a two-step verification prompt? It's like they're not even trying to address the glaring issue.

Linus Tech Tips got taken for awhile, don't feel bad.

@@matthiaswandel My thought was: WHAT THE F is he doing, vacation, more babies, holidays (which I absolutely support ... sorry, like that was my business, just joking!)??? Because I was irritated that all the Playlists went down the drain.
I'm glad you are back, hopefully with not that big of a chaos! Humans fall for scammers. Well ... do not use Microsoft:P (That's a scammer, too!)
So, now do not fall victim to snake-oil. Like all of those wonderful and "honest" tips given here in the comments, hehehe:)
While I personally would like to see a proprietary BM-camera SSD mount (OUT OF WOOD!), I am not that hyped for 8k wood pr0n.
Ich bin mit dem C64 aufgewachsen. So I can live with 320 × 200 Pixels:P
I wish you a smooth data recovery journey, Matthias!:)
Edit: Documenting the Nuke with MICROSOFT Excel shows that you have balls! (or your value as a hobby-comedian, hehehe). And please do not answer this: By the beard of my Granny, what email-client ALLOWS you to RUN executable files (you said .scr, I remember)??? Hehehehe, please forgive me for the schadenfreude, but also the amazement. Welcome Back, new Black Magic customer;)

So true! This is one of the very first parameters that I change on a new computer, mine or otherwise. I don’t get why this is an option to begin with, the mere convenience is absolutely not worth the risk.

And you can repeat this complaint for email clients that just show the sender name and not the email, and especially the the envelope sender.

First thing I do when given a new windoze machine is switch that back on, I abhor not seeing the extensions....

this is the same thing i thought when he mentioned that the file type was a screen saver..
when i switched to a new windows, this stuff annoyed me so i changed it back.. and i do this for every computer i use, even if it is not mine, people either not notice or thank me for it..

I can’t stand not having extensions visible.

and remove all the crapware it comes with, and I have to figure out how to ignore the stupid onedrive crap, and on and on and on. not looking forward to it.

@@matthiaswandel Chris Titus Tech has a windows crapware cleanup script that may help you with onedrive and such
I don't use windows at home so cant' say for sure just how efficacious it is

@@matthiaswandel I seem to remember the trick to avoid much of the MS login and other stuff, is to install while not connected to a network. I usually buy refurb PCs and the ones I've gotten come with a surprisingly clean windows install

howtogeek usually has nice guides on how to remove bloatware like that from Windows.@@matthiaswandel

@@matthiaswandelall the bloatware is such a pain. i wish things could go back to the windows 3.1 day when you just installed the basic operating system without all the garbage most people don't use. but glad you caught the hack as soon as you did

@JeffGeerling Can you help @mattiaswandel find a Linux video editing setup pls? At least figure out how to daily drive Linux and keep Windows VM for video editing or some solution to prevent this happening to him. 😀

1 reply after 6 hours? Jeffery! OK. We can start calling you "One Reply Jeff" and you can join the rest of us in the nose bleed section I don't know who you pssssst off but I don't want to micromanage. I myself got II, "dos". Se pronuncia "dohs", 2, TWO in a 8 hour period. SLAP IT HIGH! Well, at least you seem more 'approachable now' Cheers my temporary new friend. Oh krap!!!! My reply is #2. Foiled again!

​​@@plusmanikantanr why? Linux isn't the answer to everything.

​@@plusmanikantanr Jeff edits on Mac.

Pretty sure you're already compromised with the LTT-Worm. Luckily it's no that harmful. It just *drops* all your network packets

​@@MrKeschyIs that why I'm connected but have no internet.

I can only read this hearing your voice and inflection

wow mw is famous

Microsoft Defender is actually well above average, as AV software goes. This was apparently a custom executable, so no AV software would have flagged it as a known virus.
AV software isn't a replacement for not running random executables from sources you didn't even bother to check, just like having a functional immune system doesn't mean you should lick random objects left on your doorstep.

20MB file is probably why

antivirus works on patterns and signatures. if this is new or custom malware that doesn't use common patterns, no scanner will find it until their definitions are updated

I don't think this is a defender issue. They probably encrypted the malware itself and using a custom bootstraps

@@droopy_eyes To clarify, this *type* of scam has been around for a long time. It's unlikely that the executable is identical, and code obfuscation is quite effective. Ideally certain AV software should be able to recognize some of the patterns of obfuscated code, but using VirusTotal on a known-bad file is a great way to see how many AV's *won't* catch something. Not all malicious code is a cryptolocker, it's a bit of a farce that many people think viruses' goal is to slow down their computer. Often the worst pieces of malware are the ones that seem to do nothing, or exactly what they claim to do.

they added 2fa using the session. I think carrying out this attack and getting around protections is far from straightforward.

looks like youtube is unfortunately not interested in fixing this mess...

