Stream-jacking on YouTube Live has been increasing. (Image generated by AI)

YouTube live TV stream-jacking attacks are on the rise

  • YouTube live TV stream-jacking is becoming a big problem. 
  • Cybercriminals redirect traffic or end up taking over a channel.
  • YouTube has been dealing with the issue but at a heavy price. 

YouTube remains the most popular online video platform on the internet. With over 2.6 billion users, the platform has been operating for almost two decades and has seen significant changes.

The simplicity of managing content on YouTube makes it a popular tool for most users. Owned by Google, the site has seen all types of content produced and broadcast live. Content creators who create content with high viewership can get good returns from their work.

On average, YouTube Creators earn about 55% of the revenue from their channels. For every US$100 an advertiser pays, Google pays US$55 to the creator. As such, the average YouTuber makes about US$0.18 per view or US$18 per 1,000 views. The ten highest-earning YouTubers in 2021 collectively made about US$300 million, up 40% from 2020.

Given the high payments, creators are creating more. But as always, success and high payouts like these also attract unwanted attention. While YouTube addresses privacy issues and has security features, it’s a different game when it comes to dealing with scammers. As on social media, scammers are also a menace on YouTube, often targeting victims with fake products.

An example of stream-jacking.

Stream-jacking on YouTube

According to a recent report by Bitdefender, there has been a rapid increase in YouTube stream-jacking attacks. The attacks either redirect followers of a popular channel to one run by cybercriminals that closely mimics the real channel, or involve a cybercriminal who has taken complete control of the real channel.

Stream-jacking is the process of hacking a YouTube account or channel. Scammers often target popular channels on YouTube and coerce them into sending cryptocurrency. For example, a message may ask for a small amount of Bitcoin in exchange for a 2X return on the investment.

Findings from the report showed that the maximum number of subscribers of a hijacked account observed is nearly 10 million. The top 10 accounts have almost 37 million subscribers. A hijacked account’s maximum number of views is more than 3.6 billion. The top 10 accounts have nearly 10.4 billion views.

Interestingly, most hijacked channels use a variation of the Tesla logo or official logos belonging to a well-known company. In fact, all top 10 hijacked accounts involve the Tesla brand. The median number of subscribers on a channel is 2,260, while the median view count on a channel is 211,820. The number of distinct channels found was 1,190, and the number of distinct broadcasted live streams was 1,370. There are also examples of hijacked channels that appear to belong to governmental entities.

“Observing such a large-scale operation made us wonder about the channels behind these scams, and upon closer inspection, we noticed that most of the YouTube channels were hijacked or stolen. The bulk of these “malicious” channels have no other content than the livestream scams themselves – it is assumed that all the original videos were either set to private or deleted because they are not discoverable by any means. The channel description also seems to have been edited to resemble the official Tesla channel, and other relevant content, such as playlists, is also presumably deleted.

“The process is very likely automated, as conducting an operation on such a large scale would be time-consuming and could potentially give the actual owner of the channel enough time to spot suspicious behavior,” explained the researchers.

Types of stream-jacking

There are several types of stream-jacking that occur on YouTube. The first is channel impersonation attacks. According to the researchers at Bitdefender, cybercriminals set up YouTube livestream pop-ups in followers’ feeds that generally promote the same content as the real channel. The pop-up livestreams are usually looped re-broadcasts containing an embedded scam via a backlink or QR code to a phishing or fraudulent website. Due to the number of livestream pop-ups observed, the operation is most likely automated.

The second method is account takeover attacks. An account takeover begins with a fake email sent to the owner of a famous YouTube channel, usually offering a collaboration opportunity or giving notice of copyright infringement. The channel owner is encouraged to download a malware file from the email. Once the file is opened, the malware steals data from the computer, allowing the attacker to access YouTube accounts, even bypassing extra security measures such as two-factor authentication (2FA). Once the attacker has access, the actual owner is usually locked out.

Elon Musk and his brands are targeted the most by stream-jacking. (Image by Bitdefender)

Elon Musk and brands related to him remain the most famous content in stream-jacking. Examples include “A New Era for Tesla’s Model 3 – Live Reveal with Elon Musk!” or “SpaceX Launch Hughes JUPITER 3 Mission! Elon Musk gives update on Starship.” The comment sections of detected malicious live streams are often disabled. Accounts that enable comments only do so for subscribers of 10 or 15 years, preventing users aware of the scam from commenting and alerting others. A standard detail of these livestreams is that attackers embed a QR code in portions of the video, leading to a phishing or fraudulent website.

Deepfakes are also enabling more stream-jacking. Again, Elon Musk seems to be the preferred target of cybercriminals for deepfakes, which are also of high quality and might seem genuine to the average viewer. During the analysis, Bitdefender also concluded that some live streams are view-boosted at the beginning of the broadcast, making them look more trustworthy. However, as soon as the view-boosting stops, numerous fraudulent livestreams drop to only one or two viewers.

Bitdefender also pointed out that if YouTube detects malicious activity, the channels are deleted altogether. While this is a secure practice, it also means that the legitimate owner of the channel will lose videos, playlists, views, subscribers, monetization, and everything beyond the YouTube channel itself unless YouTube itself becomes involved – sometimes, no easy task.

Be vigilant on YouTube

While most users usually watch YouTube after working hours, those who use the platform for work or during working hours could also end up putting their company at risk. As such, Bitdefender has suggested the following tips that YouTube users should take note of:

  • Scrutinize videos with click-bait titles that encourage investment in crypto or promise hefty returns in Bitcoin investments.
  • If it sounds too good to be true, it probably is. Stop and think before clicking on links seen in the description of videos.
  • Never scan QR codes seen in videos promoting free crypto giveaways.
  • Closely inspect the channel for suspicious activity, such as missing or hidden videos.
  • Pay close attention to the comment section in videos or livestreams; it could be a sign of compromise if closed.
  • Use a security solution with anti-phishing technology that detects and blocks phishing attempts before they can damage your finances and identity.
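The indicators described in the report (brand names in the title, crypto lures, closed comments, channels with no other videos, and a viewer count that collapses once view-boosting stops) can be combined into a simple triage score. The following is an added example, not code from Bitdefender or YouTube; the record field names, weights and the allow-list of official channel IDs are assumptions, and the sample records are constructed.

```python
import re

# Field names and weights below are assumptions made for this example;
# they are not a YouTube API schema or Bitdefender's scoring.
BRAND = re.compile(r"\b(tesla|spacex|elon\s+musk)\b", re.I)
LURE = re.compile(r"\b(bitcoin|btc|crypto|giveaway)\b", re.I)
OFFICIAL_CHANNEL_IDS = {"UC_official_placeholder"}  # allow-list you maintain


def viewers_collapsed(samples, floor=2, ratio=50):
    """True if concurrent viewers peaked early, then fell to <= floor."""
    if len(samples) < 3:
        return False
    peak = max(samples[: len(samples) // 2 + 1])
    return samples[-1] <= floor and peak >= ratio * max(samples[-1], 1)


def score_stream(s):
    """Return (score, reasons) for one constructed livestream record."""
    text = f'{s["title"]} {s["description"]}'
    checks = [
        (3, "brand named by non-official channel",
         bool(BRAND.search(text)) and s["channel_id"] not in OFFICIAL_CHANNEL_IDS),
        (2, "crypto lure in title or description", bool(LURE.search(text))),
        (2, "comments disabled or restricted", s["comments"] != "open"),
        (2, "no other public videos on channel", s["public_videos"] == 0),
        (1, "viewer count collapsed after early peak",
         viewers_collapsed(s["viewer_samples"])),
    ]
    hits = [(w, why) for w, why, hit in checks if hit]
    return sum(w for w, _ in hits), [why for _, why in hits]


# Constructed sample records (the first title is one quoted in the article).
SUSPECT = {
    "channel_id": "UC_constructed_1",
    "title": "A New Era for Tesla's Model 3 – Live Reveal with Elon Musk!",
    "description": "Scan the QR code to join the Bitcoin giveaway",
    "comments": "disabled", "public_videos": 0,
    "viewer_samples": [4200, 3900, 2100, 2, 1],
}
BENIGN = {
    "channel_id": "UC_constructed_2",
    "title": "Weekly woodworking Q&A", "description": "Ask me anything",
    "comments": "open", "public_videos": 312,
    "viewer_samples": [80, 95, 110, 104, 98],
}
```

Calling `score_stream(SUSPECT)` returns the total score together with the list of indicators that fired, so a reviewer can see why a stream was flagged.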

Meanwhile, YouTube channel owners should practice good cybersecurity hygiene for their accounts. This includes having strong passwords and enabling additional layers of security. They should also install a security solution to protect against phishing and malicious attacks.

More importantly, channel owners should immediately contact the platform’s support team to report suspicious activity or if they have been logged out of their account. Businesses should periodically review the list of individuals with access to the YouTube channel, ensure that only necessary users have access, and limit permissions based on roles and responsibilities.

Some YouTube channels have third-party apps connected to their accounts. These should be reviewed, and any suspicious apps should be removed. As always, users can consider using digital identity protection services, which monitor the web for any data breaches involving their information.