YouTubers are getting Hacked!!

Video Notes:

Become a hacker like John with ITProTV: (30% off FOREVER) *affiliate link

🔥🔥Watch John Hammond’s breakdown:

Hackers are trying to take over YouTube channels. BUT they made a mistake in going after the best hacking youtuber, John Hammond. In this video, John Hammond breaks down the hacking attempt on his channel and how the hackers will try to steal your credentials and take over your YouTube channel.

YouTubers are getting hacked. Hackers are taking over their channels, getting full control to add and delete videos, start live streams, and ultimately delete their channel. It honestly has me worried about my channel because this hack is pretty clever, but the hackers made a mistake. They went after one of the best hackers on YouTube, John Hammond, who while almost falling for the hack himself. 

You know, when you swipe down to see your notifications, it, it looks like real Google 

Caught it and reverse engineered take that hackers. So in this video, we’re gonna break down exactly how hackers are taking control of YouTube channels and what you and your favorite YouTubers can do to keep your channels safe. I don’t have a coffee cup. I’ll be right back. This video is a PSA, a warning to all creators. So please share with all your favorite YouTubers, get your coffee ready, and let’s break this down. Oh, by the way, if you wanna become a hacker like John, check out the sponsor of this video, it pro TV, they have all these cybersecurity and it training. You need to get started on the path to becoming a hacker. So definitely check them out there. What I use, I got a link below and if you use code network, Chuck, you get 30% off forever. Now back to John, almost getting hacked because yeah, even experts in cyber security can fall for hacks. And he almost did. 

Uh, my name’s John Hammond. I’m a, uh, security researcher by day. Uh, and at night when I can squeeze in a little bit of free time, uh, I also create content on YouTube. Awesome. 

And the reason we’re talking today is because someone foolishly tried to hack a hacking YouTubers, YouTube. So walk me through the first moments here. 

Okay. So if it’s all right, I’ll give you a little bit of a backstory. Uh, I gotta be honest. This happened yesterday. Uh, it was Sunday and I was outgoing for brunch with my friends and my phone vibrated, and I got a notification and I dropped down, Hey, you know, scroll to check your notifications. And it was a Google drive. It was a official Google notification that said, uh, YouTube has shared a PDF file with you. I was like, that’s weird. <laugh> uh, and it was a Google account allegedly. And I thought, okay, that would normally kick off and send a natural, uh, Google drive email. It gives you a notification and says, a user has shared a folder or file or anything with you. So I thought, I’ll go check my email before I go and open what this Google drive file might be. 

So when I went to go take a look at my email, I had this in my inbox and item shared with me YouTube copyright report, uh, and it’s from, right? It is a legitimate, Hey, Google drive service, letting me know that the Google account had shared an item with me, a YouTube copyright report. You might be able to notice right off bat. Uh, okay. Email address certainly raises an eyebrow that really loses its credibility right away. But the YouTube copyright report itself was a little, at least intimidating to look at. Uh, this looks pretty official, the YouTube copyright infringement warning. Now, Chuck, I’m sure I don’t have to tell you, uh, as a content creator, a copyright strike is a little terrifying. So 

Yeah, terrifying. 

It adds a little bit more concern. And I think for an innocent unknowing victim, this could certainly be a, uh, a concern and Hey, you wanna read the full report and the document at the link below, if you don’t read the report, you can’t appeal, whatever decision comes from this. So when I opened this thing up, I thought, all right, well, I don’t really want to click this open, full report button for real, but I would like to try and write, click it and copy the link address and get an understanding of where is this thing going and what is it doing 

Now real quick before we jump there? What, what do you think is different, uh, about this fishing attempt versus like normal run of the mill fishing attempts? 

This one caught me off guard because, you know, when you swipe down to see your notifications, it, it looks like real Google. It looks like a Google drive file. Uh, and you just, Hey, at least in the big bold letters, YouTube or Google has shared an item with you, an official file, YouTube copyright report. Uh, that’s not just an email that you get, oh, Hey, here’s a QC. Please click my link. It had a little bit more pizazz to it and certainly was a bit more believable going through legitimate official channels. 

And I, I have to admit, I I’m worried that I might just absentmindedly fall for it because 

I think had I not gone to go double check the email itself had I just simply looked at the file with the Google drive popup. I could very well have taken this more seriously and, and, and fellen for it. Uh, I think doing that extra due diligence, let me go see the legitimate email, uh, that is where I had saw the address, cuz otherwise there were no signs that this was fake. 

All right. So you got the email and you, you, you, you knew by this time that just by the, the weird email that said where it was shared from that it was probably something fishy. Um, and then now you have this link to download the copyright report. 

So had I copied this link? I would’ve seen this URL, uh, HTTPS next get report site, uh, with some random letters and strings here and included a, a get parameter HTTP, uh, get parameter that would have my legitimate email address here. What, where at, and how I received this original email. So, okay. I’m assuming this parameter is included for tracking’s sake. Okay. They want to know that I am a legitimate victim. I am one that could fall for this and now could be added to whatever list that if they do more attacks like these, but I thought let’s go ahead and play with this link on its own. I tried to go access this in a little bit more of a safer sandbox. Uh, you might have seen me work through tails, tails, Linux, one of those amnesia, Hey, only ephemeral operating systems with Linux mm-hmm <affirmative>, uh, and hunk works just as well. And funny enough, using and setting up this virtual machine was exactly the video that I allegedly had a copyright strike on. 