It already works like that, changing security settings (even if you're already logged in) requires authentication. But that only happens if you have 2FA enabled of course. It's been like that for a long time I believe.

Changing a password or adding 2fa should always require another password entry and not rely on a session key. Since they had your gmail session key a 2fa with your email would not have helped.

@@matthiaswandel Meanwhile I have two google accounts that are impossible to get into because google required two factor on them (security questions) and of course that was insane. I made them all a bunch of random numbers I have saved on a pen drive. BUT google won't let them ever log in because two factor is required and security questions is a disabled two factor method. Pure geniuses over there.

Yeah. I was going to say something about the use of a USB drive to move the video file from the hacked computer to another computer. The hackers could have inserted another malware that could infect the USB and make it a vector for infecting the other computer.

When this happened to Linus Tech Tips, they took no chances and physically destroyed the hard drive and motherboard (BIOS) to make absolutely sure no one could ever be affected by any possible lingering threat on that PC.

@@JanTuts also what I was thinking, with Matthias' frugal nature I doubt he would want to destroy the hard drive and bios if they still work, but I don't know enough about how much information from the original hack could still be on the hardware even through a clean install to know if it would be necessary or not. For sure it would be critical to also change microsoft credentials and add 2FA if possible just to be safe

@@JanTuts Well, they have the resources to be able to throw away computers any time they like. Also, it was content that they could use to make even more money. If I had a job where I could make money from destroying computers, I wouldn't hesitate either.
In reality, the likelihood of the hardware itself being compromised is rather low, and the risk is low enough for the average person that it isn't worth the expense of destroying hardware.

He could perhaps make a backup image of the disk and then let an antivirus program scan the image.

Yeah I saw this Ripple thing in my subs and was like… who is this and why did I sub to it?

If you clicked on the channel name, and looked at the URL, it still showed the channel URL as Matthias Wandel. So it was easy to figure out if you knew where to look.

@@bradley3549 Everything's easy to figure out if you know where to look.

Coming from a domain to some random California based crane company.... Should probably tell Brian at Crainco that his email is compromised

Yeah "glad to hear that we managed to interest you" is an obvious red flag. I have read/seen that hackers deliberately put slightly dubious language in their communication to make sure that anyone more security savvy / actually paying attention will notice and delete the email, therefore not wasting the hackers time. Anyone who does not notice this is often more gullible/ stressed etc and so more likely to be an easy target. This might be sound harsh, but it is clearly shown here again with that first sentence.

Watch to the end. its those dammed Russians!

*damned@@matthiaswandel
Probably the Chinese pretending to be the Reds
lol Its like the 50's again duck and cover

​@@loucipher67 I guess it's time to break out the old air raid siren.

@@matthiaswandel you could not know it for sure, only in case if you know this hacker personally. Google (or any other service) does not know real device geo-position: it is calculated by the network IP addresses. And there are two big problems: you could mask or set any IP address you would like to have, VPN technically gives you any IP address you would like to have (and as the result - any geo-position). So this hacker may be in any place in the world, even in the next house of you. And you never find it out. How good do you know your neighbors? Just kidding. Usually any attacks are built through the intermediate victim - it is small server or PC, hacked to hide real hacker location and identity. Its owner does not even know about it. And just in case: if my nickname causes a lot of mistrust to you - i am an evil russian after all, you may ask any network or security engineer you trust. In private dialogue

@@loucipher67 Nah, it's the ruzzians. They're desperate for cash, the country is imploding. Not that china isn't, but not anywhere near as fast as ruzkis are.

I hadn't enabled 2-factor authetication on that account. like I said, that would probably have saved it.

@@matthiaswandel I think what aminorityofone is suggesting is that strange or out-of-character goings on should automatically escalate to 2-factor even on accounts that don't have it turned on. Google do, presumably HAVE the info needed to contact you a second way for verification purposes.

​@@SuperDavidEF yeah they probably know your regular gas station and tell you to get your 2FA code from the clerk behind the counter that's on shift.

@@matthiaswandel it wouldn't help unfortunately, youtube really needs to fix this

TH-cam can't stop people from opening the door and inviting the attacker in. This attack (as session hijack) bypasses 2-factor.

Important clarification, session hijacking doesn't bypass 2FA. Session hijacking allows the hack to act as if they are the authenticated user until the session expires. During that time they have the same access you do when you login to your account. When they try to change your password, if you had previously enabled 2FA for this action AND google/youtube always apply the 2FA check, they would not be able to bypass 2FA and the account owner will get a confirmation sms which they would obviously reject. The issue is even if you enable 2FA, google for some ridiculous reason don't apply it 100% of the time when changing password/email. That is the issue.

