Desperate Gmail and YouTube users are turning to official and unofficial Google support forums after hackers took over their accounts, bypassed two-factor authentication and then locked them out. Again and again, the attackers appear to be part of a cryptocurrency scam that supposedly gives away Ripple’s XRP to those who respond.
Updates from April 13 below. This article was originally published on April 12.
Google users turn to support forums as 2FA hackers target Gmail and YouTube accounts
If you browse the various support forums for Google products like Gmail and YouTube, including Google’s official forums and those on Reddit, you’ll consistently see desperate people asking for help with account recovery. These usually involve someone forgetting their password, having their phone stolen, changing phone numbers, and so on. However, when a pattern emerges in which people’s accounts have been hacked even though they had 2FA enabled, and they often couldn’t recover their accounts, something out of the ordinary is going on.
“She modified two-factor authentication… Account recovery doesn’t work and puts me in a loop.”
“The hackers changed the password and phone number and also Two-factor authentication settings have been edited.”
“My account, the 2FA was authenticated, cannot log in, the password field says the password was modified 25 hours ago. The recovery is not possible since the genius hacker modified the recovery email to the same and also deleted my number.”
Aside from the number of accounts that have been compromised despite 2FA protection, there appears to be another common denominator in the form of the Ripple Labs cryptocurrency, or rather scams using XRP.
Ripple Labs Issues XRP Cryptocurrency Scam Warning
Ripple reached out on X to raise awareness of the increasing spate of attacks on Gmail and YouTube accounts, which are then used to lure readers and viewers with a variety of scams. The most common of these is a so-called crypto doubling scam, which promises to return double the amount of XRP that somebody sends to a supposedly genuine Ripple management account. For example, some of the compromised YouTube accounts used a deepfake video of Ripple Labs CEO Brad Garlinghouse for authenticity.
In an X post published on April 11, Ripple Labs warns that it will not ask anyone to send XRP and points concerned readers to advice on how to avoid cryptocurrency scams.
How hackers bypass 2FA security
The answer to the question “How do threat actors hack 2FA security?” is that they don’t. They bypass it entirely. It is very likely that the users whose Google accounts have been taken over, and whose passwords and 2FA settings have been changed to stop them from getting back in, have fallen victim to a so-called session cookie hijacking attack. This attack usually starts with a phishing email that leads to malware able to intercept the session cookies designed to help users log in faster, go straight back to where they left off, and so on. The problem is that if a malicious actor can get hold of these cookies after a user has successfully logged in, they can essentially replay them, bypassing the need for a 2FA code. As far as the website is concerned, authentication has already succeeded: the user is already logged in. Forbes contributor Zak Doffman provided an overview of this attack methodology and some of the methods used to combat it.
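The contrast between a plain session cookie and a device-bound one can be shown in a few lines. The following is an added illustration, not code from Google or from this article; it stands in for the device’s hardware-held private key with an HMAC secret that never leaves the `Device` object, and the session store, user name and challenge format are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 3600  # seconds a session cookie stays valid

class Device:
    # Client side. The secret stands in for the private key a real device-bound
    # session would keep in a TPM or secure enclave (assumption of this example).
    def __init__(self):
        self.secret = secrets.token_bytes(32)
    def prove(self, nonce):
        return hmac.new(self.secret, nonce.encode(), hashlib.sha256).hexdigest()

class SessionStore:
    # Server side. At login, records which device key each session is bound to.
    def __init__(self):
        self.sessions, self.alerts = {}, []
    def login(self, user, device):
        # Called only after password and 2FA have already succeeded.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "key": device.secret,
                              "expires": time.time() + SESSION_TTL, "revoked": False}
        return sid
    def cookie_only(self, sid):
        # Classic check: whoever presents a live cookie is treated as logged in.
        s = self.sessions.get(sid)
        return bool(s) and not s["revoked"] and time.time() < s["expires"]
    def device_bound(self, sid, nonce, proof):
        # Bound check: the cookie must arrive with proof of the device key.
        if not self.cookie_only(sid):
            return False
        s = self.sessions[sid]
        expected = hmac.new(s["key"], nonce.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, proof):
            return True
        # Cookie without its key: treat as a replayed stolen cookie, revoke, alert.
        s["revoked"] = True
        self.alerts.append("possible cookie replay for " + s["user"])
        return False

def demo():
    # Returns (legit ok, cookie-only replay ok, bound replay ok, alerts raised).
    store, victim, attacker = SessionStore(), Device(), Device()
    sid = store.login("alice", victim)       # victim logs in with password + 2FA
    nonce = secrets.token_hex(16)            # fresh server challenge per request
    legit = store.device_bound(sid, nonce, victim.prove(nonce))
    replay_plain = store.cookie_only(sid)    # stolen cookie alone: accepted
    replay_bound = store.device_bound(sid, nonce, attacker.prove(nonce))
    return legit, replay_plain, replay_bound, list(store.alerts)
```

The cookie-only check accepts the stolen session with no 2FA prompt at all, while the bound check rejects it, revokes the session and leaves an alert that can drive a forced re-authentication.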
According to Google, users have seven days to recover hacked 2FA accounts
I contacted Google about the session cookie hijacking issue, and the company acknowledged that it is a long-standing online account security problem. “There are techniques we use and continually update to detect and block suspicious access that indicates potentially stolen cookies,” a Google spokesperson told me, “and we’re also innovating with things like Device-bound session credentials.”
According to Google, all is not lost for users whose accounts have already been hacked and whose second factor and recovery factors have been changed. “Our automated account recovery process allows a user to use their original recovery factors for up to seven days after the change,” the spokesperson says, “provided they set them up before the incident.”
When it comes to overall account security, Google recommends making sure the account is set up for recovery, to avoid friction if access is ever needed again for any reason. “For additional protection, we continue to encourage users to use security tools such as passkeys and Google Security Check,” the spokesperson concludes.
Update April 13: It’s not only fraudulent hackers looking to cash in on one cryptocurrency or another that YouTube users need to be wary of, especially if they are gamers. To be more specific: YouTube users who pirate games are the most at risk. Proofpoint threat researchers have analyzed numerous YouTube channels that distribute information-stealing malware targeting the gaming community.
Researchers at Proofpoint Emerging Threats say a range of information-stealing malware is being distributed through YouTube channels claiming to offer pirated video games or related software cracks. Using video descriptions as bait and promising viewers tips on how to download video games for free, the links ultimately lead users to websites that instead deliver a malware payload.
If that sounds bad enough, be prepared for it to get worse. “Many of the accounts hosting malicious videos appear to be compromised or otherwise acquired from legitimate users,” said the researchers, and that is not even the worst part. The posts also appear to be aimed at a young demographic, with links ostensibly about games popular with children. Something, according to the researchers, that makes this particular distribution method remarkable.
A number of different information stealers have been found to be distributed this way, including Lumma Stealer, StealC, and Vidar. Additionally, according to the researchers, there have been “several different clusters of activity that information stealers spread via YouTube.” This means it is not possible to attribute the campaigns to a particular threat actor or group of cybercriminals. The common denominator, however, is the technical methods used, which were considered similar. Aside from the gaming lures, the attackers all used similar instructions for disabling antivirus, as well as a technique of inflating file sizes to bypass security measures. What Proofpoint researchers can say for certain is that the attackers are consistently targeting YouTube consumers, not corporate users.
More specifically, Proofpoint mentions a compromised YouTube account with 113,000 subscribers and a gray verification checkmark. Almost all of the videos posted by this account were more than a year old, and all of them used the Thai language in the videos and their descriptions. However, 12 new English-language videos were also posted within 24 hours. These contained English descriptions that linked to malicious websites and were related to video game cracks. The researchers recommend that YouTube users pay attention to “significant time gaps between published videos, content that differs greatly from previously published videos, differences in language,” as well as malicious links in the descriptions. Unfortunately, for many people the latter is easier said than done.
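The indicators the researchers list can be turned into a simple check over a channel’s upload history. This is an added example, not Proofpoint’s or YouTube’s code; the channel data below is constructed to mirror the case described (months of Thai-language videos, then a same-day burst of English videos carrying links), and the dates, languages and URLs are made up.

```python
import re
from datetime import datetime

URL_RE = re.compile(r"https?://[^\s)]+")

# Constructed sample channel history: six older videos in one language, then a
# burst of twelve new ones in another language whose descriptions carry links.
SAMPLE = (
    [{"published": "2023-0%d-15" % m, "lang": "th",
      "desc": "game review episode %d (Thai in the real case)" % m}
     for m in range(1, 7)]
    + [{"published": "2024-04-10", "lang": "en",
        "desc": "free crack download here: http://example.invalid/dl/%d" % i}
       for i in range(1, 13)]
)

def _day(video):
    return datetime.strptime(video["published"], "%Y-%m-%d")

def flag_channel(videos, gap_days=180, burst_days=1, burst_min=5):
    # Returns a list of warning strings, one per indicator hit: a long publishing
    # gap, a burst of uploads after it, a language switch, and descriptions that
    # newly carry links. An empty list means nothing looked unusual.
    vids = sorted(videos, key=_day)
    split, widest = None, 0
    for i in range(1, len(vids)):            # widest gap between consecutive uploads
        gap = (_day(vids[i]) - _day(vids[i - 1])).days
        if gap > widest:
            split, widest = i, gap
    if split is None or widest < gap_days:
        return []
    old, new = vids[:split], vids[split:]
    reasons = ["%d-day gap before the latest %d uploads" % (widest, len(new))]
    span = (_day(new[-1]) - _day(new[0])).days
    if len(new) >= burst_min and span <= burst_days:
        reasons.append("%d videos published within %d day(s)" % (len(new), burst_days))
    old_langs, new_langs = {v["lang"] for v in old}, {v["lang"] for v in new}
    if not new_langs & old_langs:
        reasons.append("language switched from %s to %s"
                       % (sorted(old_langs), sorted(new_langs)))
    old_links = any(URL_RE.search(v["desc"]) for v in old)
    new_links = sum(1 for v in new if URL_RE.search(v["desc"]))
    if new_links and not old_links:
        reasons.append("%d new descriptions carry links; older ones had none" % new_links)
    return reasons
```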
During the course of their investigation, researchers at Proofpoint Emerging Threats said they reported more than a couple of dozen accounts that were distributing malware to YouTube users. All reported content has been removed from YouTube.