Stolen accounts are a popular commodity in the web’s shadiest forums. For pennies on the dollar, cybercriminals can easily purchase accounts to use as they see fit — and that trend doesn’t appear to be slowing down any time soon.
How is this happening? As it turns out, it’s all thanks to the massive spike in phishing attacks that trick internet users into handing over their login credentials. And during the COVID-19 pandemic, the problem has only gotten worse. Tap or click here to see some of the ways hackers are tricking people.
But now, hackers are turning their attention to a different and more valuable type of account: YouTube. Across the Dark Web, posters on hacker forums are selling ready-to-use accounts that come pre-loaded with followers to monetize — and if you’re not careful, your account could become one of them. Here’s what you can do to keep your account locked down.
Researchers discover a shocking twist on accounts for sale
According to security researchers at Intsights, YouTube accounts are becoming a primary target for hackers and cybercriminals looking to monetize their dirty work. Most YouTube users are not in the crosshairs, but if you happen to have several hundred or several thousand subscribers, your username and password could be in danger.
Intsights researchers found a rapidly growing demand for compromised YouTube accounts on several of the biggest Dark Web forums. Most of these accounts appear to have been pilfered through phishing attacks, and compared to accounts on other platforms, the prices for YouTube accounts can fetch up to thousands of dollars.
Prices will typically vary depending on a few factors: How many subscribers the account has and whether or not the account is monetized. This means that the YouTuber in question is able to receive revenue from the ads that play during videos.
Of the 31 million content creators on YouTube, only about 16,000 have a million followers or more. The more followers an account has, the more money the YouTuber can make from their content.
As a result, cybercriminals purchasing these accounts are skipping the most critical steps to building a successful career on YouTube. Rather than earn their subscribers over time, they’re gaining a head start that allows them to immediately make money off their followers — whether the followers know it or not.
Once an account is claimed by a buyer, they’re typically put to work in one of two ways:
- The hacker uses the account to spread further phishing links that trick other YouTubers (like the built-in subscribers) into handing over their own accounts.
- Contacting the true account owner via email to demand a ransom.
Unless this issue gets under control, hackers stand a chance to become quite a bit wealthier at the expensive ordinary YouTube users.
Am I at risk? What can I do to protect myself?
The fact that YouTube accounts are up for sale on the Dark Web is dangerous for all the reasons listed above, but there is a primary issue that may go unnoticed by some (but not the hackers, of course): YouTube accounts are Google Accounts.
Google Accounts, as you may know, are the gateway to your personalized Google experience. This means if a hacker gets access to your YouTube account, they’ll also know your search history, what you’ve been watching, and all the emails you’ve sent and received in Gmail. Tap or click here to see how you can delete what Google knows about you.
This means that protecting your account is imperative to protecting your privacy. Right now, phishing is still the primary vector of attack, so the typical methods of avoiding unknown emails and attachments are still solid ways to stay safe. But even without opening a phishing message, malware or hostile websites can still compromise your account.
What can you do, then? Well, that’s where two-factor authentication comes in. Setting this service up will require anyone logging in to type in a code that’s sent to your smartphone. Without your smartphone physically in front of them, a hacker can only go so far.
To set up 2FA, Google has a specific page here that you can visit to activate the service. To begin, open the link, sign in with your Google account and tap Get Started. You might be asked to sign in again after this step. Then, add your country from the dropdown menu and enter your phone number in the field that appears.
From here, you’ll be able to choose whether you want a verification text or phone call. Tap or click Next, and you’ll have your authentication sent to your phone. Enter the code you receive and tap Next. Once Google has verified your code, tap Turn On to enable the service on your account.
Once 2FA is enabled, all of your Google services will be protected by it. That includes your YouTube account, Gmail, search history and Google Assistant. It’s a great way to stay one step ahead of hackers.
But once again, if you’re not a YouTuber with millions of subscribers, you probably won’t need to worry about getting compromised. But if you are “YouTube famous” and a hacker cares enough to keep trying, 2FA might not even go far enough.
That’s right, hackers have devised a type of malware called Modlishka that can redirect 2FA messages to a different destination. It takes a lot of work to set up, but if the financial incentive is great enough, hackers will keep on trying. And that’s not even counting SIM Swapping, another tactic favored by smartphone hijackers to steal 2FA texts.