​@@Ash_18037 the lack of reliable 2FA is mental. But the problem is why given your cookies someone can change your password. If hackers do account recovery then phone or recovery email should be required which I won't call 2FA, I call it reasonable 2015+ reset password mechanism.

​@@Ash_18037 Can they see the passwords saved in Chrome browser with session hijacking? Normally you have to enter your Windows session password in order to see or copy them.

@@Ash_18037 thank you, yes you are correct. Poorly worded on my behalf. If websites made you re-authenticate with 2FA to make account changes, a lot of these attacks would be thwarted.

@@Ash_18037 : I am out of my depth here, but if they hijack an open session, would they not be able to change the contact number use for 2FA, or would attempting this trigger a 2FA check to the original number first?

yes, hoping some of those 5k subs that left will see this and re-sub.

​@@matthiaswandelI was one of them! Resubbed already.
Gut das alles überstanden ist. Die neue SSD ist sicher nicht verkehrt. Pass auf dich auf Matthias :)

I didn't unsub, but was "unsubbed" somehow anyways. Can you tell who left because of the new content and who got removed? @@matthiaswandel

No, it doesn't. Just read the comments from all the people who "know better"

There's different levels. People less familiar with computers generally might be tricked more easily. But modern OSes are also extremely complicated and humans aren't very good at being meticulous and consistent. But in this case it's just egregious that Windows even still supports running screensavers like this.

@@Furiends I agree, Windows is far from ideal, but my main point is that everyone can be tired, or in a rush, or blind-sighted by a goal, and miss some tell-tale sign. And social engineers are getting smarter, and their schemes become more elaborate.
Everyone is at risk, no matter how smart or savvy. And everyone should assume that everything is a scam by default.

yeah, but it's not like you need twitter these days. It's a wretched hive of scum and villainy now.

They did it for your own good.

It pretty simply to change that behavior by going into file explorer control panel. Most people who are smart enough to even know what file extensions are/do already have done that. And realistically, most crims are able to use a vuln/exploit on most file extensions so it wouldn't matter that much. These crims were pretty basic, just smart enough to use a spell checker and well written bait.
I think the mention of $6K got Matthias' interest enough that he totally missed it was the old .screensaver exploit known about for 2 decades....

I think they played an elaborate game of creating lots of sessions and such to get around any algorithm that would detect this.

@@matthiaswandel Yeah. I get how they do it, I just don't see why a huge platform like youtube doesn't have safeguards in place to prevent session hijacks. For someone with no budget, just playing with making websites for the learning experience, it is pretty easy to make sure a session is tied to a an IP, or a general location, and/or a system with the basic specs. For a company with money, or knowledgeable people, you can tie it to exact specs of a single device with various scrips.
I'm just confused that with as often as the session hijack seems to happen, TH-cam hasn't at the least, added a check box to allow people that want it to require a full log in or two-factor authentication before major channel settings or methods of access to the account can be changed.

@@johngaltline9933 Probably so you can take the computer with you on travels, or get a new IP from the ISP without getting logged out?
In my experience, you do not get logged out from google unless you clear cookies or delete the session from the google page.
Moving a laptop between networks clearly do not log you out. (with 2 factor e.t.c.)
Chrome may have some creative solutions there, but I do not know for sure.

@@johngaltline9933 Tying sessions to IP is not feasible in the modern world full of VPNs, laptops, mobile phones and WiFi hotspots. And if the attacker manages to execute something on the target computer they already have full access to all the hardware details which makes them trivial to spoof. 2FA is pretty much the only thing that works when the user's hardware is compromised.

In the realm of IPv4, not every device has a fixed IP, so, every time a device gets a new IP, the cookies are rendered invalid. Bad side effects. Some devices have GPS, some don't. Requiring geo location data during session cookies creation is a non-starter. How about MAC address of the device? That might work in some cases; in others, it may not. Reason being that some network device/software/driver actually swaps the real one with a dynamically generated one. And the generated one can change at anytime. Same issues as IP.

Me too, been doing that for nearly three decades now.

From my understanding of how this works, a VM wouldn't have stopped it.

@@shawnsg use a linux distribution for your virtual machine guest os. Something easy like Linux Mint. An exe is not worth much on a Linux machine.

@@frederickwood9116 alternatively, just check the emails on a phone.

Low paid Russians trying to get western currecny via crypto scams to pay for their stupid war. Probably didn't make that much $ off this one, but still.

Hehehe

Since windows security didn't pick it up. Do you know what kind of anti virus that is good at detecting these hacks? I receive many WinRAR files as part of my work. I am relying on the built-in window 10 security system to protect my PC. But in this case Mathias wasn't able to detect it using Windows security

@@alianbaba9330 Most people with a modicum of experience would have a seperate A/V running, or like me, would have uploaded the file to something like virustotal which will scan with ~20 different brand name scanners. This was beyond embarrassing.

