8th December 2023

The hijacking of YouTube accounts to promote bogus cryptocurrency schemes is nothing new. At Netcraft, we’ve previously blogged about the scale of cryptocurrency scams, and we observed attacks on at least 2,000 distinct IP addresses each month over the past year. Cryptocurrency-themed attacks remain popular with cybercriminals, but yesterday we had the opportunity to observe the latest high-profile attack on LinusTechTips as it unfolded.

This blog post explains what we saw, and how we protected our customers from the scam sites hours before the compromised channels were taken down. All times in this post are GMT.

Timeline of the attack

On March 23rd, at approximately 10:30am, we noticed that LinusTechTips (LTT), a popular YouTube channel with over 15 million subscribers, had been compromised to promote a Tesla-themed cryptocurrency scam. Two of LTT’s related channels (Techquickie and TechLinked) had also been compromised. The attack started in the middle of the night Vancouver time (where LTT is based), likely to maximise the amount of time before the account holders noticed.

Three domains were used while the YouTube hack was active, which potential victims were directed to while the fake video was streaming (via the live chat and a QR code displayed on the screen). These domains were:

All three of these domains were registered with the same registrar (NiceNIC) and registrant details. While the first domain was registered on March 18th (several days before the attack), the other two were registered on March 23rd – that is, while the attack was ongoing. These two domains also include “ltt” to suggest a relationship with LinusTechTips.

Shortly after the attack went live, Cloudflare placed a phishing warning on the first domain being used for the attack (tesla-online[.]net). In response, the attacker registered and deployed the other two domains (tesla-ltt[.]com and teslaltt[.]com), and updated the links being promoted on the compromised channels accordingly. This shows that the attacker behind this was actively “behind the wheel” and making reactive changes as the attack unfolded, unlike phishing attacks where a fraudster may deploy a phishing site and then passively harvest credentials over time.

Around 11:30am, the main LTT channel was completely terminated by YouTube for “violating YouTube’s Community Guidelines”. The other affected channels, TechLinked and Techquickie, were terminated by 1:30pm.

Netcraft blocked the initial domain used for the attack (tesla-online[.]net) four days before the YouTube hack, and we also blocked the two new domains (tesla-ltt[.]com and teslaltt[.]com) within two hours of them being registered and deployed. Even before YouTube noticed and took action against the live channels, users of Netcraft’s extensions and feeds were already protected.

Summary of the LTT attack observed by Netcraft (all times in GMT)

March 18th, 23:09: Attacker registers tesla-online[.]net.
March 19th, 01:06: Netcraft blocks tesla-online[.]net.
March 23rd, shortly before 10:30: LTT YouTube channel and related channels (Techquickie and TechLinked) begin to promote the scam, initially using tesla-online[.]net.
March 23rd, 10:30: Netcraft notices the main LTT channel is hacked and begins monitoring. tesla-online[.]net was not displaying the Cloudflare warning at this point.
March 23rd, sometime after 10:30: Cloudflare adds a warning to tesla-online[.]net.
March 23rd, around 11:30: LTT channel is terminated by YouTube, but the attack is still active on sub-channels.
March 23rd, 11:33: Attacker registers and deploys tesla-ltt[.]com.
March 23rd, 12:09: Attacker registers and deploys teslaltt[.]com.
March 23rd, 12:10: Netcraft notices new domains being promoted on related channels.
March 23rd, 12:17: Netcraft blocks tesla-ltt[.]com.
March 23rd, 13:08: Netcraft blocks teslaltt[.]com.
March 23rd, 13:30: All remaining affected channels terminated by YouTube.
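One way a defender could triage candidate domains using the signals this timeline exposes (brand keywords in the label, registration minutes or days before promotion, and a registrar shared with a domain already confirmed as part of the campaign). This is an added Python example, not Netcraft’s own tooling; the scam-domain records are constructed from the timeline above, and the fourth record is an invented benign control.

```python
from datetime import datetime, timedelta

BRAND_TOKENS = ("tesla", "ltt", "linustechtips")  # tokens the attacker leaned on
RECENT_DAYS = 7            # the first scam domain was registered five days ahead

# Constructed records: the three scam domains follow the timeline above (GMT);
# the fourth is an invented benign control, not a real site from the incident.
RECORDS = [
    {"domain": "tesla-online.net", "registrar": "NiceNIC",
     "registered": "2023-03-18 23:09", "promoted": "2023-03-23 10:30"},
    {"domain": "tesla-ltt.com", "registrar": "NiceNIC",
     "registered": "2023-03-23 11:33", "promoted": "2023-03-23 12:10"},
    {"domain": "teslaltt.com", "registrar": "NiceNIC",
     "registered": "2023-03-23 12:09", "promoted": "2023-03-23 12:10"},
    {"domain": "hardware-reviews-example.org", "registrar": "ExampleRegistrar",
     "registered": "2019-06-01 00:00", "promoted": "2023-03-23 10:30"},
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def brand_tokens(domain):
    """Brand keywords present in the registrable label ('tesla-ltt' -> both)."""
    label = domain.lower().rsplit(".", 1)[0]
    return [t for t in BRAND_TOKENS if t in label]

def assess(rec, known_bad_registrars=frozenset()):
    """Score one domain on brand impersonation, registration shortly before
    promotion, and a registrar shared with a confirmed campaign domain."""
    reasons = []
    tokens = brand_tokens(rec["domain"])
    if tokens:
        reasons.append(f"brand tokens {tokens}")
    age = _ts(rec["promoted"]) - _ts(rec["registered"])
    if age <= timedelta(days=RECENT_DAYS):
        reasons.append(f"registered only {age} before promotion")
    # Registrar alone is weak evidence; it counts only as a pivot from a hit.
    if rec["registrar"] in known_bad_registrars:
        reasons.append(f"registrar {rec['registrar']} shared with a scam domain")
    return len(reasons), reasons

def triage(records, threshold=2):
    """Flag domains in registration order, pivoting on flagged registrars."""
    flagged, bad_registrars = [], set()
    for rec in sorted(records, key=lambda r: _ts(r["registered"])):
        score, reasons = assess(rec, frozenset(bad_registrars))
        if score >= threshold:
            flagged.append((rec["domain"], score, reasons))
            bad_registrars.add(rec["registrar"])
    return flagged
```

Run against the constructed records, the first domain is flagged on two signals and the two follow-up domains on all three, while the benign control scores zero.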

Anatomy of the attack

In order to profit from hijacking a YouTube account to promote a cryptocurrency scam, the attacker aims to convey two things to their victim:

  • it’s the legitimate account of a well-known brand or individual, such as Tesla or Elon Musk, promising them a sum of cryptocurrency.
  • they should visit a linked scam URL being promoted to get this sum of money, which has the actual payload (i.e. the wallets the attacker wants victims to send their cryptocurrency to).

The compromised channel was renamed to teslaaliveonline1, with convincing-looking branding.

Screenshot from Wayback Machine showing a capture of the renamed channel as of 10:21am on March 23rd


To promote the scam URL, the attacker started livestreams of a discussion between Elon Musk, Cathie Wood and Jack Dorsey about cryptocurrency. While the intention is to appear to be a live discussion, it’s a pre-recorded video stolen from an older livestream by the channel ARK Invest. ARK Invest states in a comment that it is aware of hacked third-party YouTube channels making use of the video in this manner.

Victims were directed to the scam URL(s) in two ways:

  • In an overlay above the video, there was an image of a spoofed tweet from Elon saying that “Your life will change within minutes if you scan the QR code”. The QR code goes to the scam URL.

  • In the live chat, the hacked account was used to make claims that users can double their cryptocurrency and that some cryptocurrency had already been sent to stream viewers, along with a link to the scam URL.

Screenshot while the attack was active showing the scam URL being promoted in the live chat and via QR code. At this point, the channel had been renamed to LinusTechTipsTemp.


The attacker actively restricted live posting from other accounts, to discourage people from warning other users of the scam.

Additionally, the descriptions of previous recorded livestreams were renamed to include a link to the scam URL(s):

An older stream from LTT with an updated description containing the scam URL


Once Cloudflare placed a warning page on tesla-online[.]net, the links from the QR code and in the livestream were updated while the stream was live, to point to the new domains (tesla-ltt[.]com and teslaltt[.]com).

The scam URLs claim Tesla is hosting a giveaway of $100,000,000 in cryptocurrency. On the page are addresses of the various cryptocurrency wallets that victims were instructed to send their cryptocurrency to, which allegedly return participants twice the amount of the currency sent:

Screenshots of content on the scam URLs being promoted

When Netcraft visited the sites, the same wallet addresses were being advertised on tesla-online[.]net and teslaltt[.]net. In their haste to set up new sites for the scam, the attacker had broken wallet links on tesla-ltt[.]net (the corresponding QR codes are also broken and don’t contain wallet addresses):

Broken links on tesla-ltt[.]com, displaying placeholders where the wallet links should be


We also observed the wallet addresses advertised on the sites being updated at least once over the course of the attack. Based on the transactions made to the wallet addresses we observed, the attacker managed to generate over $14,000 in BTC and ETH on March 23rd, despite the attack being live for only a small number of hours.

LinusTechTips explained how its YouTube account was compromised by the attacker in a video posted today.

How can Netcraft help?

Netcraft is the world leader in cybercrime detection, disruption, and takedown, and has been protecting companies online since 1996. We analyze millions of suspected malicious sites every day, typically blocking an attack within minutes of discovery.

  • Netcraft provides cybercrime detection, disruption and takedown services to organizations worldwide, including 12 of the top 50 global banks and the largest cryptocurrency exchange ranked by volume. We perform takedowns for around one third of the world’s phishing attacks and take down 90+ attack types at a rate of 1 attack every 15 seconds. We can help protect your organization against cryptocurrency scams leveraging your brand’s identity.

  • The Netcraft browser extension and mobile apps block fraudulent sites, including the cryptocurrency scam sites that were used in this attack. Our malicious site feeds protect billions of people around the world from phishing, malware, and other cybercrime activities.
