The news recently broke: youtubers with the largest number of followers are being targeted for extortion. The attacks are on the rise and the techniques are not new, but for some time now, these attacks have been detected and continue to increase. In fact, since a little more than a year ago, when this story occurred.
The beginning of the attack
This youtuber has more than 700,000 subscribers and is well known in the sector. His daily business is dealing with suppliers, manufacturers, advertisers… who send him emails with attached documents. He knows perfectly well not to click on links to unknown domains or downloads, he uses antivirus to check office documents and PDFs, and he does not trust those who come in through the cold door. He uses two-factor authentication on all his accounts and… a friend to call in case of emergency.
One day he received an email from a supplier with whom he had been exchanging emails for several days. He didn’t know him, but the relationship had been established. He was actually the attacker, and he had bothered to talk to our youtuber, propose the business and wait for the right moment (several days) to send him a supposed video. The file weighed 65 megabytes, so he sent the youtuber a link to Dropbox, which he downloaded to his computer.
Still, he didn’t trust it. He looked at the extension, he knows he shouldn’t launch executables. The extension was SCR. The attacker didn’t bother to use a double extension, but he might as well have. Still, our youtuber did configure Windows to display the most popular extensions. The file icon represented a video.
What is SCR? he asked himself. He googled and found that it was something to do with screensavers. It might make sense, being a video, he thought. Then he right clicked on it with the intention of scanning it with his antivirus. Nothing, he didn’t detect it. He saw something curious. “Test” in bold, could he test the file before launching it? It made sense to him, he concluded that it would be a good security measure to “test” this SCR before running it. Besides, he doesn’t work with the administrator account and it had already been scanned by the antivirus, which made him feel safer. So, he ran it as a “test”. What he didn’t know is that he was running it.
SCRs are executable extensions in every sense. Screensavers (and this is a little-known thing) have the possibility to run as “test” and can be tested on any Windows. But there is really little to test… launching an SCR in “test” is the same as executing, and therefore the whole malware payload is launched in exactly the same way. The video icon is trivial to insert into the file and the 65-megabyte weight is artificial, pure filler, to enhance the impression that it is a video. The youtuber was already infected.
The suspicion and the call
The alleged video did nothing, it would not run. And this alerted our youtuber. Something was going on, as the system CPU was reaching 100% at times. He looked at the screen, trying to kill some process, but he wasn’t sure what the malware was or what it was doing. After a few minutes he decided to shut down the computer and call me personally.
He told me what had happened, the alleged video, the precautions… I told him to immediately change all the passwords, while we were talking, to do it from a different mobile or tablet and to protect his channel. But I have two-factor, he said. I told him that it didn’t matter, that they could have stolen his session with cookies. That the SCR could have actually sent the attacker all the tokens of the open sessions in the browser and, if he (the attacker) was attentive at the time, he could get access to his accounts. In fact, he told me that the attacker specifically asked him to tell him when he would more or less watch the video as he was in a hurry. I asked him if he stored any passwords in his browser and he said no, thank goodness.
While I was warning him about this, he tried to change some passwords. He had trouble remembering all the identities he used online, he didn’t have a step-by-step emergency procedure, and now he was regretting it.
But in the middle of the call… he got cut off. I stopped hearing him. I tried to call him but there was no way, the phone wasn’t on. It was as if he had suddenly switched everything off completely. Although it was strange, I thought his battery had run out and he couldn’t charge it at that moment. After about 15 minutes he called me back. This time he was really scared.
He told me that, while he was talking, the phone had rebooted and started reformatting while in his hands. It was an Android. He felt he was being watched, he was really panicking. Do you use the “Find my device” service? I asked him. Yes, of course, he replied. It was clear that the attacker had accessed the Gmail account associated with the phone and requested a remote format of the Android. Is that the same account you use for YouTube? No,” he said. That account is just for the phone! Well done. It was just one of the accounts he hadn’t changed the password and logged out of. The only one the attacker had been able to access and was now desperately trying to inflict maximum damage.
I asked for reassurance. He had a bootable USB stick with a Linux distribution, so I guided him through running an antivirus, deleting the malicious file (which was gone) and potential aftermath, recovering some documents, and so on. He had no faith, so finally after recovering his data, he decided to format his Windows.
We went through, once again, all his accounts and, on a completely new system, he finished changing and tidying up his passwords. I didn’t recommend formatting the Android because the attacker had already done it.
Our YouTuber did a lot of things right:
- He had two-factor authentication.
- He trusted no one. He questioned files and submissions.
- He did not store passwords in the browser, and segmented accounts (one for the phone, one for the channel…).
- He had other systems from which to operate in case of emergency. Such as a USB key or tablets.
- He shut down the computer as soon as he suspected an attack.
What he did wrong:
- He did not probe further into the nature of an SCR, which is an executable. Still, the context menu “test” did not help to make a decision.
- He did not have a list of accounts to change passwords in case of emergency.
And yet, he was lucky. The quick password change was effective. It kept him from getting into his channel or his email. The one account he forgot, the one associated with his Android phone, suffered the attacker’s wrath. It seems that he was very specifically looking to get into the channel and so getting to the phone did not provide him with a bounty to match.
The clearest conclusions could be:
- Awareness-raising is not enough. Or, in other words, complete awareness is not enough, depending on how you look at it.
- At any time, all our digital identities or files can be compromised. Apart from backup, there is a need for a clear protocol to run from another system. It can be as simple as a list in a TXT and a series of URLs to change passwords to, but it is desirable that it exists, along with a clean boot system for a computer, if necessary..