I was about to point that out. That’s pretty funny. 

And then I thought, Hey, let’s slap it in and see if we can go to this website. It redirected me. I don’t know if we were able to catch it just there. Yeah. But the next dot get report that I was at suddenly went to download with a different string and what would’ve been that HGT parameter. Now the gimmick is that this didn’t do anything else. Like if I view the source code, Hey, control you on my keyboard. That’s a blank line. It there’s nothing on the website. And I thought that’s weird. Uh, I don’t know if there are some strange settings or some shenanigans were toward just wasn’t letting anything more happen. Uh, I could check out, Hey, what, what happened from the network perspective? We’ll move into the developer tools. So if I were to take a look at what these requests were doing from the network perspective, when I make the first request to next, that does some shenanigans, you can see my original request response that came through, but ultimately the headers said, cool, you’re good, but it ends up redirecting me over to that. Download get report site with what would’ve been my own email included. Ultimately this doesn’t go any further, but in a different browser, it has different functionality. 

Now, why do you think that is that it’s not working through like your secure icks tour situation? 

Oh, malware strains can do a peculiar thing when they’re waiting to receive a callback or connection, like over HTTP, especially through the browser. Right. Uh, it might be wanting to ensure I’m fooling or deceiving the legitimate victim who who’s probably using a modern web browser, like Chrome or like Firefox or, Hey, you’re scrolling through your Android phone or your iPad, uh, something like tour or a command line utility like curl. Okay. We’ll ignore those requests and not proceed forward with them. It it’s checking your user agent. 

Mm. Very clever. So they’re, they’re trying to hide themselves from people like you <laugh> 

Yep. Can’t have the security researchers come in and ruin all the fun. So I jumped into a different virtual machine at this point, cuz okay. If to wasn’t cutting it for me, I guess I will go through a VPN and I’ll go ahead and try and download or see what came through on that website using the command line to occur. Nothing came through, uh, if I add some verbose, debug information, still really nothing. Uh, but if I were to add a user agent, so if I were to run, curl again, following redirects with attack L going ahead and adding a new user agent, that might be a legitimate Chrome, uh, I would be able to go ahead and actually see the response from this is gonna send me right to that download link. So if we wanted to get real fancy, let’s just trust it. Let’s just see it happen. And that actually ends up speeding me over to now discord when I actually went ahead and, uh, kind of shared some of the information on this, it gave me a, a, a Dropbox link, which you might be able to see in the Twitter thread. So things have changed already. Wow. Even in just the time that we’ve, uh, wanted to record this. And that gave me a new file, copyright, which differs from what I had previously. Um, let’s see if it’s the same file. 

Yeah. Yeah. Let’s do some live and that’s really clever. They put it on discord as a hosted file there. 

So just for our own sanity check, what I had to begin with is this YouTube copyright, which would extract to this copyright report. Uh, and that would give me a hefty file. That was a screenshot file, but still a windows binary executable. Let’s go ahead and go take a look at that new discord. One looks like that was copyright report. There it is. I want to just double check that this is what it says it is, and it is a zip archive. Cool. So let’s play with it. Copyright report, copyright report, doc X screenshot yet again, uh, it may very well have just clobbered. What I had previously. I don’t know. Ooh, one of those has a space in it. The other one doesn’t some detective work here. 

<laugh> this is fun. 

So both of these are just flat windows executables. Let’s check if they are in fact the exact same file just by taking a look at the, the shot 2 56 hash, these are massive files you might have noticed, Hey, that was like a 400 megabytes. And this one looks to be different. So maybe we’ll have to do some due diligence and, and, and poke at this thing. 

Interesting. Interesting. Now, here it is. John actually sent me the malware. Now I’m not gonna open it. I’m too scared, but John does open it. John cracks these puppies open and sees how they work. So if you wanna see that, go watch this video right here. Now, before they get to your video, what was the end result? What are they trying to do? Are they trying to capture and get your YouTube credentials? What, what was the end game? 

So if we had detonated that malware sample, if we let it run in a real environment, uh, what it ends up kicking off is known as a, a malware family called the red line information, Steeler, uh, there’s some cool research and other information out about it online. Uh, but really it tries to harvest credentials. It looks for saved browser sessions, log ons, using them and password bundles that all up and then kicks it off to home base or their HQ. 

It’s pretty crazy. So just go do it, my video’s over. And while you’re there and make sure you subscribe to John cuz he’s awesome. And I’m super thankful that we have people like him who can discover these hacks and help the public to become aware of it and how, how to protect ourselves. And again, if you wanna become someone like him, if you wanna learn the skills you need to get started in it and cyber security, check out the sponsor of our video, it pro TV, seriously. They are what I use to keep up to date on all the latest it trends. And if you’re new or you’re established and you’re just trying to keep up like me, you wanna check them out? They’ve got everything you need from knowing nothing to the coming. Awesome. Like John. So link below use code network. Chuck hit 30% off forever video over done. Don’t click any links. They’re all bad. I’ll get you guys next time.

Check Out Network Chuck's Coffee and MERCH Shop