Now Reading
Explaining The Recent ‘Hack’ Of Linus Tech Tips YouTube Channel

Explaining The Recent ‘Hack’ Of Linus Tech Tips YouTube Channel

by Low Boon ShenMarch 31, 2023
What's your reaction?
Me Gusta
Sad Reacc

Explaining The Recent ‘Hack’ Of Linus Tech Tips YouTube Channel

For 15 million people at least, they probably are aware of the channel Linus Tech Tips – one of the biggest tech YouTube channel out there. But as big as they are, they’re not immune to breaches – as the events unfolded last week has proven so. Since then, everything has been recovered and back to usual order, but what can we learn from this incident, and protect against attacks like these in the future for you, as a creator or just a regular user?

Rundown: It all started from a “PDF” File

Before that, you can read here on what happened that day, and details of the incident across multiple Linus Media Group (LMG) channels. The simplest explanation: someone in the company (Linus says it’s from marketing team) accidentally opened a file containing malware disguising as a PDF file.

Explaining The Recent 'Hack' Of Linus Tech Tips YouTube Channel

The “PDF” file – which is 770MB in size (filled with junk data for the most part) to circumvent against antivirus scans. Image: The PC Security Channel (YouTube)

This is what we commonly refer as ‘phishing’ or ‘social engineering attacks’. As computer systems themselves are quite secure by itself given many modern safety checks across the system, but it won’t stop a user from unknowingly disable or bypass a security check if they are directed to do so, especially to those who don’t have as much knowledge relating to cybersecurity.

The file in question is referred as ‘info stealer’, and as the name implies, when executed through social engineering attacks (meaning, user opening the file) – the file will not open as a PDF, and will simply do nothing in plain sight. At this point, the user may be confused by this odd file that can’t be opened, but by the time they figured out something is off, the malware has already done its job and proceed to begin the next phase of attacks. Linus says all of these can be done as little as 30 seconds – most users wouldn’t notice a thing happening in this short time period.

‘Info Stealer’? What does it steal?

Linus Tech Tips YouTube Channel

LTT was hacked last week. Image: YouTube

You’d expect the info stealer would be looking for something like email addresses and password, since that is, in theory, all that matters to login websites. Well, that’s what Linus himself thought too, and he was scrambling for hours trying to reset passwords and 2FA (two-factor authentication), but to no avail. This kind of attacks do not require passwords or email to be known, attackers only need one thing – Session Tokens.

Session Tokens is a type of cookies stored in your device, which acts like a quick access keycard. Ever used the “keep myself logged in” feature on websites? When enabled, the website will save a session token to the device it’s logged into, so next time when you come back to the website, it’ll look for the cookie and skips the login process for you. Like a quick access keycard vulnerable to RFID cloning – Session Tokens are also vulnerable in this way, as malware can simply copy the cookie itself and grants attackers access to the account as if they’re physically there.

Am I Safe? What Can I Do?

We all have seen YouTube channels, big or small, get hijacked before – and the patterns are more or less the same, with crypto scams livestreaming on the compromised channel. If you’re just a regular user, this kinds of attacks are less likely to target you, the average Joe. Content creators however must pay extra attention to the file coming from emails. This video from The PC Security Channel has summarized on how such attacks work (including circumventing antivirus protections):

There’s a few security practices that you, regardless of who you are, are advised to do. First line of defense: knowledge. Pay attention to file types, NOT the icons. File icons can easily be forged, but filetype extensions are not: whenever you see something that ends with anything other than *.pdf, then it is NOT a PDF file. Example:

  • Marketing.pdf (this file is in PDF format, safe to open)
  • Marketing.pdf.exe (this file is in EXE format, hence this is a program, thus dangerous to open)
  • Marketing.scr (this file is a screensaver, while not an EXE, can still infect systems through different methods)

More importantly – Windows by default hides the file extension letters to avoid people from renaming it by accident. However this is also another design flaw that allows users to be tricked into opening the wrong file. To reveal file extensions, click on File > Options (Windows 10) or select ‘Options’ from the three dots (Windows 11), select View tab, and uncheck this option (highlighted):

Explaining The Recent 'Hack' Of Linus Tech Tips YouTube Channel 26

Now all your files should reveal their file extensions in their formats (such as .jpg, .mp4 and so on) – usually when renaming the file Windows will avoid it for you and will explicitly ask you in order to change the file extension format should you actually need to do so.

Second line of defense: Security. Should the social engineering attacks managed to bypass the human element, this is where antivirus can come in and block the malware from running before it delivers its payload. Microsoft’s own Defender antivirus contains some degree of behavioral detection, which will attempted to block any file performing suspicious activities such as bypassing security checks, generating new files, injects code into memory and any kind of common behavior seen in malwares. Other antivirus solutions should work in similar ways.

However, if all else fails, this is your final line of defense: Backup. While ransomware attacks aren’t as common as it used to be a few years ago, backing up data is still a very effective way of recovering from a badly compromised system, or if you’re unsure if the system has been totally clean of any bad actors. Having a multi-layer approach in security is important, and they make sure that if one were to be compromised, the other layers can still operate and protect the user in some ways.

Info Source: Linus Tech Tips (YouTube) | LMG Clips (YouTube) | TPSC (YouTube) | Microsoft | MalwareBytes

About The Author
Low Boon Shen
Is technology powered by a series of tubes?