Desperate Gmail and YouTube users are turning to official and unofficial Google support forums after hackers take over their accounts, bypassing two-factor authentication security and then locking them out. Time and time again, the attackers appear to be part of a cryptocurrency scam supposedly giving away Ripple’s XRP to those responding.
04/13 updates below. This article was originally published on April 12.
Google Users Take To Support Forums As 2FA Hackers Target Gmail And YouTube Accounts
If you scan the various support forums for Google products such as Gmail and YouTube, including Google’s own official forums and those on Reddit, you will always see desperate people asking about account recovery. These usually relate to someone forgetting the password, having their phone stolen, changing telephone numbers and so on. However, when you see a pattern emerging of people whose accounts have been hacked despite having 2FA activated and being unable to recover their accounts, you know something out of the ordinary is happening.
“They changed the two-factor authentication… account recovery is not working and sends me on a loop.”
“The hackers changed the password and the phone number and also edited the two-factor authentication settings.”
“My account, which was 2FA authenticated, can’t login, password-box says in password changed 25 hrs ago. Cannot recover because the genius hacker has changed the recovery email to the same email, and deleted my number too.”
Aside from the number of accounts compromised despite having 2FA protection in place, there appears to be another common denominator in the form of Ripple Labs cryptocurrency—or, rather, scams leveraging XRP.
Ripple Labs Issues XRP Cryptocurrency Scam Warning
Ripple has taken to X in an attempt to spread awareness of the increasing spate of attacks against Gmail and YouTube accounts, which are then used to entrap readers and viewers with a variety of scams. The most common of these is what is known as a crypto-doubling scam, which promises to refund twice the amount of XRP that someone sends to what purports to be a genuine Ripple management account. Some of the compromised YouTube accounts have, for example, used deepfake-generated video of the Ripple Labs CEO, Brad Garlinghouse, for authenticity.
In an X posting published 11 April, Ripple Labs warns that it will never ask anyone to send XRP and points concerned readers to advice on how to avoid cryptocurrency scams.
How Hackers Bypass 2FA Security
The answer to the question, ‘How do threat actors hack 2FA security?’ is that they don’t. They simply bypass it altogether. It’s most likely that the users who have found themselves locked out of their Google account, with passwords and 2FA details changed to prevent them from getting back in, have fallen victim to what’s known as a session cookie hijack attack. This attack most often starts with a phishing email leading to malware that can capture the session cookies that are designed to help users log in more quickly, get right back to where they left off, and so on. The trouble is, if a nefarious actor can get hold of these cookies after a user has logged in successfully, then they can essentially replay them and bypass the need for a 2FA code. As far as the site is concerned, authentication has already been successful, the user is already logged in. Forbes contributor Zak Doffman has provided an overview of this attack methodology and some of the methods being employed to combat it.
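To make the mechanism concrete, here is an added example (not code from Google or from the original article) of a toy session store: 2FA is checked only at login, so a plain bearer cookie is accepted from whoever presents it, while a session bound to a device-held key is not. The class and function names are hypothetical, and the HMAC proof is a simplified stand-in for a real device-bound design, not the actual device bound session credentials protocol.

```python
import hashlib
import hmac
import secrets


def sign(device_key, challenge):
    """HMAC stand-in for the proof a device computes; the key is never sent."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


class SessionStore:  # toy server-side session table, constructed for illustration
    def __init__(self):
        self._sessions = {}  # cookie value -> {"user": ..., "device_key": ...}

    def login(self, user, password_ok, otp_ok, device_key=None):
        # The password and the 2FA code are checked here, once, and never again.
        if not (password_ok and otp_ok):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {"user": user, "device_key": device_key}
        return cookie

    def authorize(self, cookie, challenge=None, proof=None):
        """Return the user a request acts as, or None if it is rejected."""
        session = self._sessions.get(cookie)
        if session is None:
            return None
        key = session["device_key"]
        if key is None:
            # Bearer cookie: knowing the value is the entire check.
            return session["user"]
        if challenge is None or proof is None:
            return None
        # Bound session: the request must also prove possession of the key.
        expected = sign(key, challenge)
        return session["user"] if hmac.compare_digest(expected, proof) else None


def demo():
    store = SessionStore()
    bearer = store.login("alice", True, True)
    device_key = secrets.token_bytes(32)  # assumed to stay in device hardware
    bound = store.login("alice", True, True, device_key=device_key)
    challenge = secrets.token_bytes(16)  # fresh per request in a real design
    return {
        "bearer_cookie_copied": store.authorize(bearer),
        "bound_cookie_copied": store.authorize(bound, challenge, b"\x00" * 32),
        "bound_on_own_device": store.authorize(bound, challenge, sign(device_key, challenge)),
    }
```

The first result is the failure mode described above: the server has no way to tell a copied bearer cookie from the original. The second and third show the same cookie value being useless without the key that stayed on the device.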
Google Says Users Have 7 Days To Recover Hacked 2FA Accounts
I reached out to Google about the session cookie hijacking problem, which it acknowledged is a long-standing problem for account security across the internet. “There are techniques we use and continuously update to detect and block suspicious access indicating potentially stolen cookies,” a Google spokesperson told me, “in addition to pushing forward innovations like device bound session credentials.”
For those users whose accounts have already been hacked and their second-factor and recovery factors changed, all is not lost, according to Google. “Our automated account recovery process allows a user to use their original recovery factors for up to 7 days after it changes,” the spokesperson says, “provided they set them up before the incident.”
When it comes to general account security hygiene, Google recommends that users ensure their account is set up for recovery, so that there is less friction if they ever need to regain access for whatever reason. “For additional protection, we continue to encourage users to take advantage of security tools, like passkeys and Google’s Security Checkup,” the spokesperson concludes.
04/13 update: It’s not just scamming hackers looking to leverage one cryptocurrency or another that YouTube users need to be alert to, especially if they are gamers. Actually, let me pull focus a little tighter here: those YouTube users who are pirate gamers are most at risk. Threat researchers at Proofpoint have analyzed numerous YouTube channels that are distributing information-stealing malware and targeting the gamer community.
The Proofpoint Emerging Threats researchers say that a range of information-stealing malware is being disseminated via YouTube channels and purporting to be pirated video games or associated software cracks. Using video descriptions as bait, promising viewers tips on how to download video games for free, the links actually end up taking the user to sites delivering a malware payload instead.
If this all sounds bad enough already, be prepared as it gets worse. “Many of the accounts that are hosting malicious videos appear to be compromised or otherwise acquired from legitimate users,” the researchers said, and that’s not even the worst part yet. The postings also appear to be targeting a young demographic with links professing to be about games popular with children. Something, the researchers said, which makes this particular distribution methodology notable.
A range of different information-stealing malware was found to be distributed this way, including Lumma Stealer, StealC and Vidar. There were also, the researchers said, “multiple distinct activity clusters distributing information stealers via YouTube.” This means it isn’t possible to attribute the campaigns to any specific threat actor or cybercrime group. However, the common denominator is the technical methods employed, which were seen to be similar. Besides the gaming lures, the attackers all used similar antivirus-disabling instructions along with a method of bloating similar file sizes in an effort to get around security protections. What the Proofpoint researchers can say with certainty is that the attackers are persistently targeting YouTube consumers rather than enterprise users.
As for specifics, Proofpoint cites one compromised YouTube account with 113,000 users and a grey verification checkmark. Nearly all the videos posted by this account were more than a year old, and those all used the Thai language in the videos and their descriptions. However, there were also 12 new English-language videos posted within a single 24-hour period. These had English descriptions linking to malicious sites and were related to video game cracks. The researchers recommend YouTube users look for “significant gaps of time between the videos posted, content that vastly differs from previously published videos, differences in languages,” along with malicious links in the descriptions. The latter, sadly, is easier said than done for many.
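The warning signs the researchers list can be checked mechanically against a channel's upload history. The following is an added example, not Proofpoint's tooling or code from the original article; the function name, the thresholds and the sample data are assumptions, and it takes each video's language as already-known metadata.

```python
from collections import Counter
from datetime import datetime, timedelta


def review_channel(uploads, gap_days=180, burst_count=5):
    """Return the warning signs present in a channel's upload history.

    uploads: list of (datetime, language_code) tuples, one per video.
    gap_days and burst_count are assumed thresholds, not Proofpoint values.
    """
    uploads = sorted(uploads)
    if len(uploads) < 2:
        return []
    # Find the longest silence between two consecutive uploads.
    gaps = [(uploads[i + 1][0] - uploads[i][0], i + 1) for i in range(len(uploads) - 1)]
    longest, split = max(gaps)
    if longest < timedelta(days=gap_days):
        return []
    before, after = uploads[:split], uploads[split:]
    signs = [f"gap of {longest.days} days between uploads"]
    # Language of the older catalogue versus the uploads after the gap.
    old_lang = Counter(lang for _, lang in before).most_common(1)[0][0]
    new_lang = Counter(lang for _, lang in after).most_common(1)[0][0]
    if old_lang != new_lang:
        signs.append(f"language changed from {old_lang} to {new_lang}")
    # Burst: many uploads within 24 hours of the first post-gap video.
    window_end = after[0][0] + timedelta(hours=24)
    burst = sum(1 for when, _ in after if when <= window_end)
    if burst >= burst_count:
        signs.append(f"{burst} uploads within 24 hours after the gap")
    return signs


# Constructed sample shaped like the channel described above: an old
# Thai-language catalogue, then 12 English videos inside one day.
start = datetime(2022, 1, 1)
SAMPLE = [(start + timedelta(days=14 * i), "th") for i in range(20)]
resume = datetime(2024, 3, 1, 9, 0)
SAMPLE += [(resume + timedelta(hours=2 * i), "en") for i in range(12)]
```

Calling `review_channel(SAMPLE)` reports all three signs; a channel with steady uploads in one language returns an empty list. Links in the descriptions, the fourth sign the researchers mention, still need separate inspection.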
Across the course of its investigation, the Proofpoint Emerging Threats researchers said that they reported more than a couple of dozen accounts distributing malware to YouTube users. All of the reported content has been removed by YouTube.