@@alianbaba9330 Consider that unlike an exploit this is a payload the user runs. (which is insane Windows allows this). Given what the payload does it would be antithetical for antivirus to block is because then what's the point of programs on your computer? Imagine something like:
Reads files on your computer
Loads web page
Use webpage text for path of file to upload
Where is the malicious code here? You wouldn't be able to run an email client. Now on Android there is at least per app security context.

Shouldn't he be worried about other devices on his network? Is he really "done" with this issue by simply unplugging the PC?

@@alianbaba9330
NOD32, Sophos, etc there are quite a lot of real-time detection anti-virus/anti-malware software out there to choose from that have relatively low resource impact on your machine. These two aren't free but there are some that are.

thats what hapened to linus tech tips.
But .. They wouldn't be able to change the password with MFA. So once figured out whats happening, I could have changed the password, which would have killed all the other sessions.

​@@matthiaswandelsince they where already logged in on the hijacked session, they can simply turn of 2FA, and then change the password

@@matthiaswandel Not with the current solution you couldn't.
Your first sign of a problem would be the changed email, which doesn't currently require MFA.
The new email is their second factor, so you end up with the same problem.
We are back to requiring MFA on all account changes. Which should be a thing on EVERY account with more than like 10k subs.[1]
Hell, the session keys should be based on geographic locations anyway.
Restricting the keys to a machine hash could cause a ton of problems. But restricting a session established from a specific local ISP from suddenly reconnecting from another continent should be a no-brainer and trivial to implement, even if it would still allow attackers to bypass it with local proxies. At least it would provide another speed bump.
[1] Remember that these accounts are being used to run scams. It isn't JUST about the account holder getting screwed when they lose access to their channel. This is also a public safety issue. Monetization doesn't matter. Audience exposure does. Channels over a certain threshold are a public threat, since they are the targets for scam use.

@@earld1403 in theory, when you log out, your session token should be deemed invalid. Which should in turn make it so your session can't be hijacked.
But this also depends on how well the application was coded. Some applications might not invalidate session tokens when a logout occurs, this would be a security vulnerability.

@@earld1403 You can simply start a new private/incognito window and close it when done. Nothing is saved unless you download something.

what else should they use? email is to susceptible to spam that way.

@@matthiaswandel they could host a webpage with a form you can actually use. But I guess that's asking a bit much of a tech company only worth 1.766 trillion dollars.

Think of it like airport security.
If someone wants to do bad things to the plumbing of an airport, you want to catch them when they are trying to go through the passenger security line wearing a plumbing uniform and carrying a bunch of tools. That is where they will stand out.
Once they are on the other side of security, a plumber wearing a uniform and wheeling around a cart with pluming tools between every bathroom is pretty normal.
Hiding an executable in an email is the important part, because emails almost never have executables attached. That is the red flag.
Once it is on your computer, the executable doesn't really have to do "bad" stuff to accomplish it's goal. There isn't much to scan for.

@@droopy_eyes - RAR is no more "ancient" than plain ZIP, which is still by far the most common format. 7Z and RAR4 are indeed better (especially after you tweak a couple of compression parameters), but with internet speeds having increased so much, most people don't care about size, so they stick to the older ZIP format for compatibility.
What really surprised me was that he didn't have file extensions visible. That would have made it immediately obvious it was in a dodgy file format (SCR).

@@droopy_eyes You don't know the corporate world. It's a blood sport to make as much official communication as possible look indistinguishable from scams.

There is nothing wrong with winrar. It's just a more efficient compressor than zip. Hackers use it because it's better than zip. Just Like hackers use computers cause they are better than calculators.

What you're "missing" is that Google don't really care. They could certainly fix it if they wanted to.

givem all the stuff the hackers did, I'm prettu sure much of it was to fool google's algorithms into complacency. Like I explained.

@@matthiaswandel yes sorry you did, but those looked like new logons from different locations to mess with the AI systems, not the original session.
Again glad to have you back

When I was phised on Steam they used a VPN to get a UK login, which I stupidly accepted on Steam Guard's 2FA because it didn't say "RUSSIA".

wasn't air gapped. Just that the hacker grabbed all the sessions off my main browser, not realizing I use two.

And he'll do it with some scrap wood from the roadside....

2fa wouldn't help in this case unfortunately. you just have to be very careful with what you are opening, in general you should never open attachments from unknown senders.

and 4,5,6,7,8 and 9 - Be VERY careful what you click and download.

@@riba2233 Unless I am misunderstanding, he seems to say 2FA might have at least helped: 9:44 The idea is (According to a comment below)" They wouldn't be able to change the password with MFA. So once figured out whats happening, I could have changed the password, which would have killed all the other sessions."