LinusTechTips YouTube channels hacked to promote cryptoscams

by Ike on March 24, 2023 at 5:45 pm
Posted In: Around the Net, security

The hijacking of YouTube accounts to promote bogus cryptocurrency schemes is nothing new. At Netcraft, we’ve previously blogged about the scale of cryptocurrency scams, and we saw attacks on at least 2,000 distinct IP addresses every month in the past year. Cryptocurrency-themed attacks remain popular with cybercriminals, but yesterday we had the opportunity to observe the recent high-profile attack on LinusTechTips as it unfolded.

This blog post explains what we saw, and how we protected our users from the scam sites hours before the compromised channels were taken down. All times in this post are GMT.

Timeline of the attack

On March 23rd, at approximately 10:30am, we noticed that LinusTechTips (LTT), a popular YouTube channel with over 15 million subscribers, had been compromised to promote a Tesla-themed cryptocurrency scam. Two of LTT’s related channels (Techquickie and TechLinked) were also compromised. The attack started in the middle of the night Vancouver time (where LTT is based), possibly to maximise the amount of time before the account holders noticed.

Three domains were used while the YouTube hack was active, which potential victims were directed to while the fake video was streaming (via the live chat and a QR code displayed on the screen). These domains were:

  • tesla-online[.]net (site report)
  • tesla-ltt[.]com (site report)
  • teslaltt[.]com (site report)

All three of these domains were registered with the same registrar (NiceNIC) and registrant details. While the first domain was registered on March 18th (a few days before the attack), the other two were registered on March 23rd – that is, while the attack was ongoing. These two domains also include “ltt” to imply a relationship with LinusTechTips.

Shortly after the attack went live, Cloudflare placed a phishing warning on the first domain being used for the attack (tesla-online[.]net). In response, the attacker registered and deployed the other two domains (tesla-ltt[.]com and teslaltt[.]com), and updated the links being promoted on the compromised channels accordingly. This shows that the attacker behind this was actively “behind the wheel” and making reactive changes as the attack unfolded, unlike phishing attacks where a fraudster may deploy a phishing site and then passively harvest credentials over time.

Around 11:30am, the main LTT channel was completely terminated by YouTube for “violating YouTube’s Community Guidelines”. The other affected channels, TechLinked and Techquickie, were terminated by 1:30pm.

Netcraft blocked the initial domain used for the attack (tesla-online[.]net) 4 days before the YouTube hack, and we also blocked the two new domains (tesla-ltt[.]com and teslaltt[.]com) within two hours of them being registered and deployed. Even before YouTube noticed and took action against the live channels, users of Netcraft’s extensions and feeds were already protected.

Summary of the LTT attack observed by Netcraft (all times in GMT)

Date        Time                   Event
March 18th  23:09                  Attacker registers tesla-online[.]net.
March 19th  01:06                  Netcraft blocks tesla-online[.]net.
March 23rd  Shortly before 10:30   LTT YouTube channel and related channels (Techquickie and TechLinked) begin to promote the scam, initially using tesla-online[.]net.
            10:30                  Netcraft notices the main LTT channel is hacked and begins monitoring. tesla-online[.]net was not displaying the Cloudflare warning at this point.
            Sometime after 10:30   Cloudflare adds warning to tesla-online[.]net.
            Around 11:30           LTT channel is terminated by YouTube, but the attack is still active on sub-channels.
            11:33                  Attacker registers and deploys tesla-ltt[.]com.
            12:09                  Attacker registers and deploys teslaltt[.]com.
            12:10                  Netcraft notices new domains being promoted on related channels.
            12:17                  Netcraft blocks tesla-ltt[.]com.
            13:08                  Netcraft blocks teslaltt[.]com.
            13:30                  All remaining affected channels terminated by YouTube.
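The timeline above can be checked mechanically. The following added example (not part of the Netcraft post) parses rows in the post's own "date time event" format, lets undated rows inherit the date of the previous row as the table does, and computes the registration-to-block latency per defanged domain; the rows are constructed from the table and the year is assumed from the byline.

```python
import re
from datetime import datetime

# Constructed from the post's timeline (GMT). Only rows with an exact
# clock time are included; "around"/"sometime after" rows are omitted.
TIMELINE = """\
March 18th 23:09 Attacker registers tesla-online[.]net.
March 19th 01:06 Netcraft blocks tesla-online[.]net.
March 23rd 11:33 Attacker registers and deploys tesla-ltt[.]com.
12:09 Attacker registers and deploys teslaltt[.]com.
12:17 Netcraft blocks tesla-ltt[.]com.
13:08 Netcraft blocks teslaltt[.]com.
"""

YEAR = 2023  # assumed from the post's byline
LINE_RE = re.compile(
    r"^(?:(?P<month>[A-Z][a-z]+) (?P<day>\d{1,2})(?:st|nd|rd|th) )?"
    r"(?P<hour>\d{2}):(?P<minute>\d{2}) (?P<event>.+)$")
# Defanged domain as written in the post, e.g. tesla-ltt[.]com
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+)\[\.\]([a-z]+)\b")


def parse_timeline(text):
    """Return [(timestamp, event)]; rows without a date inherit the
    date of the previous dated row."""
    current_date, events = None, []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["month"]:
            current_date = datetime.strptime(
                f"{m['month']} {m['day']} {YEAR}", "%B %d %Y")
        if current_date is None:
            raise ValueError("first row must carry a date")
        ts = current_date.replace(hour=int(m["hour"]), minute=int(m["minute"]))
        events.append((ts, m["event"]))
    return events


def block_latency_minutes(text):
    """Minutes from 'Attacker registers <domain>' to 'Netcraft blocks
    <domain>' for every domain that has both events."""
    registered, blocked = {}, {}
    for ts, event in parse_timeline(text):
        dm = DOMAIN_RE.search(event)
        if not dm:
            continue
        domain = f"{dm[1]}[.]{dm[2]}"
        if event.startswith("Attacker registers"):
            registered[domain] = ts
        elif event.startswith("Netcraft blocks"):
            blocked[domain] = ts
    return {d: int((blocked[d] - registered[d]).total_seconds() // 60)
            for d in registered if d in blocked}
```

The result supports the post's "within two hours" claim for the two domains registered mid-attack, and shows the overnight latency for the first domain crossing the midnight boundary correctly.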

Anatomy of the attack

In order to profit from hijacking a YouTube account to promote a cryptocurrency scam, the attacker aims to convey two things to their victim:

  • it is the legitimate account of a well-known brand or person, such as Tesla or Elon Musk, promising them a sum of cryptocurrency.
  • they should visit a linked scam URL being promoted to get this sum of money, which has the actual payload (i.e. the wallets the attacker wants victims to send their cryptocurrency to).

The compromised channel was renamed to teslaaliveonline1, with convincing-looking branding.

Screenshot from Wayback Machine showing a capture of the renamed channel as of 10:21am on March 23rd


To promote the scam URL, the attacker started livestreams of a discussion between Elon Musk, Cathie Wood and Jack Dorsey about cryptocurrency. While the intention is to appear like a live discussion, it is a pre-recorded video stolen from an older livestream by the channel ARK Invest. ARK Invest state in a comment that it is aware of hacked third-party YouTube channels making use of the video in this manner.

Victims were directed to the scam URL(s) in two ways:

  • In an overlay above the video, there was a picture of a spoofed tweet from Elon saying that “Your life will change within minutes if you scan the QR code”. The QR code goes to the scam URL.

  • In the live chat, the hacked account was used to make claims that users can double their cryptocurrency and that some cryptocurrency had already been sent to stream viewers, along with a link to the scam URL.

Screenshot while the attack was active showing the scam URL being promoted in the live chat and via QR code. At this point, the channel had been renamed to LinusTechTipsTemp.


The attacker actively restricted live posting from other accounts, to deter people from warning other users of the scam.

Additionally, the descriptions of previous recorded livestreams were renamed to include a link to the scam URL(s):

An older stream from LTT with an updated description containing the scam URL


Once Cloudflare placed a warning page on tesla-online[.]net, the links from the QR code and in the livestream were updated while the stream was live, to point to the new domains (tesla-ltt[.]com and teslaltt[.]com).

The scam URLs claim Tesla is hosting a giveaway of $100,000,000 in cryptocurrency. On the page are addresses of the various cryptocurrency wallets that victims were instructed to send their cryptocurrency to, which allegedly return participants twice the amount of the currency sent:

Screenshots of content on the scam URLs being promoted

When Netcraft visited the sites, the same wallet addresses were being advertised on tesla-online[.]net and teslaltt[.]com. In their haste to set up new sites for the scam, the attacker had broken wallet links on tesla-ltt[.]com (the corresponding QR codes are also broken and do not contain wallet addresses):

Broken links on tesla-ltt[.]com, displaying placeholders where the wallet links should be


We also spotted the wallet addresses advertised on the sites being updated at least once over the course of the attack. Based on the transactions made to the wallet addresses we observed, the attacker managed to generate over $14,000 in BTC and ETH on March 23rd, despite the attack being live for only a small number of hours.

LinusTechTips explained how its YouTube account was compromised by the attacker in a video posted today.

How can Netcraft help?

Netcraft is the world leader in cybercrime detection, disruption, and takedown, and has been protecting companies online since 1996. We analyze millions of suspected malicious sites each day, typically blocking an attack within minutes of discovery.

  • Netcraft provides cybercrime detection, disruption and takedown services to organizations worldwide including 12 of the top 50 global banks and the biggest cryptocurrency exchange ranked by volume. We perform takedowns for around one third of the world’s phishing attacks and take down 90+ attack types at a rate of 1 attack every 15 seconds. We can help defend your organization against cryptocurrency scams leveraging your brand’s identity.

  • The Netcraft browser extension and mobile apps block fraudulent sites, including the cryptocurrency scam sites that were used in this attack. Our malicious site feeds protect billions of people around the world from phishing, malware, and other cybercrime activities.

Ubuntu 5971-1: Graphviz vulnerabilities

by Ike on March 24, 2023 at 3:15 am
Posted In: Ubuntu Linux Distribution - Security Advisories

Several security issues were fixed in graphviz.


Fedora 37: gmailctl 2023-ca444fdecf

by Ike on March 24, 2023 at 2:02 am
Posted In: Fedora Linux Distribution - Security Advisories

Rebuild for CVE-20220-{3064,41717,41723}


Fedora 37: flatpak 2023-b0717d8c45

by Ike on March 24, 2023 at 2:00 am
Posted In: Fedora Linux Distribution - Security Advisories

Update to 1.14.4 * Fix CVE-2023-28100 and CVE-2023-28101


Ubuntu 5970-1: Linux kernel vulnerabilities

by Ike on March 24, 2023 at 12:00 am
Posted In: Ubuntu Linux Distribution - Security Advisories

Several security issues were fixed in the Linux kernel.
