What We Can Learn from the Ongoing YouTube Channel Hacks – Review Geek


Safeguards are helpful. But if you walk into a trap, you’re screwed.

YouTube app icon on an Apple TV
Justin Duino / Review Geek

Cryptocurrency scammers regularly impersonate public figures on social media. It’s an easy trick; change your name to Joe Rogan, open a sweepstakes or investment opportunity, and run off with the cash. But if you want to make a killing on crypto scams, you need to hack someone’s account.

If you’re running a low-risk scam, you might hack a local business or some random dude on Facebook. From there, you can cast a wide net and send every friend or mutual a link to a scam. Or, you can contact specific people who might be easy victims—“Grandma, please don’t tell my parents, but I got arrested, and I need Bitcoin to pay bail!”

Scammers with a bit of gumption will usually target large accounts. The most recent example is the Linus Tech Tips YouTube channel, which was hacked on March 23rd (along with other channels owned by Linus Media Group). The hackers changed the Linus Tech Tips account name to “Tesla,” aired a livestream of Elon Musk rambling about AI, and directed victims toward a crypto-based “investment opportunity.”

This scam is bringing to light Google’s somewhat flawed account security protocols. And, thankfully, it’s alerting people to the fact that YouTube is full of scams. Dozens of channels, both large and small, have been hijacked to execute this exact scam. Linus Tech Tips is just the latest, largest, and most ironic example.

Google bears some of the responsibility for these hacks. As Linus Tech Tips notes in its “My Channel Was Deleted Last Night” video, social media platforms like YouTube should require authentication when someone randomly changes their username, deletes a ton of content, or logs in from an unusual location. And, like banking websites, social media should regularly ask for re-authentication instead of leaving people logged in for several years at a time.

“But what about multi-factor authentication?” Here’s the thing: you don’t need a password to hijack an account. You don’t even need to deal with a victim’s multi-factor authentication. All you need is the session token from a device that’s currently logged into the target account—this token (it’s really just a cookie) tells the website “I was here earlier, don’t mind me!” Hence the need for more aggressive re-authentication on social media.
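To make that concrete, here is a sketch of the kind of server-side check described above, added as an illustration and not taken from YouTube or the original article. It treats a valid session cookie as insufficient for risky requests and asks for a fresh login instead. The action names, thresholds, timestamps, and the use of a country code as a stand-in for "location" are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds and action names are assumptions chosen for illustration.
SENSITIVE_ACTIONS = {"rename_channel", "change_password"}
MAX_SESSION_AGE = timedelta(days=30)        # periodic re-authentication
FRESH_AUTH_WINDOW = timedelta(minutes=10)   # "recent" login for risky actions
BULK_DELETE_LIMIT = 5                       # deletions allowed per window
BULK_DELETE_WINDOW = timedelta(hours=1)

@dataclass
class Session:
    last_auth: datetime                     # when password + MFA were last presented
    auth_country: str                       # where that login happened
    delete_times: list = field(default_factory=list)

def reauth_reason(session, action, now, country):
    """Return why this request must re-authenticate, or None to allow it."""
    age = now - session.last_auth
    if age > MAX_SESSION_AGE:
        return "session too old"
    if country != session.auth_country:
        return "unusual location"
    if action in SENSITIVE_ACTIONS and age > FRESH_AUTH_WINDOW:
        return "sensitive action needs recent login"
    if action == "delete_video":
        recent = [t for t in session.delete_times if now - t <= BULK_DELETE_WINDOW]
        if len(recent) >= BULK_DELETE_LIMIT and age > FRESH_AUTH_WINDOW:
            return "bulk deletion needs recent login"
        session.delete_times = recent + [now]
    return None

def replay_demo():
    """Constructed scenario: a cookie issued weeks ago is replayed by someone else."""
    login = datetime(2023, 3, 1, 9, 0)      # constructed timestamps
    now = login + timedelta(days=22)
    s = Session(last_auth=login, auth_country="CA")
    results = {
        "watch": reauth_reason(s, "watch_video", now, "CA"),
        "rename": reauth_reason(s, "rename_channel", now, "CA"),
        "abroad": reauth_reason(s, "watch_video", now, "XX"),
    }
    deletes = [reauth_reason(s, "delete_video", now + timedelta(minutes=i), "CA")
               for i in range(6)]
    results["deletes_allowed"] = deletes.count(None)
    results["sixth_delete"] = deletes[-1]
    return results

if __name__ == "__main__":
    for name, outcome in replay_demo().items():
        print(name, "->", outcome)
```

With a check like this, a copied cookie still lets someone browse as the victim, but renaming the channel or wiping its videos stops at a password and multi-factor prompt that the cookie alone cannot answer.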

Whoever hijacked the Linus Tech Tips channel utilized a session token, making for a painless entry. This session token was retrieved from an employee who unwittingly opened a malicious PDF disguised as a sponsorship-related document.

And this is where you need to pay attention; any individual or organization can fall victim to a data breach. Safeguards are helpful, but if you walk into a trap, you’re screwed.

Nobody wants to admit that they’re the weakest link. And we often talk about security in oversimplified ways—install this password manager, set up this VPN, and you’re good! Yes, these steps are helpful, but we also need increased awareness and education. A recent TrueCaller report states that 68 million Americans (nearly a fifth of all U.S. citizens) fell victim to phishing schemes in 2022, resulting in a loss of $40 billion.

Google can fix some of YouTube’s security problems, but it can’t teach you to question every email or social media post that comes your way. Unfortunately, there isn’t a clear way to teach people about cybersecurity, especially as hacking and phishing methods constantly morph and evolve. It seems that the best way to learn about this stuff is to look at other people’s mistakes, and I suggest that you do so.




