Safeguards are useful. But if you walk into a trap, you’re screwed.
Crypto scammers regularly pose as public figures on social media. It’s an easy trick: change your display name to Joe Rogan, announce a sweepstakes or an “investment opportunity,” and walk away with the cash. But if you want to make a real killing on crypto scams, you need to hijack someone else’s account.
If you’re running a low-risk scam, you could hijack a local business page or some random guy on Facebook. From there, you can cast a wide net and send every friend or mutual a link to the scam. Or you can go after specific people who are likely to be easy victims: “Grandma, please don’t tell my parents, but I got arrested and I need Bitcoin for bail.”
Scammers with a bit of common sense usually target large accounts. The most recent example is the Linus Tech Tips YouTube channel, which was hijacked on March 23 (along with other channels owned by Linus Media Group). The hijackers renamed the Linus Tech Tips channel “Tesla,” broadcast a live stream of old footage of Elon Musk rambling about AI, and directed viewers toward a crypto-based “investment opportunity.”
This scam exposes the flaws in Google’s account-security model. If nothing else, it is alerting people to the fact that YouTube is full of scams: dozens of channels, large and small, have been hijacked to run exactly this playbook. Linus Tech Tips is just the latest, biggest, and most ironic example.
Google bears part of the responsibility for these attacks. As Linus Tech Tips points out in the “My Channel Was Deleted Last Night” video, a platform like YouTube should demand fresh authentication when an account suddenly changes its channel name, mass-deletes content, or is accessed from an unusual location. And, like banking websites, social networks should periodically ask users to re-authenticate instead of leaving them signed in for years at a time.
“But what about multi-factor authentication?” Here’s the thing: you don’t need the victim’s password to hijack an account, and you never have to get past their MFA prompt either. All you need is the session token of a device that is already signed in to the target account. That token (in practice it’s just a cookie) is a bearer credential; it tells the website “I already logged in, don’t ask me again,” and whoever presents it is treated as the account owner, no questions asked. Hence the need for far more aggressive re-authentication on social media.
Whoever hijacked the Linus Tech Tips channel used exactly such a session token, which is why they never had to log in at all. The token was stolen from an employee’s computer after that employee opened a malicious PDF disguised as a sponsorship-related document.
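To make the two points above concrete (a session cookie is a bearer credential that sidesteps MFA, and step-up re-authentication is the control that blunts a stolen one), here is a toy session model. It is an added example, not code from the original article or from Google or YouTube; the user record, the fixed TOTP code, the timestamps, and the policy values (`SESSION_MAX_AGE`, `STEP_UP_WINDOW`, `SENSITIVE_ACTIONS`) are all constructed for the demo.

```python
"""Toy session-token model: why a stolen cookie bypasses MFA, and what
step-up re-authentication changes.

Added example for this article; not the platform's real code. Every name,
timestamp and policy value below is illustrative.
"""
import hashlib
import hmac
import secrets
import time

# Server-side signing key and policy values (assumed for the example).
SECRET_KEY = secrets.token_bytes(32)
SESSION_MAX_AGE = 12 * 3600        # absolute lifetime of a session cookie
STEP_UP_WINDOW = 5 * 60            # how recently credentials must have been re-checked
SENSITIVE_ACTIONS = {"rename_channel", "delete_videos", "start_livestream"}

# Constructed user record; the "current" TOTP code is fixed so the demo is deterministic.
USERS = {"editor": {"password": "correct horse battery", "totp": "492817"}}


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _check_credentials(user: str, password: str, totp: str) -> None:
    rec = USERS.get(user)
    ok = (rec is not None
          and hmac.compare_digest(rec["password"], password)
          and hmac.compare_digest(rec["totp"], totp))
    if not ok:
        raise PermissionError("bad password or MFA code")


def login(user: str, password: str, totp: str, now=None) -> str:
    """Password + MFA once, then hand back a bearer cookie: user|issued|last_auth|mac."""
    now = int(now if now is not None else time.time())
    _check_credentials(user, password, totp)
    payload = f"{user}|{now}|{now}"
    return f"{payload}|{_sign(payload)}"


def _parse(cookie: str):
    """Verify the MAC and unpack the cookie; a forged cookie is rejected here."""
    user, issued, last_auth, mac = cookie.split("|")
    payload = f"{user}|{issued}|{last_auth}"
    if not hmac.compare_digest(_sign(payload), mac):
        raise PermissionError("forged or corrupted cookie")
    return user, int(issued), int(last_auth)


def naive_authorize(cookie: str, action: str, now=None) -> str:
    """The weak model: any validly signed cookie authorises any action, indefinitely.
    Whoever holds the cookie *is* the user; password and MFA are never asked again."""
    user, _, _ = _parse(cookie)
    return f"{user} may {action}"


def authorize(cookie: str, action: str, now=None) -> str:
    """Hardened model: sessions expire, and sensitive actions need a recent re-auth."""
    now = int(now if now is not None else time.time())
    user, issued, last_auth = _parse(cookie)
    if now - issued > SESSION_MAX_AGE:
        raise PermissionError("session expired; log in again")
    if action in SENSITIVE_ACTIONS and now - last_auth > STEP_UP_WINDOW:
        raise PermissionError(f"{action} requires re-authentication")
    return f"{user} may {action}"


def reauthenticate(cookie: str, password: str, totp: str, now=None) -> str:
    """Step-up: re-check password + MFA and mint a cookie with a fresh last_auth."""
    now = int(now if now is not None else time.time())
    user, issued, _ = _parse(cookie)
    _check_credentials(user, password, totp)
    payload = f"{user}|{issued}|{now}"
    return f"{payload}|{_sign(payload)}"


def stolen_cookie_scenario() -> dict:
    """Employee logs in; an hour later the cookie is exfiltrated; the thief tries a rename."""
    t0 = 1_700_000_000                      # constructed login time
    cookie = login("editor", "correct horse battery", "492817", now=t0)
    stolen = cookie                         # what the malicious "sponsorship PDF" walks off with
    t_attack = t0 + 3600
    result = {"naive": naive_authorize(stolen, "rename_channel", now=t_attack)}
    try:
        authorize(stolen, "rename_channel", now=t_attack)
        result["hardened"] = "allowed"
    except PermissionError as exc:
        result["hardened"] = str(exc)
    # The real user can still rename: they step up with credentials the thief doesn't have.
    fresh = reauthenticate(cookie, "correct horse battery", "492817", now=t_attack)
    result["after_step_up"] = authorize(fresh, "rename_channel", now=t_attack + 10)
    return result


if __name__ == "__main__":
    for name, outcome in stolen_cookie_scenario().items():
        print(f"{name:>14}: {outcome}")
```

Note the limits of this control: the stolen cookie is still perfectly valid for everything outside `SENSITIVE_ACTIONS` until it expires, and an attacker who also captured the password and a live MFA code would pass the step-up. Shorter session lifetimes and revoking every session when credentials change narrow that window further.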
And this is where you should pay attention: any individual or organization can fall victim to this kind of breach. Safeguards are useful, but if you walk into a trap, you’re screwed.
Nobody wants to admit that they are the weakest link. And we often talk about security in an oversimplified way: install this password manager, set up this VPN, and you’re done! Yes, those steps help, but we also need more awareness and education. A recent Truecaller report claims that 68 million Americans (about a fifth of the US population) fell victim to phishing and phone scams in 2022, losing roughly $40 billion between them.
Google can fix some of YouTube’s security issues, but it can’t teach you to question every email, attachment, or social media post that comes your way. Unfortunately, there is no simple way to teach people cybersecurity, especially since hacking and phishing methods are constantly morphing and evolving. The best way to learn seems to be studying other people’s mistakes, and I suggest you do exactly that.