YouTube channel got hacked: how, timeline, and recovery.

  • Added 30. 01. 2024
  • How I accidentally compromised my computer as a result of a social engineering attack, resulting in a session hijack attack on my main CZcams channel, timing of it, analysis, and recovery.
    My initial very short video about the hack:
    • My main channel got ha...
  • How-to + style

Comments • 1.3K

  • @NotJustBikes 3 months ago +394

    I'm so glad you got your account back! That was actually pretty quick, too.
    It annoys me so much that every time I travel, I have to jump through a bunch of hoops to log into my CZcams account, including verifications on my phone, and email, and sometimes I even have to use a VPN myself just to get into my own account in a reasonable amount of time. Meanwhile, creators routinely get hacked by some dude out of Russia and Google's system seems to think it's fine. 🙄
    Also, I just checked my email, and I have that exact same email about a sponsorship with Black Magic. They really are targeting everyone. Creators have to be constantly vigilant.
    Thank you SO much for sharing this experience, so that other creators can learn from this!

    • @matthiaswandel 3 months ago +50

      I guess the blackmagick thing is a good bait for creators!

    • @aarondcmedia9585 3 months ago +37

      It would literally be the easiest thing to check for:
      - large account
      - password change protocol
      - crypto video uploads
      - old video removal / hidden.
      Happens like that every time. Google, owners and developers of most advanced AI around: *crickets*

    • @BalaenicepsRex3 3 months ago +25

      Channel name, profile picture AND PASSWORD change all at once shouldn't even be allowed, let alone from a far different IP. Not even a two-step verification prompt? It's like they're not even trying to address the glaring issue.

    • @wesss9353 3 months ago +4

      Linus Tech Tips got taken for a while, don't feel bad.

    • @dieSpinnt 3 months ago +1

      @matthiaswandel My thought was: WHAT THE F is he doing, vacation, more babies, holidays (which I absolutely support ... sorry, like that was my business, just joking!)??? Because I was irritated that all the Playlists went down the drain.
      I'm glad you are back, hopefully with not that big of a chaos! Humans fall for scammers. Well ... do not use Microsoft:P (That's a scammer, too!)
      So, now do not fall victim to snake-oil. Like all of those wonderful and "honest" tips given here in the comments, hehehe:)
      While I personally would like to see a proprietary BM-camera SSD mount (OUT OF WOOD!), I am not that hyped for 8k wood pr0n.
      I grew up with the C64. So I can live with 320 × 200 Pixels:P
      I wish you a smooth data recovery journey, Matthias!:)
      Edit: Documenting the Nuke with MICROSOFT Excel shows that you have balls! (or your value as a hobby-comedian, hehehe). And please do not answer this: By the beard of my Granny, what email-client ALLOWS you to RUN executable files (you said .scr, I remember)??? Hehehehe, please forgive me for the schadenfreude, but also the amazement. Welcome Back, new Black Magic customer;)

  • @watcherofwatchers 3 months ago +1030

    I work as a cyber security engineer, and one of my pet peeves with Windows is that they have chosen to hide file extensions by default, which makes this exact type of attack much more likely to succeed. Had file extensions been visible on the file name, it's much more likely that you wouldn't have launched that file. Nothing is foolproof, of course, because we're all humans, and we all make mistakes. (This is one of the first settings I change when I start working with files on any system I've not worked on before.)

    • @Ikkarson 3 months ago +68

      So true! This is one of the very first parameters that I change on a new computer, mine or otherwise. I don’t get why this is an option to begin with, the mere convenience is absolutely not worth the risk.

    • @haroldpaulson 3 months ago +95

      And you can repeat this complaint for email clients that just show the sender name and not the email, and especially the envelope sender.

    • @Farlig69 3 months ago +30

      First thing I do when given a new windoze machine is switch that back on, I abhor not seeing the extensions....

    • @sliceofbread2611 3 months ago +14

      this is the same thing i thought when he mentioned that the file type was a screen saver..
      when i switched to a new windows, this stuff annoyed me so i changed it back.. and i do this for every computer i use, even if it is not mine, people either do not notice or thank me for it..

    • @stellamcwick8455 3 months ago +27

      I can’t stand not having extensions visible.
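
The effect this thread describes, as an added example (not part of any comment and not code from the video): with extensions hidden, Explorer drops only the last extension, so a screen saver (`.scr`, an ordinary executable) can be listed under a document-looking name. The function names, extension sets and sample listing are assumptions constructed for this illustration.

```python
from pathlib import PureWindowsPath

# Types Windows launches as programs on double-click. A .scr "screen saver" is an
# ordinary executable. (Subset chosen for this example.)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".vbs", ".js"}
# Types a creator expects inside a sponsorship package. (Assumption of this example.)
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".mp4"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS


def explorer_display_name(filename: str, hide_known: bool = True) -> str:
    """Name as listed when 'Hide extensions for known file types' is on (the default)."""
    p = PureWindowsPath(filename)
    if hide_known and p.suffix.lower() in KNOWN_EXTS:
        return p.stem  # only the last extension is dropped
    return p.name


def assess(filename: str) -> dict:
    """Compare what the user sees with what Windows will do on double-click."""
    real_ext = PureWindowsPath(filename).suffix.lower()
    shown = explorer_display_name(filename)
    if real_ext not in EXECUTABLE_EXTS:
        verdict = "ok"
    elif PureWindowsPath(shown).suffix.lower() in DOCUMENT_EXTS:
        verdict = "disguised-executable"  # still looks like a document once hidden
    else:
        verdict = "executable"
    return {"file": PureWindowsPath(filename).name, "shown_as": shown,
            "real_ext": real_ext, "verdict": verdict}


def review_listing(names):
    """Return only the entries that would run code, disguised ones first."""
    hits = [a for a in map(assess, names) if a["verdict"] != "ok"]
    return sorted(hits, key=lambda a: a["verdict"] != "disguised-executable")


# Constructed listing of an unpacked "sponsorship" archive (not taken from the video).
SAMPLE_LISTING = [
    "Sponsorship/Rates.pdf",
    "Sponsorship/Product photos.jpg",
    "Sponsorship/Agreement.pdf.scr",
    "Sponsorship/Media kit.scr",
]

if __name__ == "__main__":
    for hit in review_listing(SAMPLE_LISTING):
        print(f'{hit["verdict"]:22} shown as {hit["shown_as"]!r}, really {hit["real_ext"]}')
```
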

  • @fuzzy1dk 3 months ago +565

    1:55 first thing to do on a new windows install is to enable show file extensions

    • @matthiaswandel 3 months ago +253

      and remove all the crapware it comes with, and I have to figure out how to ignore the stupid onedrive crap, and on and on and on. not looking forward to it.

    • @dorvinion 3 months ago +1

      @matthiaswandel Chris Titus Tech has a windows crapware cleanup script that may help you with onedrive and such
      I don't use windows at home so can't say for sure just how efficacious it is

    • @fuzzy1dk 3 months ago +27

      @matthiaswandel I seem to remember the trick to avoid much of the MS login and other stuff, is to install while not connected to a network. I usually buy refurb PCs and the ones I've gotten come with a surprisingly clean windows install

    • @MeisterKleisterHeisstEr 3 months ago +1

      howtogeek usually has nice guides on how to remove bloatware like that from Windows. @matthiaswandel

    • @darinwilton9122 3 months ago +22

      @matthiaswandel all the bloatware is such a pain. I wish things could go back to the windows 3.1 day when you just installed the basic operating system without all the garbage most people don't use. but glad you caught the hack as soon as you did

  • @Johannes24393 3 months ago +172

    Matthias: Even after just being hacked, still in the best scientific manner calculates the rate of his videos being taken down in n/min ❤

  • @qkrotor 3 months ago +258

    Shining this much light on this type of scam is immensely useful. Sorry it happened, and thanks for the detailed info.

  • @JeffGeerling 3 months ago +188

    My favorite part of this video was Matthias whipping out his custom-made wooden selfie stick, haha!

    • @plusmanikantanr 3 months ago +4

      @JeffGeerling Can you help @mattiaswandel find a Linux video editing setup pls? At least figure out how to daily drive Linux and keep Windows VM for video editing or some solution to prevent this happening to him. 😀

    • @ovalwingnut 3 months ago

      1 reply after 6 hours? Jeffery! OK. We can start calling you "One Reply Jeff" and you can join the rest of us in the nose bleed section I don't know who you pssssst off but I don't want to micromanage. I myself got II, "dos". Se pronuncia "dohs", 2, TWO in a 8 hour period. SLAP IT HIGH! Well, at least you seem more 'approachable now' Cheers my temporary new friend. Oh krap!!!! My reply is #2. Foiled again!

    • @justinlabarge8178 3 months ago

      @plusmanikantanr why? Linux isn't the answer to everything.

    • @medivalone 3 months ago +1

      @plusmanikantanr Jeff edits on Mac.

  • @HansvanSchoot 2 months ago +17

    And now we are all waiting for episode two in this new series :-)

  • @ElectroBOOM 3 months ago +182

    Oh god that must have been very scary! Good thing you recovered it quick. But I can't imagine the feeling of losing my livelihood!

    • @MrKeschy 3 months ago +3

      Pretty sure you're already compromised with the LTT-Worm. Luckily it's not that harmful. It just *drops* all your network packets

    • @commentfailedtopost 3 months ago

      @MrKeschy Is that why I'm connected but have no internet?

    • @SeanLudden 3 months ago +1

      I can only read this hearing your voice and inflection

    • @prof.crastinator 3 months ago

      wow mw is famous

  • @zqzj 3 months ago +128

    "Microsoft Defender didn't find anything"
    I feel your pain!

    • @RFC3514 3 months ago

      Microsoft Defender is actually well above average, as AV software goes. This was apparently a custom executable, so no AV software would have flagged it as a known virus.
      AV software isn't a replacement for not running random executables from sources you didn't even bother to check, just like having a functional immune system doesn't mean you should lick random objects left on your doorstep.

    • @markae0 3 months ago +1

      20MB file is probably why

    • @BillyRichardson 3 months ago +13

      antivirus works on patterns and signatures. if this is new or custom malware that doesn't use common patterns, no scanner will find it until their definitions are updated

    • @MSI2k 3 months ago +10

      I don't think this is a defender issue. They probably encrypted the malware itself and are using a custom bootstrap

    • @Lizlodude 3 months ago

      @droopy_eyes To clarify, this *type* of scam has been around for a long time. It's unlikely that the executable is identical, and code obfuscation is quite effective. Ideally certain AV software should be able to recognize some of the patterns of obfuscated code, but using VirusTotal on a known-bad file is a great way to see how many AV's *won't* catch something. Not all malicious code is a cryptolocker, it's a bit of a farce that many people think viruses' goal is to slow down their computer. Often the worst pieces of malware are the ones that seem to do nothing, or exactly what they claim to do.

  • @FishyBoi1337 3 months ago +26

    Glad to be a part of such an involved and caring community! You get out what you put in and your supply of care and genuine effort for the videos and research you do is truly inspiring. Here's to many years of not getting hacked again, hopefully!

  • @Techmatt167Official 3 months ago +7

    I’ve seen so many of my favorite CZcamsrs get hacked by this same method. The in depth video and explanation of everything really caught my interest. And props to you for keeping time stamps of everything down to the second during this time. You never fail to entertain us!

  • @joe-edward 3 months ago +7

    As soon as I saw your update that you had control of the channel again, I went in and began rewatching all of your videos, hopefully triggering youtube to recommend them to others. Glad you're back in control!

  • @edwardholmes91 3 months ago +9

    I'm sorry to hear that you were hacked, but pleased that you were able to get back in relatively quickly and mitigate any future attacks. Thank you also for sharing this, which helps to educate people and fight against these hackers/scammers.

  • @jorisdesmet8021 3 months ago +32

    Good to hear that you are back up and running again!

  • @ericapelz260 3 months ago +8

    Thank you for sharing your experience. Too many people are too embarrassed to share these details that are so helpful in keeping other people safe. I can't imagine the stress of this whole mess, and I hope you have some time to do something fun and relaxing.

  • @allenpayne9182 3 months ago +28

    The “Session Cookie Attack” was easily fixed by CZcams. How? Even with the session enabled, if you want to change your CZcams account or delete all videos, you should need MORE than one “active session”. For example, “2-factor authentication” when deleting videos, changing account name, etc.

    • @matthiaswandel 3 months ago +6

      they added 2fa using the session. I think carrying out this attack and getting around protections is far from straightforward.

    • @riba2233 3 months ago +5

      looks like youtube is unfortunately not interested in fixing this mess...

    • @sycc66 3 months ago +1

      It already works like that, changing security settings (even if you're already logged in) requires authentication. But that only happens if you have 2FA enabled of course. It's been like that for a long time I believe.

    • @markm3901 3 months ago +10

      Changing a password or adding 2fa should always require another password entry and not rely on a session key. Since they had your gmail session key a 2fa with your email would not have helped.

    • @Furiends 3 months ago

      @matthiaswandel Meanwhile I have two google accounts that are impossible to get into because google required two factor on them (security questions) and of course that was insane. I made them all a bunch of random numbers I have saved on a pen drive. BUT google won't let them ever log in because two factor is required and security questions is a disabled two factor method. Pure geniuses over there.

  • @markelder1345 3 months ago +3

    Glad you’re back & thanks for sharing this experience!

  • @V8PropaneBurner 3 months ago +5

    Matthias I am so pleased you managed to resolve this and super impressed how quickly you managed it. Great to stick 2 fingers up to the hackers

  • @JohnChuprun 3 months ago

    Love how you are so candid and detailed in showing all the details, really interesting (and terrible!). Sorry you had to go through this man. That's the one thing that is so wrong with big tech companies, it is almost impossible to get a human to help you. If this happened to a small creator, even with it being so obvious, it almost always means they are completely out of luck (happened to my mother, account is just considered lost now).

  • @kstarler 3 months ago +4

    So glad you're back up in relatively short time. On the hack itself, I'd suggest using the "Always Show Extensions" option in Windows. Also, quite concerning that Windows Defender didn't return an issue. I'd be curious to see if any other antivirus software would return anything.

  • @stevenmusante4681 3 months ago +36

    I knew someone I followed was hacked but I couldn’t figure out who. I’m glad you got it back so quickly.

    • @heyjustj 3 months ago +2

      Yeah I saw this Ripple thing in my subs and was like… who is this and why did I sub to it?

    • @bradley3549 3 months ago

      If you clicked on the channel name, and looked at the URL, it still showed the channel URL as Matthias Wandel. So it was easy to figure out if you knew where to look.

    • @sansmojo 3 months ago

      @bradley3549 Everything's easy to figure out if you know where to look.

  • @raymitchell9736 3 months ago +3

    Glad you're back! Thank you for sharing such details so we can learn not to fall for this attack. I wish I could give you 2 thumbs up!

  • @localwan 3 months ago +9

    Thank you for making such a detailed video on this. Everything you make is excellent.

  • @ThatEgghead 3 months ago +221

    Some bits to consider: There's a non-zero risk involved with your other PCs now when you used your USB drive between them. Another potential vector is any other devices that were on your network or that you had credentials for saved on the original PC or if anything else on the network is unsecured (I'm thinking raspberry pis or any devices which had remote access or shared folders or the like).

    • @SuperDavidEF 3 months ago +32

      Yeah. I was going to say something about the use of a USB drive to move the video file from the hacked computer to another computer. The hackers could have inserted another malware that could infect the USB and make it a vector for infecting the other computer.

    • @JanTuts 3 months ago +19

      When this happened to Linus Tech Tips, they took no chances and physically destroyed the hard drive and motherboard (BIOS) to make absolutely sure no one could ever be affected by any possible lingering threat on that PC.

    • @koetter_boater 3 months ago +8

      @JanTuts also what I was thinking, with Matthias' frugal nature I doubt he would want to destroy the hard drive and bios if they still work, but I don't know enough about how much information from the original hack could still be on the hardware even through a clean install to know if it would be necessary or not. For sure it would be critical to also change microsoft credentials and add 2FA if possible just to be safe

    • @SuperDavidEF 3 months ago +25

      @JanTuts Well, they have the resources to be able to throw away computers any time they like. Also, it was content that they could use to make even more money. If I had a job where I could make money from destroying computers, I wouldn't hesitate either.
      In reality, the likelihood of the hardware itself being compromised is rather low, and the risk is low enough for the average person that it isn't worth the expense of destroying hardware.

    • @davejoseph5615 3 months ago +2

      He could perhaps make a backup image of the disk and then let an antivirus program scan the image.

  • @shubus 3 months ago +4

    Thanks for documenting your experience, Matthias. This is a good warning for other youtubers.

  • @burgersnchips 3 months ago +2

    So glad to hear you got the account back. When I saw your previous video I went to their scam live stream and reported it, hoping I was joining a few thousands doing the same thing.

  • @jammywesty91 3 months ago

    I'm so glad things worked out. Me and my WW buddies were sharing and talking about your video on the Domini Design tool box hinge right before your channel got hit. We were gutted to think your breakdown was lost haha

  • @dyloncai 3 months ago

    So sorry that it happened to you and I'm glad you managed to get back fast enough.
    Thank you for sharing these details with us.

  • @bradw256 3 months ago +5

    Thanks for sharing the gory details. I always learn stuff from your video, and this is no exception. Nice work . . .

  • @esotericsean 3 months ago +3

    Glad you got it back so quickly. I'm going to take some notes here for my own CZcams channel.

  • @jlplumley2 3 months ago +2

    Thank you for taking the time to share this with us. That helps people to be on the lookout for this.

  • @bhupindertube 3 months ago

    First of all, I'm glad you were able to get your channel back. TBH, the email was very convincing & even the files. I'm shocked that Windows defender could detect it. RAR file is so to hide from Windows Defender. Wow, they even added a security key! This video is very useful to learn what not to do - thanks for posting it. I think it's important to be able to contact CZcams asap as you've mentioned via Twitter (X) perhaps as all other means are locked out. And disconnect internet, reset windows with clearing the All the drives (formatting).

  • @joshcryer 3 months ago +7

    Been watching you for some 15+ years. Good job man with the timeline. Sorry this happened to you. Don't click links!

  • @DoRC 3 months ago +13

    Definitely nice to have a big channel with a lot of people that can help you. People with small channels would not fare so well.
    On another note it's critical to always carefully read your emails before taking action on them. The first sentence of the first email was a huge red flag for me.

    • @dansmith99612 3 months ago +1

      Coming from a domain to some random California based crane company.... Should probably tell Brian at Crainco that his email is compromised

    • @ChoiceOfIllusion 3 months ago

      Yeah "glad to hear that we managed to interest you" is an obvious red flag. I have read/seen that hackers deliberately put slightly dubious language in their communication to make sure that anyone more security savvy / actually paying attention will notice and delete the email, therefore not wasting the hackers' time. Anyone who does not notice this is often more gullible/ stressed etc and so more likely to be an easy target. This might sound harsh, but it is clearly shown here again with that first sentence.

  • @robertfallows1054 3 months ago

    Wow. That must have been crazy. Glad you went into so much detail. I’m not a CZcamsr but just the whole process was eye opening

  • @thomask4836 3 months ago

    Dear Matt,
    I am so sorry to hear this happened to you! I remember when John Heisz got hacked as well and my heart went out to him as well. I'm happy to hear things are resolved. Hats off to your logical way of thinking in regard to protecting the highest asset first and working your way down! Smart Thinking! ! ! ! !
    Best Wishes and Take Care,
    Tom

  • @whitag01 3 months ago +6

    Thank you for outlining the attack. Very interesting.

  • @Walt1119 3 months ago

    So glad you got it all sorted back out! Sorry for all ur trouble, long term subscriber that still enjoys your videos!!!

  • @MSI2k 3 months ago +2

    Wow, what an awesome video. Documented everything. You truly are a systematic individual 🎉 glad you got the account back

  • @mitchellhw2006 3 months ago +44

    Geesh! It's never ending with the hackers. They sit there scamming good people all day long. Sorry to hear this but so glad you recovered as most do not.

    • @matthiaswandel 3 months ago +38

      Watch to the end. its those dammed Russians!

    • @loucipher67 3 months ago +7

      *damned @matthiaswandel
      Probably the Chinese pretending to be the Reds
      lol Its like the 50's again duck and cover

    • @asailijhijr 3 months ago +3

      @loucipher67 I guess it's time to break out the old air raid siren.

    • @user-mg5cs6zt8l 3 months ago

      @matthiaswandel you could not know it for sure, only in case if you know this hacker personally. Google (or any other service) does not know real device geo-position: it is calculated by the network IP addresses. And there are two big problems: you could mask or set any IP address you would like to have, VPN technically gives you any IP address you would like to have (and as the result - any geo-position). So this hacker may be in any place in the world, even in the next house of you. And you never find it out. How good do you know your neighbors? Just kidding. Usually any attacks are built through the intermediate victim - it is small server or PC, hacked to hide real hacker location and identity. Its owner does not even know about it. And just in case: if my nickname causes a lot of mistrust to you - I am an evil russian after all, you may ask any network or security engineer you trust. In private dialogue

    • @aserta 3 months ago

      @loucipher67 Nah, it's the ruzzians. They're desperate for cash, the country is imploding. Not that china isn't, but not anywhere near as fast as ruzkis are.

  • @ScramblerUSA 3 months ago +26

    Hi Matthias, before I sent you an email about this ordeal, I actually reported your channel to youtube with a note about someone hijacking your account and leveraging your subscriber base to push this crypto crap. And advised them to reach out to the original owner. Hope it helped in locking the channel and the aftermath. Good to know things are back to normal. Keep it up.

  • @marcoschwanenberger3127 3 months ago

    Phew, glad that worked out rather quick for you and you have all video back! I was very nervous, seeing the video on the second channel! Also; Thank you very much for creating this time table! Really puts into perspective just how fast these things can go (wrong).
    I wonder what the actual goal of these miserable hackers is. Big Channels get flagged for hacked pretty much immediately, so the hackers don't actually have any gain for their effort spent. And small channels may take longer to recover, but - they are small. Less views, less engagement. So what gives?

    • @matthiaswandel 3 months ago +3

      Low paid Russians trying to get western currency via crypto scams to pay for their stupid war. Probably didn't make that much $ off this one, but still.

  • @mattmorrisson9607 3 months ago

    Oh crap! That must have been a whirlwind of emotions that night! Glad you're back Matthias!

  • @GrannyDryden 3 months ago +24

    As someone who works in IT, session hijacking is the number one way to access someone's session and bypass 2FA, it's unfortunately very simple to do. I stopped opening my webmails on my regular PC a while back, but instead I open a Windows Sandbox session and open my webmail there. This allows me to control what cookies are being retained by the session as well as being able to close the window if anything nefarious was to be downloaded and run. The only credentials that would be compromised were the ones I opened in that Sandbox, meaning my attack surface is a darn sight smaller and I would only have to reset those passwords and tokens, and not all my other accounts. Nor would I have to think about wiping and reloading my PC, in fear that something might have infected it. Windows Sandbox upon closing would blow away anything that got installed. It's free and baked into Windows 10 onwards.

    • @ChoiceOfIllusion 3 months ago +5

      Important clarification, session hijacking doesn't bypass 2FA. Session hijacking allows the hack to act as if they are the authenticated user until the session expires. During that time they have the same access you do when you login to your account. When they try to change your password, if you had previously enabled 2FA for this action AND google/youtube always apply the 2FA check, they would not be able to bypass 2FA and the account owner will get a confirmation sms which they would obviously reject. The issue is even if you enable 2FA, google for some ridiculous reason don't apply it 100% of the time when changing password/email. That is the issue.

    • @hshshejejdu971 3 months ago +3

      @ChoiceOfIllusion the lack of reliable 2FA is mental. But the problem is why given your cookies someone can change your password. If hackers do account recovery then phone or recovery email should be required which I won't call 2FA, I call it reasonable 2015+ reset password mechanism.

    • @RandStuffOfficial 3 months ago +3

      @ChoiceOfIllusion Can they see the passwords saved in Chrome browser with session hijacking? Normally you have to enter your Windows session password in order to see or copy them.

    • @GrannyDryden 3 months ago +1

      @ChoiceOfIllusion thank you, yes you are correct. Poorly worded on my behalf. If websites made you re-authenticate with 2FA to make account changes, a lot of these attacks would be thwarted.

    • @PiefacePete46 3 months ago

      @ChoiceOfIllusion: I am out of my depth here, but if they hijack an open session, would they not be able to change the contact number used for 2FA, or would attempting this trigger a 2FA check to the original number first?
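
The re-authentication rule discussed in this thread and in the earlier "Session Cookie Attack" thread, as an added server-side sketch (not part of any comment and not Google's or YouTube's code): the session cookie alone is enough for ordinary actions, while account-control changes need the password again in the same request. `AccountService`, the action names and the credentials are hypothetical and constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Actions that change who controls the account or destroy content.
# (Policy list assumed for this example.)
SENSITIVE_ACTIONS = {"change_password", "change_recovery_phone", "enroll_2fa",
                     "rename_channel", "delete_videos"}


class StepUpRequired(Exception):
    """The session is valid, but the action needs the password entered again."""


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    def __init__(self):
        self._users = {}      # user -> (salt, derived key)
        self._sessions = {}   # session cookie -> user
        self.audit = []       # (user, action, outcome), kept for detection

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _derive(password, salt))

    def _password_ok(self, user: str, password: str) -> bool:
        salt, key = self._users[user]
        return hmac.compare_digest(key, _derive(password, salt))

    def login(self, user: str, password: str) -> str:
        if user not in self._users or not self._password_ok(user, password):
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = user
        return cookie

    def perform(self, cookie: str, action: str, password: Optional[str] = None) -> str:
        user = self._sessions.get(cookie)
        if user is None:
            raise PermissionError("no such session")
        if action in SENSITIVE_ACTIONS:
            # The cookie proves only that some browser holds the session. Require the
            # secret again in this request; a second-factor check would sit here too.
            if password is None or not self._password_ok(user, password):
                self.audit.append((user, action, "step_up_denied"))
                raise StepUpRequired(action)
        self.audit.append((user, action, "allowed"))
        return "allowed"


def replay_demo() -> dict:
    """Owner logs in; the same cookie is then presented without the password."""
    svc = AccountService()
    svc.register("channel_owner", "correct horse battery staple")  # constructed credentials
    cookie = svc.login("channel_owner", "correct horse battery staple")

    results = {"replayed_read": svc.perform(cookie, "view_analytics")}
    try:
        results["replayed_change_password"] = svc.perform(cookie, "change_password")
    except StepUpRequired:
        results["replayed_change_password"] = "step_up_required"
    results["owner_change_password"] = svc.perform(
        cookie, "change_password", password="correct horse battery staple")
    results["denied_events"] = [e for e in svc.audit if e[2] == "step_up_denied"]
    return results


if __name__ == "__main__":
    for name, value in replay_demo().items():
        print(name, "->", value)
```

The `step_up_denied` audit entries are also a detection signal: a valid session that repeatedly fails re-authentication on account-control actions is worth alerting on.
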

  • @aminorityofone 3 months ago +52

    Same thing happened to LTT. CZcams can fix this issue. Automatically issue a 2-factor warning when logging in from an unusual IP address. Changing your account phone number should automatically initiate a 2 factor auth request. These steps would actually save google money as employees wouldn't need to spend time fixing accounts.

    • @matthiaswandel 3 months ago +21

      I hadn't enabled 2-factor authentication on that account. like I said, that would probably have saved it.

    • @SuperDavidEF 3 months ago +9

      @matthiaswandel I think what aminorityofone is suggesting is that strange or out-of-character goings on should automatically escalate to 2-factor even on accounts that don't have it turned on. Google do, presumably HAVE the info needed to contact you a second way for verification purposes.

    • @schwuzi 3 months ago +10

      @SuperDavidEF yeah they probably know your regular gas station and tell you to get your 2FA code from the clerk behind the counter that's on shift.

    • @riba2233 3 months ago +3

      @matthiaswandel it wouldn't help unfortunately, youtube really needs to fix this

    • @AdamsLab 3 months ago +5

      CZcams can't stop people from opening the door and inviting the attacker in. This attack (a session hijack) bypasses 2-factor.

  • @Lizlodude 3 months ago

    Glad you got it back, and hopefully there isn't too much residual damage. The fact that even with this video you have an Excel sheet of a bunch of data is hilarious!
    One note, it looks like the vanity name of the channel is still set to 'woodgears', so you might need to set that back.
    While I don't agree with a lot of the people flaming Google for this, social engineering will always be a problem, they really do need to improve some of the processes around these issues. For one, after the same attack hit LTT, Google claimed they were beefing up the security surrounding session keys, but clearly that isn't the case.
    Additionally, the fact that it is basically impossible to get in touch with anyone at Google without having a preexisting YT rep is a problem. I've had my own security issues with Google, and have no way to get any information about them because I can't contact anyone. Everything is just an automated response with redundant and useless information.
    Also, the fact that Google disabled my physical security key and replaced it with a prompt on any device logged into the YT app is absurd. That's far better than no 2FA, and almost certainly better than SMS, but no you don't remove my security method.

  • @doggfite 2 months ago +1

    Glad to see the channel is back again, hopefully everything is fully resolved for you moving forward!

  • @skyrocketautomotive670 3 months ago +3

    Jesus, what a stressful 6 hours that must have been! I'm so glad you were able to get things up and running again, and I'm sorry these bastards found a way through, it's not like you aren't an intelligent person. It's scary that they always seem to find a way to slip the net.
    Best of luck for 2024!

  • @hmspain52
    @hmspain52 3 months ago +10

    My X account was hacked and suspended. A couple years later, they still refuse to reverse the suspension. Glad you had better luck with YouTube!

    • @aserta
      @aserta 3 months ago +8

      yeah, but it's not like you need twitter these days. It's a wretched hive of scum and villainy now.

    • @xl000
      @xl000 3 months ago

      They did it for your own good.

  • @HerreroTaller
    @HerreroTaller 2 months ago

    I think that sharing these events with the level of detail that you have done is what helps the most to avoid in the future and be better prepared... It is a shame that the services and companies are not very efficient in helping the user. Excellent Matthias and thanks for sharing.

  • @XSpImmaLion
    @XSpImmaLion 3 months ago

    Man, Matthias, thanks for sharing all of this... sorry for the headache, but it's very useful, and very kind of you to share all the details.
    So... my guess was right, this was a session cookie hijack attack. Seemed like it because I think lots of YouTube account hacks go through this. I also heard this follow through to go into connected devices and disable it all, because it's what connects your account service side to your PCs via the session cookies. Kinda complicated to understand.
    I have half guesses and half questions here... not a specialist, I just read a lot on these things. Not for Matthias specifically, but perhaps people in the know in the comments.
    So... afaik, Gmail itself usually does not get hijacked because seems it's a bit more hardened against this kind of attack, not sure if this is true or not. Good thing Matthias set up a separate account for YouTube though, can't imagine the extra headache that it would've been if the main Gmail account went with it. Is that right though? Gmail seems to keep a session in a similar way to YouTube, but perhaps there's something more under there... some verification that Gmail does that YouTube does not.
    This is a bit why all these connected accounts makes me nervous... the possibility of being hacked in one service and getting all the rest compromised with it.
    Other half guess half question - I think, and I may be wrong, that these session hijack attacks are very specific. It's like, a ready made attack that goes specifically after a YouTube account, and perhaps a few more things, but it doesn't like let the hacker have free roam inside the PC. Could be wrong here, not sure. It's more because of a speed and practical standpoint - the malware goes straight after whatever required files it needs to impersonate the YouTube session.
    Anyways, glad that you solved it relatively fast Matthias.

  • @petermoore4056
    @petermoore4056 3 months ago +5

    Sad to hear this has happened. It always troubles me that Microsoft Windows default behaviour is to hide file extensions, it would be a massive help in these times when you have no idea what type of file you're opening.

    • @boots7859
      @boots7859 3 months ago

      It's pretty simple to change that behavior by going into file explorer control panel. Most people who are smart enough to even know what file extensions are/do already have done that. And realistically, most crims are able to use a vuln/exploit on most file extensions so it wouldn't matter that much. These crims were pretty basic, just smart enough to use a spell checker and well written bait.
      I think the mention of $6K got Matthias' interest enough that he totally missed it was the old .screensaver exploit known about for 2 decades....

  • @antipode_ghost
    @antipode_ghost 3 months ago +4

    I hope this shows to people who think that they are too smart/savvy to be scammed, that they are also vulnerable.
    Matthias is a tech wizard with years of experience, and the scammers still managed to get him.

    • @matthiaswandel
      @matthiaswandel 3 months ago +11

      No, it doesn't. Just read the comments from all the people who "know better"

    • @Furiends
      @Furiends 3 months ago +1

      There's different levels. People less familiar with computers generally might be tricked more easily. But modern OSes are also extremely complicated and humans aren't very good at being meticulous and consistent. But in this case it's just egregious that Windows even still supports running screensavers like this.

    • @antipode_ghost
      @antipode_ghost 3 months ago +1

      @@Furiends I agree, Windows is far from ideal, but my main point is that everyone can be tired, or in a rush, or blindsided by a goal, and miss some tell-tale sign. And social engineers are getting smarter, and their schemes become more elaborate.
      Everyone is at risk, no matter how smart or savvy. And everyone should assume that everything is a scam by default.

  • @toddharshbarger8616
    @toddharshbarger8616 3 months ago

    Wow. Sorry you had to go thru this but appreciate that you shared your experience with us all to hopefully prevent us from experiencing the same!

  • @mpadlite2925
    @mpadlite2925 3 months ago

    Happy to see that your problems were resolved so quickly and comparatively easily.
    And thanks for sharing such a detailed and "straight forward description" as I believe it will help others get a better understanding of how it can happen. And thereby make them at least a bit less at risk due to their own behaviour.
    Forewarned is forearmed
    Brgds

  • @georgebayliss3291
    @georgebayliss3291 3 months ago +8

    Great to see you back Matthias! Is "woodgears" a permanent channel name to distinguish from before the attack if you like, or is it just a temporary measure? (I like both!)

  • @frederickwood9116
    @frederickwood9116 3 months ago +10

    Glad you got it all back.
    Use a virtual machine for any odd stuff. In fact use the virtual machine for most email and then use your regular machine for the exception. I’m not familiar with this attack so I can’t say it would have protected you 100%. But at least the infected machine aspect would be really easy to fix without a full system rebuild.
    Thanks for sharing.

    • @shawnsg
      @shawnsg 3 months ago +2

      From my understanding of how this works, a VM wouldn't have stopped it.

    • @frederickwood9116
      @frederickwood9116 3 months ago

      @@shawnsg use a linux distribution for your virtual machine guest os. Something easy like Linux Mint. An exe is not worth much on a Linux machine.

    • @shawnsg
      @shawnsg 3 months ago

      @@frederickwood9116 alternatively, just check the emails on a phone.

  • @azimali322
    @azimali322 3 months ago

    THANKS FOR THE VID! Not just useful for youtubers getting hacked but any person getting hacked in a phishing manner like this and what they can/should do immediately upon realizing it.

  • @Maybe-So
    @Maybe-So 3 months ago

    WOW! Thank you for telling us your story - very helpful!
    I'm amazed and happy that you got your account back!

  • @johngaltline9933
    @johngaltline9933 3 months ago +13

    Confused how it's 2024 and session cookies don't include at least the general information about the system they are created on and the location data to limit their use to the same system and location. A check box for 'only this IP' would be great too. Makes it a hassle on portable devices having to log in all the time, but having the option would be nice. At the very least, a session token should never be enough to change passwords or recovery emails... there's no excuse to not have to enter your credentials before making changes like that.

    • @matthiaswandel
      @matthiaswandel 3 months ago +6

      I think they played an elaborate game of creating lots of sessions and such to get around any algorithm that would detect this.

    • @johngaltline9933
      @johngaltline9933 3 months ago +2

      @@matthiaswandel Yeah. I get how they do it, I just don't see why a huge platform like youtube doesn't have safeguards in place to prevent session hijacks. For someone with no budget, just playing with making websites for the learning experience, it is pretty easy to make sure a session is tied to an IP, or a general location, and/or a system with the basic specs. For a company with money, or knowledgeable people, you can tie it to exact specs of a single device with various scripts.
      I'm just confused that with as often as the session hijack seems to happen, YouTube hasn't at the least, added a check box to allow people that want it to require a full log in or two-factor authentication before major channel settings or methods of access to the account can be changed.

    • @erlendse
      @erlendse 3 months ago

      @@johngaltline9933 Probably so you can take the computer with you on travels, or get a new IP from the ISP without getting logged out?
      In my experience, you do not get logged out from google unless you clear cookies or delete the session from the google page.
      Moving a laptop between networks clearly does not log you out. (with 2 factor etc.)
      Chrome may have some creative solutions there, but I do not know for sure.

    • @mjiii
      @mjiii 3 months ago

      @@johngaltline9933 Tying sessions to IP is not feasible in the modern world full of VPNs, laptops, mobile phones and WiFi hotspots. And if the attacker manages to execute something on the target computer they already have full access to all the hardware details which makes them trivial to spoof. 2FA is pretty much the only thing that works when the user's hardware is compromised.

    • @huanstube
      @huanstube 3 months ago +3

      In the realm of IPv4, not every device has a fixed IP, so, every time a device gets a new IP, the cookies are rendered invalid. Bad side effects. Some devices have GPS, some don't. Requiring geo location data during session cookies creation is a non-starter. How about MAC address of the device? That might work in some cases; in others, it may not. Reason being that some network device/software/driver actually swaps the real one with a dynamically generated one. And the generated one can change at any time. Same issues as IP.

  • @peterjensen6844
    @peterjensen6844 3 months ago +4

    That preview pic is amazing 😂

  • @LgosseuxDbois-TheWoodpecker
    @LgosseuxDbois-TheWoodpecker 3 months ago

    I'm so glad you were able to recover your channel in such a short time, I was not one of those lucky people.
    It could have been me, again... I switched to Resolve 2 months ago and I LOVE it I'm still using the free version I'm going to buy the paid version only for small improvements, so again I would have been compromised in my brand new PC.... I'm so glad it ended like this

  • @justincatterall9597
    @justincatterall9597 3 months ago

    So glad you got your account back. Thank you for giving such a detailed breakdown of how recovery works.

  • @kasroa
    @kasroa 3 months ago +3

    Is there any good reason why they want you to be logged in to report being hacked? Seems like the most ludicrous and bizarre requirement, it just baffles me. It's the equivalent of reporting your car stolen and the police asking you to drive it down to the station so they can take a photo of it.

  • @phrozenwun
    @phrozenwun 3 months ago +5

    Since I had unsub'd ripple I now get to subscribe, re-watch and like all the old woodgears videos.

    • @matthiaswandel
      @matthiaswandel 3 months ago +5

      yes, hoping some of those 5k subs that left will see this and re-sub.

    • @schwuzi
      @schwuzi 3 months ago +1

      @@matthiaswandel I was one of them! Resubbed already.
      Good that it's all over. The new SSD certainly isn't a bad idea. Take care of yourself, Matthias :)

    • @bruceboggemes9724
      @bruceboggemes9724 3 months ago

      I didn't unsub, but was "unsubbed" somehow anyways. Can you tell who left because of the new content and who got removed? @@matthiaswandel

  • @davida1hiwaaynet
    @davida1hiwaaynet 3 months ago

    Ugh! So sorry you had to go through this. Stuff of nightmares. So glad you got your channel back; and they didn't delete your content.

  • @mevk1
    @mevk1 2 months ago

    Fascinating. Thank you for showing us all how to handle such a cyber attack!!

  • @Name-oz8zr
    @Name-oz8zr 3 months ago +22

    2:15 Also, the unpacked contents of a rar file will not be marked as potentially unsafe like contents of zip files. So you don’t get an additional warning when starting the malicious executable.

    • @RFC3514
      @RFC3514 3 months ago +3

      @@droopy_eyes - RAR is no more "ancient" than plain ZIP, which is still by far the most common format. 7Z and RAR4 are indeed better (especially after you tweak a couple of compression parameters), but with internet speeds having increased so much, most people don't care about size, so they stick to the older ZIP format for compatibility.
      What really surprised me was that he didn't have file extensions visible. That would have made it immediately obvious it was in a dodgy file format (SCR).

    • @Furiends
      @Furiends 3 months ago

      @@droopy_eyes You don't know the corporate world. It's a blood sport to make as much official communication as possible look indistinguishable from scams.

    • @spudpud-T67
      @spudpud-T67 3 months ago

      There is nothing wrong with winrar. It's just a more efficient compressor than zip. Hackers use it because it's better than zip. Just like hackers use computers cause they are better than calculators.
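
The hidden-extension point raised in several comments above (the `.scr` file would have stood out with extensions visible), as an added example that is not part of any comment or of the video: it models the Explorer view simply as "drop the last extension" and flags archive members whose displayed name looks like a document while the real extension is one Windows runs on open. The function names, the extension lists and the sample listing are assumptions made for this illustration.

```python
from pathlib import PureWindowsPath

# Extensions Windows runs on double-click (short, non-exhaustive list).
RUNS_ON_OPEN = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".vbs", ".js"}
# Extensions a recipient expects inside a sponsorship brief or contract.
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                 ".jpg", ".png", ".mp4"}


def explorer_label(member):
    """Name shown when 'Hide extensions for known file types' is on.

    Simplified model (assumption): the last extension is always dropped.
    """
    path = PureWindowsPath(member.strip())
    return path.stem if path.suffix else path.name


def classify(member):
    """Return 'disguised-executable', 'executable' or 'ok' for one member."""
    real_ext = PureWindowsPath(member.strip()).suffix.lower()
    if real_ext not in RUNS_ON_OPEN:
        return "ok"
    # What extension does the *displayed* name appear to have?
    shown_ext = PureWindowsPath(explorer_label(member)).suffix.lower()
    if shown_ext in DOCUMENT_LIKE:
        return "disguised-executable"
    return "executable"


def triage(listing):
    """Map each risky member to (label the user sees, verdict)."""
    report = {}
    for member in listing:
        verdict = classify(member)
        if verdict != "ok":
            report[member] = (explorer_label(member), verdict)
    return report


# Constructed archive listing; the file names are invented for this example.
SAMPLE_LISTING = [
    "Sponsorship/Brief.pdf",
    "Sponsorship/Contract.pdf.scr",
    "Sponsorship/Preview.mp4",
    "Sponsorship/SETUP.EXE",
]

if __name__ == "__main__":
    for member, (label, verdict) in triage(SAMPLE_LISTING).items():
        print(f"{member!r} is shown as {label!r}: {verdict}")
```

Run over an archive listing before anything is opened, this surfaces the mismatch between the label a user sees and the file type Windows will execute.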

  • @DearHenryA
    @DearHenryA 3 months ago +3

    It is so sad that companies resort to social media to communicate with their customers when there are still a lot of people that do not use social media.

    • @matthiaswandel
      @matthiaswandel 3 months ago +2

      what else should they use? email is too susceptible to spam that way.

    • @1pcfred
      @1pcfred 3 months ago +1

      @@matthiaswandel they could host a webpage with a form you can actually use. But I guess that's asking a bit much of a tech company only worth 1.766 trillion dollars.

  • @briancalvey4997
    @briancalvey4997 3 months ago

    I'm sorry that happened to you! And I'm glad you were able to recover your account!

  • @ChrisCrewdson
    @ChrisCrewdson 3 months ago

    Thank you for making this video. It's hard to tell others about your mistakes, but it's extremely valuable.

  • @calvinleeryan
    @calvinleeryan 3 months ago +3

    Glad you got it back!!

  • @oddzc
    @oddzc 3 months ago +6

    For how often this happens to big youtubers, the process for recovery on Google’s end really demonstrates how little they care about their creators.

  • @imacomputer1234
    @imacomputer1234 3 months ago

    Sorry this happened to you. Glad you got it back so fast. Thank you for sharing this information, it will help a lot of people prevent this from happening to them.

  • @cymeriandesigns
    @cymeriandesigns 3 months ago +1

    Whew, that is a detailed saga. Thanks for making this.

  • @FrietjeOorlog
    @FrietjeOorlog 3 months ago +4

    An encrypted RAR also means all the Antivirus measures in the chain of mailservers can't scan it including your own PC's AV until you unRAR. Although it seems Defender didn't pick it up at that point here.

    • @Prophes0r
      @Prophes0r 3 months ago +1

      Think of it like airport security.
      If someone wants to do bad things to the plumbing of an airport, you want to catch them when they are trying to go through the passenger security line wearing a plumbing uniform and carrying a bunch of tools. That is where they will stand out.
      Once they are on the other side of security, a plumber wearing a uniform and wheeling around a cart with plumbing tools between every bathroom is pretty normal.
      Hiding an executable in an email is the important part, because emails almost never have executables attached. That is the red flag.
      Once it is on your computer, the executable doesn't really have to do "bad" stuff to accomplish its goal. There isn't much to scan for.

  • @_rlb
    @_rlb 3 months ago +3

    You would think that Google should recognize a session being reused from a different location. Logging out that session would be enough. I'm probably missing something.
    Good to see you're up and running (but the channel name is now simply woodgears)

    • @SuperDavidEF
      @SuperDavidEF 3 months ago

      What you're "missing" is that Google don't really care. They could certainly fix it if they wanted to.

    • @matthiaswandel
      @matthiaswandel 3 months ago +6

      given all the stuff the hackers did, I'm pretty sure much of it was to fool google's algorithms into complacency. Like I explained.

    • @_rlb
      @_rlb 3 months ago

      @@matthiaswandel yes sorry you did, but those looked like new logons from different locations to mess with the AI systems, not the original session.
      Again glad to have you back

    • @iwantagoodnameplease
      @iwantagoodnameplease 3 months ago

      When I was phished on Steam they used a VPN to get a UK login, which I stupidly accepted on Steam Guard's 2FA because it didn't say "RUSSIA".

  • @wayoutwest-workshopstuff6299

    Well done, Matthias - you look pretty calm about it all. I was so frazzled when it happened to us!

  • @LukiF
    @LukiF 3 months ago

    Oh, so this is the channel... I got notification from some weird channel, that it is live, but I could not figure out where I got it... I'm glad you managed to get your channel back.

  • @MrPoelepoele
    @MrPoelepoele 3 months ago +16

    Session hijacking bypasses MFA, since the session cookie they're stealing is from an already authenticated session.
    Meaning they don't have to log in, and MFA wouldn't have stopped this.

    • @matthiaswandel
      @matthiaswandel 3 months ago +16

      That's what happened to linus tech tips.
      But .. They wouldn't be able to change the password with MFA. So once figured out what's happening, I could have changed the password, which would have killed all the other sessions.

    • @VikingProbe
      @VikingProbe 3 months ago +1

      @@matthiaswandel since they were already logged in on the hijacked session, they can simply turn off 2FA, and then change the password

    • @Prophes0r
      @Prophes0r 3 months ago +1

      @@matthiaswandel Not with the current solution you couldn't.
      Your first sign of a problem would be the changed email, which doesn't currently require MFA.
      The new email is their second factor, so you end up with the same problem.
      We are back to requiring MFA on all account changes. Which should be a thing on EVERY account with more than like 10k subs.[1]
      Hell, the session keys should be based on geographic locations anyway.
      Restricting the keys to a machine hash could cause a ton of problems. But restricting a session established from a specific local ISP from suddenly reconnecting from another continent should be a no-brainer and trivial to implement, even if it would still allow attackers to bypass it with local proxies. At least it would provide another speed bump.
      [1] Remember that these accounts are being used to run scams. It isn't JUST about the account holder getting screwed when they lose access to their channel. This is also a public safety issue. Monetization doesn't matter. Audience exposure does. Channels over a certain threshold are a public threat, since they are the targets for scam use.

    • @MrPoelepoele
      @MrPoelepoele 3 months ago +1

      @@earld1403 in theory, when you log out, your session token should be deemed invalid. Which should in turn make it so your session can't be hijacked.
      But this also depends on how well the application was coded. Some applications might not invalidate session tokens when a logout occurs, this would be a security vulnerability.

    • @huanstube
      @huanstube 3 months ago

      @@earld1403 You can simply start a new private/incognito window and close it when done. Nothing is saved unless you download something.
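
Several comments in this thread and in the earlier @johngaltline9933 thread ask for the same server-side controls: re-enter credentials before account changes, challenge a session that reappears from another region, invalidate tokens on logout, and kill other sessions on a password change. The following is an added sketch of those checks, not part of any comment and not how YouTube or Google implement sessions; the class, action names and region labels are hypothetical, and the region is assumed to come from a coarse GeoIP lookup.

```python
import secrets
import time
from dataclasses import dataclass

# Hypothetical action names for changes that can lock the owner out.
SENSITIVE = {"change_password", "change_recovery_email",
             "disable_2fa", "rename_channel"}
REAUTH_WINDOW = 300  # seconds a password + second-factor check stays fresh


@dataclass
class Session:
    user: str
    region: str       # coarse network origin recorded at login (assumed GeoIP)
    last_auth: float  # when credentials were last verified on this session


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # token -> Session, held server-side only

    def login(self, user, region):
        """Call only after password and second factor were verified."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, region, self.clock())
        return token

    def authorize(self, token, action, region):
        """Return 'allow', 'step_up' (re-enter credentials) or 'deny'."""
        s = self.sessions.get(token)
        if s is None:
            return "deny"      # logged out, revoked or never issued
        if region != s.region:
            return "step_up"   # valid cookie, but arriving from a new region
        if action in SENSITIVE and self.clock() - s.last_auth > REAUTH_WINDOW:
            return "step_up"   # a bare cookie is not enough for account changes
        return "allow"

    def reauthenticate(self, token, region):
        """Call after a step-up prompt succeeded; re-anchors the session."""
        s = self.sessions[token]
        s.region, s.last_auth = region, self.clock()

    def change_password(self, token, region):
        """Return a fresh token, or None if step-up is still required."""
        if self.authorize(token, "change_password", region) != "allow":
            return None
        user = self.sessions[token].user
        # Revoke every session of this user, including stolen copies
        # of the token that made this request, then issue a new one.
        self.sessions = {t: s for t, s in self.sessions.items()
                         if s.user != user}
        return self.login(user, region)

    def logout(self, token):
        self.sessions.pop(token, None)  # server-side invalidation


def replay_demo():
    """Constructed scenario: a copied cookie is replayed an hour after login."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    owner = store.login("channel-owner", "REGION-A")
    other_browser = store.login("channel-owner", "REGION-A")
    now[0] += 3600
    stolen = owner  # the thief holds a byte-for-byte copy of the cookie
    out = [
        store.authorize(stolen, "view", "REGION-B"),                  # far away
        store.authorize(stolen, "change_recovery_email", "REGION-A"), # via proxy
        store.authorize(owner, "upload_video", "REGION-A"),           # routine
    ]
    store.reauthenticate(owner, "REGION-A")  # owner passes the step-up prompt
    fresh = store.change_password(owner, "REGION-A")
    out += [store.authorize(t, "view", "REGION-A")
            for t in (stolen, other_browser, fresh)]
    return out


if __name__ == "__main__":
    print(replay_demo())
```

A region change here triggers a credential prompt rather than a logout, so a travelling laptop keeps working. For `REAUTH_WINDOW` seconds after a step-up, a stolen copy of the same token is as fresh as the owner's, which is why the password change rotates the token.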

  • @GabrielWB
    @GabrielWB 3 months ago +4

    Still embarrassing that the fastest way to Google support is by going through friggin Twitter. You'd think they would have improved this process after some big channels (like LinusTechTips) went through the exact same adventure some time ago.
    I do wonder if they are as fast and responsive for people with tiny channels.

  • @aarondcmedia9585
    @aarondcmedia9585 3 months ago

    Going for a walk. Love it. Well done for staying calm under fire, great to see the channel back. Glad this video popped up so I could resubscribe.

  • @hinojosaunlimited
    @hinojosaunlimited 3 months ago

    Thanks for making this vid and showing how it happened, it's extremely useful information. Also very glad you were able to recover your account.

  • @Beakerzor
    @Beakerzor 3 months ago +7

    My mother always told me to avoid black magic.

  • @Prophes0r
    @Prophes0r 3 months ago +9

    6 hours to recover is, honestly, blindingly fast.
    This is the shortest I've EVER heard of.
    Even LTT, who apparently have a POC at YouTube that they called within minutes, took more than 12 hours.

  • @jedifyll
    @jedifyll 3 months ago +21

    I’m in CyberSecurity and I have to say, it was pretty bad that you clicked on it driven by excitement but INCREDIBLY well done by pulling the plug as soon as you realized something was fishy. Big fan of your videos as they are all very informative. Great job of the timeline for an after action report and even better that you shared it for others to learn. Keep up the wonderful work and remember, if it’s too good to be true, it’s likely false.

    • @alianbaba9330
      @alianbaba9330 3 months ago +1

      Since Windows security didn't pick it up, do you know what kind of antivirus is good at detecting these hacks? I receive many WinRAR files as part of my work. I am relying on the built-in Windows 10 security system to protect my PC. But in this case Matthias wasn't able to detect it using Windows security

    • @boots7859
      @boots7859 3 months ago

      @@alianbaba9330 Most people with a modicum of experience would have a separate A/V running, or like me, would have uploaded the file to something like virustotal which will scan with ~20 different brand name scanners. This was beyond embarrassing.

    • @Furiends
      @Furiends 3 months ago

      @@alianbaba9330 Consider that unlike an exploit this is a payload the user runs. (which is insane Windows allows this). Given what the payload does it would be antithetical for antivirus to block it because then what's the point of programs on your computer? Imagine something like:
      Reads files on your computer
      Loads web page
      Use webpage text for path of file to upload
      Where is the malicious code here? You wouldn't be able to run an email client. Now on Android there is at least per app security context.

    • @clavicus
      @clavicus 3 months ago

      Shouldn't he be worried about other devices on his network? Is he really "done" with this issue by simply unplugging the PC?

    • @clavicus
      @clavicus 3 months ago

      @@alianbaba9330
      NOD32, Sophos, etc there are quite a lot of real-time detection anti-virus/anti-malware software out there to choose from that have relatively low resource impact on your machine. These two aren't free but there are some that are.

  • @phil41055
    @phil41055 3 months ago +2

    This is more scary proof that scams can happen to anyone. You don't get to feel that your tech savviness will prevent you from being a victim. I am definitely above average on my understanding of computers, but am nowhere near as knowledgeable as Matthias. So glad to hear you got back up so quickly!

  • @brianrobertson6475
    @brianrobertson6475 3 months ago

    Wow! Quite the ordeal! Thank you for producing this video, so many people I think make the mistake of opening attachments. But this really opens one's eyes to the consequences. As to the infected PC, I suppose a three-time-overwrite of the HD would sanitize it before re-installing Windows so you'll have a useable machine again...

  • @JonnyDIY
    @JonnyDIY 3 months ago +3

    Wood Gears!!! 💕

  • @JamesOrlowski
    @JamesOrlowski 3 months ago +4

    I'll never understand why Windows users choose to hide file extensions. That's one of the first things I change after a fresh Windows install.

    • @Petertronic
      @Petertronic 3 months ago

      Me too, been doing that for nearly three decades now.

  • @BenCritchlow
    @BenCritchlow 3 months ago

    Glad you got this resolved promptly. Keep up with the content, you have a great channel.

  • @pgtips4240
    @pgtips4240 3 months ago

    You are a very clever man Matthias and it's a good job that you are, I think you did an amazing job recovering from such a horrid attack. It could have been much worse as well had you not been on the ball.
    Btw, please don't let this put you off switching to Davinci Resolve lol. I was a premiere and after effects user for years but I switched to DR 5 years ago and have zero regrets. I got the studio version free with a pocket 4k cinema camera and have not had to pay a single penny and enjoy getting full updates year by year for free. Take care, Paul

    • @matthiaswandel
      @matthiaswandel 3 months ago +1

      It's a steep learning curve. I did give it another stab before I realized the sponsorship thing is a scam. Main problem is, Sony Vegas suffices for the editing I do, and it's simple to use.

  • @matthewmucci9107
    @matthewmucci9107 3 months ago +4

    I knew you were going to say 2FA wasn't enabled. Please everyone take that as a sign to enable 2FA for every account you have that supports it.
    Good on you for sharing the details of everything.

  • @Beakerzor
    @Beakerzor 3 months ago +18

    If there’s a faster easier way, Matthias will master it, including getting his account back.

    • @geoninja8971
      @geoninja8971 3 months ago +3

      And he'll do it with some scrap wood from the roadside....

  • @tom314
    @tom314 3 months ago

    Great you're back up and running, it's an easy mistake to make! And well done being so honest about your mistake, it takes a great strength of character to be able to do that.

  • @EngineerMikeF
    @EngineerMikeF 3 months ago

    Matthias always has such mesmerizing content

  • @viktorshutov
    @viktorshutov 3 months ago +3

    I'm glad you get your account back! For many years your work inspires me.
    I live in Russia, and I have to say that villain is villain here too. Thief's thief. No alternative, no "looter" - they all are robbers and criminals.
    Then, my security setup - and of everybody I know - includes email service with antivirus (not gmail), dedicated paid antivirus solution on every device, show extensions enabled.

  • @Beakerzor
    @Beakerzor 3 months ago +3

    at least you had an air-gapped second YouTube account

    • @matthiaswandel
      @matthiaswandel 3 months ago +5

      wasn't air gapped. Just that the hacker grabbed all the sessions off my main browser, not realizing I use two.

  • @XDIY
    @XDIY 3 months ago

    Wow, good to have you back. After watching your video the name black magic sounded familiar... 😮 so I searched my email and found similar email which I ignored in last July 2023... 😶

  • @andrewacton5885
    @andrewacton5885 3 months ago

    I'm so happy you got it back! Thank you for being you