How YouTube channels get Hacked (Fake Ripple, Tesla, etc)
- added 13. 06. 2024
- In this video I test a particularly concerning Lumma Stealer variant.
Official Discord Server - / discord
Follow me on X - / atericparker
Disclaimer: The content in this video is for education and entertainment purposes to showcase the dangers of malware & malicious software. I do not encourage any form of illegal hacking, nor do I encourage the usage of game cheats, cracks or hacks.
Cracks are sometimes shown to highlight the dangers of software piracy, my content is not intended to teach anybody how to pirate, or maliciously hack.
More Malware Investigation Videos:
→ The latest "NORD" Malware - Nordsecured: • The latest 'NORD' Malw...
→🧧VIRUS WARNING🧧 NEW Optifine for Minecraft 1.16 SCAM: • 🧧VIRUS WARNING🧧 NEW Op...
→ The wilkreate YouTube stealer virus that started this whole trend: • Fake sponsor DESTROYS ...
(C) Eric Parker 2024 - Science & Technology
Since the other video probably won't be back until Monday, here's a bonus.
pc
oh bloody hell. i could have watched it but decided to put it off. it's all on me
I was watching the setup one then I watched something else came back and it was gone lol
Nice. Hoping to see the other one too cause of the claim at the beginning that it's the wildest malware ever reviewed on this channel. Just wondering what it did.
Great bonus. Thanks !
They sent malware to a channel that analyses malware, genius idea
yeah, that just shows how dumb scammers are XD
but maybe this malware was redirected by a viewer?
yeah but what an own it'd be on the off chance they actually manage to infect the owner of a channel that analyses malware!
@redlionstudio2750 Scammers aren't dumb - but they always go for the dumbest targets.
Remember those Nigerian Prince emails with terrible English? Those who respond to them prove that they have no knowledge about the scam or are dumb enough to believe anything, so those same people don't know that they're about to be scammed.
That means those kinds of people won't report the scam, which will allow it to keep going for longer. Nigerian Prince scams have been estimated to have stolen more than a hundred million dollars over the past few decades, which means they've filtered their targets enough to keep milking them to this day.
The only dumb people here are those who think that scammers are dumb. Always be on your toes.
When the ruble is in rubble, they can get pretty desperate I guess lol
Yeah. And of course send it to someone who knows how to bypass Cloudflare's proxy, and therefore knows how to get to the real C2 server's IP address, and the best thing that person does is to send that IP address to their friends to have a little fun :D
getting linus tech tips flashbacks
Hard R moment
Nice!
Ah yes, the classic "hide extensions of known file types" attack. Microsoft is the worst for inventing that "feature".
I guess technically it's probably smarter not to put the fake pdf if people are not accustomed to seeing file extensions.
My thoughts exactly. File extensions should be enabled by default, they’re not hurting anyone.
Microsoft did it in an attempt to prevent people from accidentally changing the file type by renaming the extension (which by design is fairly wrong in so many occasions, because file type should NOT be determined solely by its extension). Renaming a file to a different extension might cause it to break compatibility, so Microsoft by default hides extensions to prevent dumb users from renaming program files, for example (causing them to no longer work).
It is dumb, not gonna lie. First of all, Microsoft assuming users are so dumb they don't understand extensions, that's insulting. Second of all, it's a bad design. Unix-like OSes don't determine the file type by its extension, rather they do it through the file header. If that file header might correspond to many file formats (an example being text files, which do not actually have a header), then the file format might be determined by the file name extension (for example: C source code files). If Windows adopted this behaviour from Unix, then it would be so nice, and there would not be many issues with renaming a file extension. Fun fact: In Unix-like OSes, the file doesn't even need an extension, it can be simply just "file" with no extension, and it will still function according to its file type that's associated with the header inside. As an example, many log files might be extension-less, C++ source code header files are sometimes files without an extension (remember writing "#include " in your C++ program? That file has no extension), and some programs (including Windows Copilot and Recall) have the extensions of their log files removed (which on Windows is more of a measure to prevent users from poking around and looking for stuff they're not supposed to be poking around in).
Also, Windows is fully capable of opening extensionless files. Of course, you won't be able to assign a permanent application to open them, but you can still open the file by manually selecting the editor that is designed to open that file (if you know the format of the file). Not only that, Windows Command Line is capable of dumping extensionless text files into the console, the same goes for Windows Powershell (or Powershell for those who installed the latest version), and of course Command Line and Powershell don't hide the file extensions even if that is enabled in Windows.
@kevkevpurple the little timmy would get scared after seeing the .exe file format
@CZghost Excellent point about protecting users from themselves - you just know someone's going to rename a JPEG to PNG and expect it to work.
On the other hand, even with file extensions shown, you get a warning popup if you attempt to edit the extension - which is all that should really be needed, Microsoft!
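As an added example (not code from the video or from any commenter), this is the check an analyst would script for the lure discussed in this thread: what Explorer shows for a double-extension name with "hide extensions for known file types" on, and whether the file's leading magic bytes match the extension the user reads. The MAGIC table and the "perceived extension" rule are my own simplifications, not anything Windows exposes.

```python
import os

# Added example, not code from the video or its comments: show what Explorer's
# "hide extensions for known file types" setting does to a double-extension
# lure, and compare the extension the user reads against the real magic bytes.
# Leading bytes of common formats. Windows executables (PE) start with "MZ".
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",
    b"PK\x03\x04": "zip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}

def sniff_type(head: bytes) -> str:
    """Return the format implied by the first bytes, or 'unknown'."""
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return "unknown"

def explorer_display_name(filename: str) -> str:
    """With extensions hidden only the final extension disappears,
    so 'Contract.pdf.exe' is shown as 'Contract.pdf'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename

def perceived_extension(filename: str) -> str:
    """The extension a user believes the file has: the inner extension of a
    double-extension name, otherwise the hidden real one (the icon reveals it)."""
    inner = os.path.splitext(explorer_display_name(filename))[1]
    return (inner or os.path.splitext(filename)[1]).lstrip(".").lower()

def check_lure(filename: str, head: bytes) -> dict:
    """Flag files whose content type contradicts the extension the user sees."""
    actual = sniff_type(head)
    claimed = perceived_extension(filename)
    return {
        "shown_as": explorer_display_name(filename),
        "claimed": claimed,
        "actual": actual,
        "suspicious": actual != "unknown" and actual != claimed,
    }

if __name__ == "__main__":
    # Constructed sample: a PE header disguised as a sponsorship PDF.
    print(check_lure("Sponsorship_Contract.pdf.exe", b"MZ\x90\x00\x03"))
    print(check_lure("Contract.pdf", b"%PDF-1.7\n"))
```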
ah yes. sending a malicious file to a youtuber who investigates malware. very smart.
I keep asking WHO is behind this Tesla scam, because it is so widespread it CANNOT be a single person, it has to be an enormous group trying to do something that has nothing really to do with crypto. One of the things people used to do a long time ago, and still do, is taking channels with a noticeable following and selling them for a fairly good amount of money, same goes for game accounts.
It's going to be the same scam run by different people. Best you can do is keep track of crypto wallets and the transactions they make
Many different groups.
@user-in2cs1vp6o probably. There are also known market places where you can buy youtube channels, they go up in value a lot depending on what you are looking for, for example channel age, number of subscribers, monetization, etc. Game accounts because of in-game valuable items, account age, no restrictions in place, hours played, rank. Many variables.
I wouldn't be surprised if the entire thing is sold as a Malware As A Service package. The stealer, the C2 servers, the crypto filler content when they do get access.
Lots and lots of groups from CIS. You can check out some Russian forums like Lolzteam, many of them do this collectively. But Lumma is kinda expensive, so there could be a more professional team.
The malware appears to be sending compressed files with your browser DB to steal your logged sessions. If you look at the packages sniffed in the proxy, they send multipart form data with a file attached. The files have a PK header, which could be a ZIP file. Have you tried to take a look at it? Would be cool if we can see what exactly they are scraping from victim PCs
Funny thing that, if you copy Firefox appdata file with passwords and logins, and then paste it to another PC with fresh Firefox, it will have all the passes from copied one. I guess this virus uses this vulnerability.
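As an added example (not code from the video or from any commenter), this is how an analyst could pull the attached file out of a proxy capture of the multipart upload described above, confirm it is a ZIP from the PK signature and list what the archive carries. The capture is constructed in the script itself; the field names, the filename and the archive contents are my assumptions, not values from the video.

```python
import io
import re
import zipfile

# Added example, not code from the video or its comments: parse a captured
# multipart/form-data upload, find the file part, check its ZIP signature.

ZIP_MAGIC = b"PK\x03\x04"

def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into (headers, payload) tuples."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        raw_headers, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in raw_headers.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        if payload.endswith(b"\r\n"):         # one CRLF precedes the next delimiter
            payload = payload[:-2]
        parts.append((headers, payload))
    return parts

def find_zip_uploads(body: bytes, boundary: str) -> list:
    """Return (filename, archive entry names) for every part that is a ZIP."""
    found = []
    for headers, payload in parse_multipart(body, boundary):
        if not payload.startswith(ZIP_MAGIC):
            continue
        disp = headers.get("content-disposition", "")
        fname = re.search(r'filename="([^"]*)"', disp)
        entries = zipfile.ZipFile(io.BytesIO(payload)).namelist()
        found.append((fname.group(1) if fname else "", entries))
    return found

def constructed_capture() -> tuple:
    """Constructed sample (not real traffic): browser files zipped into a form upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Chrome/Default/Cookies", b"sqlite placeholder")
        zf.writestr("Firefox/logins.json", b"{}")
    boundary = "----constructedBoundary"
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="uid"\r\n\r\nVICTIM-01\r\n'
            f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="data.bin"\r\n'
            'Content-Type: application/octet-stream\r\n\r\n')
    return head.encode() + buf.getvalue() + f"\r\n--{boundary}--\r\n".encode(), boundary
```

Run `find_zip_uploads(*constructed_capture())` to see the archive listing; on a real mitmproxy flow the body and boundary come from the request's Content-Type header instead.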
Eric you are criminally underrated you make some great cyber security content which I constantly find myself coming back to
Acai's OBS Plugin Incident was a different approach that ended up with the same
So anyone watching his streams on Twitch this is why chat has to remind him to not download any executables past 9pm his time (US Eastern)
I tried searching for it on YT and google and can’t find it, do you have a link for it?
Would be interesting to see if Smart App Control in Windows 11 can protect against these stealers. It should only allow "known reputable apps" to run, but I haven't seen anyone test that yet. It does have some false positives, but in an environment where security really matters, it might be a good idea to enable it if it does block these threats.
Will try it.
can you do a video on Valorant's anticheat software vanguard?
7:59 correct me if I'm wrong but MinGW is a C compiler for Windows. I think it uses gcc which is why it shows gnu here.
hope you're near Las Vegas! going to def con sure sounds like a lot of fun
hell- classic.
also funfact no one watched the full vid yet.
glad i dont do sponsorships.
edit: woah i was 1st (actually before eric)
Canadian endermanch
hi, Eric. what happened to the activator video? did you delete it or YT did?
Taken down by YouTube, I appealed.
@EricParker it seems YT has keyword filters for the subject of video. thanks for reply!
Yeah, since covid they started allowing AI to take down videos without review, sometimes it gets it wrong. On balance it is a good thing.
@EricParker are you going to upload that video again? YouTube or another platform?
This actually happened to me. Got a sponsorship from Stray (the game). Turned out to be a fake PDF. I ended up contacting YouTube via Twitter..
The hacker hacked my entire gmail account and locked me out entirely haha. Thankfully, YouTube did help me get my YouTube and gmail account back. Safe to say I invested in safety precautions and a key.
Love the recent videos!!! Keep it Upppp!!!
You should have responded that the download didn't work and that you would like a new link to see what else they would send you.
Awareness of these things must be brought.
We must raise awareness, we can't just keep losing our channels just like that.
sorry if you’ve been asked this before, but what is the software you use to monitor network traffic? i’m interested in downloading it, i thought it might be glass wire because that’s the only application i’ve heard that does something like this but I'm not sure
mitmproxy.
The setup I use is a wireguard VPN outside the VM. It can either be a second VM or the host (don't do if the host is windows).
Because of this, I will never log in to my account on my computer again until Microsoft fixes this problem
Was looking for a video like this after Nexus got hacked.
Sadly I've seen two channels that I had set the bell on with this happening to them. Got a vid notification that I clearly had not subscribed to before
Another great video
Controlled folder access says "unauthorised changes" in the description, so it defends against suspicious, high entropy writes that you would see when a file is encrypted for ransomware, nothing else.
Man I need to look at those obvious spam emails in VMs now
Do a video on the new windows WiFi vulnerability
Did you report the website the data was sent to as malicious, so it could be taken down?
you're right, one could notify cloudflare for abuse and boom, cloudflare protection gone from the site
Why don't anti-virus software auto flag reading of cookies in browsers? I can only think of one scenario where it could be useful and that would be installing a new browser and moving all your data over. Or if anything detect the behavior of copying and sending of the cookies file over the internet. I can't think of a use for it not being flagged.
you are so clever! great works man
When hackers sent malware to PC Security Channel I laughed, now I question their IQ level
It's likely automatic
@chri-k Ye but still pretty funny
Btw on which ending did you finished oneshot? Besides Solstice
@vladik_yt3186 I don't even remember anymore due to seeing so many let's plays of it. I think it broke the sun?
@chri-k Good boi
props to you for doing these daily uploads you saw the algorithm was in your favor and you took action and now you’re on your way to become a full time tuber GZ
At 70 mb that is a RAT for sure.
One of my favorite things about these videos is how in most of his Windows VMs he sets the username to Lain
Actually 2 of the biggest gaming channels in sweden got hacked exactly like this today with tesla lives running on the channels.
Good Work!
7:45 I’ve found that sometimes VirusTotal won’t detect malware at all in a file (Kaspersky, Malwarebytes, etc) but upon scanning it on my own system it finds malware, does anyone know why this is the case? I’ve also had a case where a scan didn’t detect any issues (Malwarebytes) but a day later a file I had on my pc for a long time that I created got flagged.
many possible reasons like versions or timing or sigs but did you actually only scan it or also run it? I would like such sample if you are able to scan it with both at same time and both of them showing different results.
@PaLaS0 I believe it was only scan. It has happened very few times but I do remember distinctly the different results. I’m not too familiar with how virus scanners work but I thought maybe it saw a potential vulnerability with how the file would interact with other files on my computer specifically in comparison to the sandbox in virustotal but I’ve got no idea.
That fucking restart at 10:33 scared the shit out of me. I thought I restarted my own pc
not the polish email address
I remember watching a video from 2009 called shreks crap or something it wasn't an sml video but it was funny but unfortunately it was deleted along with the channel and I never could watch the video again so all i have now is the memory of it
😔
Day 1 of asking Eric to collab with The PC Security Channel because they sound like the same person
TPSC sounds more "bright"
@electrolyteorb and eric sounds like tpsc with a voice changer
Miss your Activation exploit vid too bad YT censored
2:48 lain mentioned
8:43 PK header is a zip file
8:14 zip files always start with PK, so those are all non encrypted zip files
This definitely happened to quelaag
The hacker who wanted to hijack Eric Parker's channel to promote Tesla bullshit: "GOD DAMMIT, WHERE IS HIS CHANNEL"
About time this legend is talking about this Elon Musk Tesla live stream scam, about damn time
The zip file should have the MOTW. Why doesn't it? If it did, SmartScreen would block the unknown executable.
smart..
I like your user name for your file
They sent Mr. antivirus a malware and thought they will go unnoticed, *amateurs*
How WHAT happens to my favorite YouTube Channels?
"PK" prefix means its a zip file
Tristan Tate but computer science
That's exactly what I was thinking. Sounds so much like him.
dont pull a LTT and have it happen to you now lol
bro
lain
Hello
Hi eric
Of course Russian 🙄
classical scam now 😂
hi
Oh eric my love i will die for you my lebron my pookie❤
Is Lumma sold with domains, too? Because this .shop domain is the same pattern as the one from your "Tracking Malicious "Tutorials" on YouTube" video, and the API is the same. Was thinking it may be the same actors, but I guess it might also be a full package you get from them?
API and the software is the same, AFAIK you set it up on your own domain / server.
Most stealer sites look roughly the same, many will also feature a special useragent to make DoS'ing it a bit trickier.
As a Russian I can say, we love Elon Musk. Thx for scam scheme.
If they got Linus tech tips like this, they should stop making videos asap.
It's actually easier (in general) to hack enterprises than random people. If you want to hack my channel you have to hack me, if you want to hack linus, there are 100 employees of varying levels of tech savviness that could be compromised.
@EricParker this, they probably have editors that don't know about PCs but are great at editing videos
Ween
50th
i love when elon gives free crypto!!!!!!!!11
bro just tried to base64 decode an encrypted payload lmao
thats about as far as his malware analysis abilities go lol
Yes, I cringe every time when I see that lol @丷
where's the issue with that?
@chri-k you can tell just by looking at it that it's nowhere near base64. rookie mistake.
@AlphaOmegaSigma It looks exactly like base64. In fact, there is a 99% chance that it is base64.
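As an added example (not code from the video or from any commenter), a small triage routine for the disagreement above: check whether a blob is plausibly base64 by alphabet and length, decode it, and then look at what came out, because a blob can be base64 and still decode to encrypted or compressed bytes. The 95% printable threshold, the 7.0 bits/byte entropy cut-off and the constructed "ciphertext" sample are my own choices, not anything from the video.

```python
import base64
import hashlib
import math
import re

# Added example, not code from the video or its comments: is it base64, and
# if so, does it decode to text, a known file type, or high-entropy bytes?
B64_RE = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")

def looks_like_base64(blob: bytes) -> bool:
    """Alphabet check plus the length rule: standard base64 is a multiple of 4."""
    s = blob.strip()
    return bool(s) and len(s) % 4 == 0 and B64_RE.match(s) is not None

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means random-looking, English text is roughly 4-5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(blob: bytes) -> str:
    """Label a blob by what it is and, if base64, by what it decodes to."""
    if not looks_like_base64(blob):
        return "not-base64"
    raw = base64.b64decode(blob.strip(), validate=True)
    if raw.startswith(b"PK\x03\x04"):
        return "base64-zip"
    if raw.startswith(b"MZ"):
        return "base64-pe"
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in raw)
    if printable >= 0.95 * len(raw):
        return "base64-text"
    return "base64-high-entropy" if shannon_entropy(raw) > 7.0 else "base64-binary"

def constructed_ciphertext_b64() -> bytes:
    """Constructed stand-in for an encrypted payload: deterministic
    pseudo-random bytes (chained SHA-256 digests), base64-encoded."""
    return base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64)))

if __name__ == "__main__":
    for sample in (b"aGVsbG8gd29ybGQ=", constructed_ciphertext_b64(), b"not base64!!"):
        print(sample[:24], "->", classify(sample))
```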
Drop your xmr address for defcon ticket
Appreciated
84zByvq2sPRWBNmbu7NfcFP5LYzR3fyU9CAPUnfs8au6BwNf4f2cqweFKqoaSXw7Ga4BYHgzbJNRqfbTfrYvtigHJYZsA59
lain