Desperate Gmail and YouTube users are turning to official and unofficial Google support forums after hackers took over their accounts, bypassed two-factor authentication (2FA), and locked them out. In many cases the attackers have then used the hijacked accounts to run cryptocurrency scams involving Ripple’s XRP.
Updated 04/13 with details below. This article was originally published on April 12.
Google users take to support forums as 2FA hackers target Gmail and YouTube accounts
If you take a quick look at the various support forums for Google products like Gmail and YouTube (Google’s own official forums as well as Reddit’s), you will always find people desperately asking about account recovery. These are usually the result of someone forgetting a password, having a phone stolen, or changing a phone number. However, when a pattern emerges of accounts being hacked and their owners unable to recover them despite having 2FA enabled, you know something is wrong.
“They changed two-factor authentication… Account recovery doesn’t work and I’m stuck in a loop.”
“Hackers changed the password and phone number, and edited the two-factor authentication settings.”
“My account, 2FA authenticated, I can not log in. The password box says the password was changed 25 hours ago. Some genius hacker changed the recovery email address to the same email address and also deleted my number, so I can’t recover it.”
Apart from the number of accounts compromised despite having 2FA protection in place, there appears to be another commonality: scams leveraging Ripple Labs’ cryptocurrency, XRP.
Ripple Labs issues XRP cryptocurrency scam alert
Ripple took to X to raise awareness that attacks on Gmail and YouTube accounts are on the rise and that the hijacked accounts are being used to lure readers and viewers into various scams. The most common of these is the so-called crypto doubling scam, which promises to send back twice the XRP a victim transfers to an account masquerading as a genuine Ripple management account. Some of the compromised YouTube accounts, for example, used deepfake-generated videos of Ripple Labs CEO Brad Garlinghouse to lend the scam authenticity.
In the X post, published on April 11, Ripple warns that Ripple Labs will never ask anyone to send it XRP and points concerned readers to its advice on how to avoid crypto scams.
How hackers bypass 2FA security
The answer to the question “How do threat actors hack 2FA security?” is that they don’t. They bypass it completely. A user who has been locked out of their Google account and has had their password and 2FA details changed so that they cannot log back in has most likely fallen victim to a so-called session cookie hijacking attack. The attack most often begins with a phishing email that leads to malware capable of capturing the session cookies designed to let users log in faster or pick up where they left off. The problem is that if an attacker gets hold of these cookies after the user has successfully logged in, they can simply replay them to the site and bypass the need for a 2FA code. As far as the site is concerned, authentication has already succeeded and the user is already logged in. Forbes contributor Zak Doffman provides an overview of this attack technique and some of the measures used to counter it.
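The replay problem described above exists because a plain session cookie proves nothing about who is presenting it. The following added example (not code from the article or from Google) shows the server-side counter-measure in miniature: the session cookie’s MAC covers a per-device binding value, so a cookie stolen after login and replayed from another machine is rejected even though the original 2FA login was genuine. The binding here is derived from client IP and User-Agent purely for illustration; that signal is weak (mobile clients change IP constantly) and a real deployment would bind to a device-held key instead.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side MAC key; a real service would load it from a KMS.
SERVER_KEY = secrets.token_bytes(32)


def device_binding(client_ip: str, user_agent: str) -> str:
    """Constructed stand-in for a device-binding signal the server can
    re-derive on every request. Weak on purpose: IP/UA binding only
    illustrates the idea; a device-held key is the robust version."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


def _tag(user: str, session_id: str, binding: str) -> str:
    msg = f"{user}|{session_id}|{binding}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(user: str, binding: str) -> str:
    """Mint the session cookie right after password + 2FA succeed. Because
    the MAC covers the binding, the cookie is only valid from that device."""
    session_id = secrets.token_hex(16)
    return f"{user}|{session_id}|{_tag(user, session_id, binding)}"


def validate_cookie(cookie: str, binding: str) -> bool:
    """True only if the cookie is authentic AND presented with the binding it
    was issued for. A replayed cookie from elsewhere fails this check."""
    try:
        user, session_id, tag = cookie.split("|")
    except ValueError:
        return False  # malformed cookie
    return hmac.compare_digest(tag, _tag(user, session_id, binding))


def demo() -> tuple[bool, bool]:
    """Legitimate use vs. replay of the same cookie from an attacker host."""
    victim = device_binding("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)")
    cookie = issue_cookie("alice", victim)  # minted after a real 2FA login
    ok_same_device = validate_cookie(cookie, victim)
    # Info-stealer exfiltrates the cookie; attacker replays it elsewhere.
    attacker = device_binding("198.51.100.7", "python-requests/2.31")
    ok_replayed = validate_cookie(cookie, attacker)
    return ok_same_device, ok_replayed


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Without the binding in the MAC, the second check would succeed exactly as the article describes, because the server would have no way to tell the replayed cookie from the original.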
Google says users will have 7 days to recover hacked 2FA accounts
When we contacted Google about the session cookie hijacking issue, the company acknowledged that it is a long-standing problem for account security across the Internet. A Google spokesperson said, “We have technology that we use and continually update to detect and block suspicious access that may indicate that cookies have been stolen,” and pointed to session credentials that are bound to the device.
Google says all is not lost for users whose accounts have already been hacked and whose secondary or recovery factors have been changed. “Our automated account recovery process allows users to use their original recovery factors for up to seven days after the change, as long as they were set up before the incident occurred,” the spokesperson said.
On general account security hygiene, Google recommends making sure your account is set up for recovery, so that regaining access for any reason causes fewer problems. “For added protection, we continue to encourage users to utilize security tools such as passkeys and Google’s Security Checkup,” the spokesperson concluded.
Updated 04/13: YouTube users, and gamers in particular, need to be wary of more than hackers pushing cryptocurrency scams. To be more specific, YouTube users who download pirated games are most at risk. Threat researchers at Proofpoint analyzed numerous YouTube channels that distribute information-stealing malware to the gamer community.
Proofpoint Emerging Threats researchers say a variety of information-stealing malware disguised as pirated video games and related software cracks is being spread via YouTube channels. Using the video description as bait and promising the viewer tips on how to download video games for free, the link actually directs the user to a site that delivers the malware payload.
If you think this is already bad enough, prepare for worse. “Many of the accounts hosting malicious videos appear to have been compromised from legitimate users,” the researchers said, and that is still not the worst part. The posts appear to be aimed at a younger audience, with some links claiming to be for games popular with children. The researchers said this makes this particular distribution method noteworthy.
A variety of information-stealing malware, including Lumma Stealer, StealC, and Vidar, has been found to be distributed this way. According to the researchers, there were also “multiple distinct activity clusters distributing information stealers via YouTube,” which means the activity cannot be attributed to a single threat actor or cybercriminal group. The common denominator is the technical method, which appears similar across clusters: in addition to the gaming lure, the attackers used similar instructions telling victims to disable antivirus features and similar techniques for inflating file sizes to bypass security protections. What Proofpoint researchers can say with certainty is that attackers are persistently targeting YouTube consumers, not corporate users.
Specifically, Proofpoint cited one YouTube account with 113,000 users and a gray verification checkmark as having been compromised. Almost all of the videos posted by the account were more than a year old, and the videos and their descriptions were all in Thai. Within 24 hours, however, it posted 12 new English-language videos, with English descriptions linking to malicious sites and related to cracked video games. The researchers advised YouTube users to look for “significant time gaps between posted videos, content that differs significantly from previously published videos, language differences,” and malicious links in descriptions. Unfortunately, the last of these is easier said than done for many people.
Proofpoint Emerging Threats researchers said that during the course of their investigation they reported more than a dozen accounts distributing malware to YouTube. All reported content has been removed by YouTube.
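The warning signs Proofpoint lists for a hijacked channel (a long gap before new uploads, a change of language, descriptions that suddenly carry external links) can be checked mechanically over a channel’s upload history. The following added example (not Proofpoint’s or YouTube’s code) implements that triage over constructed upload records modelled on the dormant Thai channel described above; the thresholds and field names are assumptions.

```python
from datetime import date

# Constructed upload history for a hypothetical channel, oldest first:
# years of Thai-language videos, then a same-day burst of English "crack"
# videos whose descriptions carry external links (placeholder domains).
SAMPLE_UPLOADS = [
    {"date": date(2022, 11, 3), "lang": "th", "desc": "(Thai travel vlog)"},
    {"date": date(2023, 1, 15), "lang": "th", "desc": "(Thai food review)"},
    {"date": date(2024, 4, 10), "lang": "en",
     "desc": "Free game crack, download: http://example.invalid/dl"},
    {"date": date(2024, 4, 10), "lang": "en",
     "desc": "Cracked game full version http://example.invalid/x"},
]


def channel_anomalies(uploads, gap_days=180, recent=2):
    """Return the warning signs present in a channel's upload history.

    The newest `recent` uploads are compared with everything before them:
      time_gap           - long silence before the new burst
      language_change    - new uploads in a language the channel never used
      new_external_links - descriptions gain URLs the old content lacked
    An empty list means none of the heuristics fired (not proof of safety).
    """
    uploads = sorted(uploads, key=lambda u: u["date"])
    old, new = uploads[:-recent], uploads[-recent:]
    if not old:
        return []  # too little history to compare against
    flags = []
    if (new[0]["date"] - old[-1]["date"]).days >= gap_days:
        flags.append("time_gap")
    old_langs = {u["lang"] for u in old}
    if all(u["lang"] not in old_langs for u in new):
        flags.append("language_change")
    has_link = lambda u: "http://" in u["desc"] or "https://" in u["desc"]
    if any(map(has_link, new)) and not any(map(has_link, old)):
        flags.append("new_external_links")
    return flags


if __name__ == "__main__":
    print(channel_anomalies(SAMPLE_UPLOADS))
    # ['time_gap', 'language_change', 'new_external_links']
```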