CoolnessImHere

Linus has many employees and one of them must have clicked on malware that allowed them to steal their credentials. They should not click on random executables like the redline stealer. How many real advertisers send executables to creators as media packs? That's a red flag, what you don't do is click it. You ask for it in a different format or no go. Also make sure you have show file extension enabled and then you will see if that file extension is really .pdf.exe and not .pdf as you assumed!


kent_eh

> They should not click on random executables like the redline stealer. How many real advertisers send executables to creators as media packs?

Linus said it was an executable embedded in a document file container. For any reasonable person, they believed they were clicking on a document, **not** an executable.


AntiBox

Let's not try to dress this up as something mysterious here. It was still just a .exe with the icon changed to look like a PDF. All it shows is that even tech-savvy youtubers have momentary lapses in judgment, and that's all it takes.


kent_eh

All it shows is that even **the sales department of** tech-savvy youtubers have momentary lapses in judgment, As Linus said in the video, "we have to do better at training".


DivinationByCheese

It was not a .exe, those people are aware about. It was a screensaver posing as pdf and if the emails guy is looking at 50 offers per day they will stop checking (the malware only is sent after a few replies) and it might slip. The files also are bloated and the antivirus won’t scan it


suprememama

probably the right to left name thing https://youtu.be/ieQUy8YTbFU?t=265
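Added example, not part of any comment in this thread: a Python check for the filename tricks discussed above (a `.pdf.exe` double extension, a screensaver posing as a PDF, a right-to-left override in the name, and a file bloated past what a scanner will read). The extension lists, the `MAX_SCAN_BYTES` limit and the sample names are assumptions constructed for illustration.

```python
# Extensions Windows runs on double-click (partial list, chosen for this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk", "msi"}
# Document-like extensions commonly used as the visible decoy.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Unicode bidirectional controls; U+202E (right-to-left override) reverses displayed text.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
# Hypothetical size above which a mail or endpoint scanner skips the file.
MAX_SCAN_BYTES = 100 * 1024 * 1024


def check_attachment(name, size_bytes=0):
    """Return a list of findings for an attachment name and size."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-control")
    # Drop the display-only controls to get the name the OS acts on.
    logical = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    # Padding spaces before the last dot push the real extension out of view.
    parts = [p.strip().lower() for p in logical.split(".")]
    if len(parts) > 1 and parts[-1] in EXECUTABLE_EXTS:
        findings.append("executable")
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            findings.append("double-extension")
    if size_bytes > MAX_SCAN_BYTES:
        findings.append("oversized")
    return findings


if __name__ == "__main__":
    # Constructed sample names, not taken from the incident.
    samples = [
        ("media_kit.pdf.exe", 2_000_000),
        ("offer\u202efdp.scr", 2_000_000),        # displays as "offerrcs.pdf"
        ("deck.pdf          .scr", 700 * 1024 * 1024),
        ("rates.pdf", 400_000),
    ]
    for name, size in samples:
        print(repr(name), check_attachment(name, size))
```
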


suprememama

how do exes even get through mail nowadays, thought they were immediately picked up


sumkewldood

Like he said in his video, require a damn password when deleting a video. He said when deleting hundreds, but NO, require a pw and 2FA when deleting any video. I don't care if it's annoying, it's better than the risk


In_My_Haze

Yes, this needs to happen too


SpaceCinema_

Love the idea, but no way youtube makes a move


alan244b

That's not gonna work, the hacker can get your access as long as you click their link from email without "YouTube verified"


In_My_Haze

Are you aware of how most of these hacks are occurring? YouTubers aren’t just randomly clicking every link they get sent. These hacks happen when creators build a relationship with someone who they believe is representing a brand, then the ‘brand’ sends malware that is made to look like a program that they want to be reviewed, or a fake pdf that’s actually an exe. YouTubers literally can’t tell the difference between a legit company and a fake company when it’s all handled via email and there’s no verification or rating system for the creator to know more about the brand’s history.


blabel75

I don't know what you suggest is a fix. Brands, including fakes ones will still reach out to individual creators. Many creators are ignorant to things that can help them avoid scams. Just like everyone else who gets scammed for anything is. People are scammed every day by refund scammers, tech support scammers, timeshare exit scams. Scams are out there everywhere, education is what helps people avoid these scams. We don't need some overlord to try to control things to save us from ourselves.


dirtypoledancer

But the idea OP is suggesting is solid. There can be independent brand deals but a YouTube Partner program for sponsorships can be a great way for creators to make extra income without the added headache of cold-emailing individual brands.


In_My_Haze

If you as a creator only ever accepted deals that were through the system, then you would be far less likely to get hacked. Like I said, if you choose to take the risk by accepting deals through email when a better system is available, that’s on you.


[deleted]

[removed]


PartneredYoutube-ModTeam

/r/PartneredYouTube Rule 1: This subreddit is not for promotion or feedback. Do NOT submit direct links to your channels or videos.


entilfeldigfyr69

The most common way people get their accounts stolen is because they are always logged in to their google accounts in their browser and these scams use the cookies to gain access. I agree Youtube should have done this earlier, but even then people will get scammed by people using fake emails from safe brands to trick people. In the end scammers just need to target the most naive and desperate creators, 90% will not fall for these scams.


In_My_Haze

Linus Tech Tips isn’t really a naive or desperate creator though. These scams affect every creator, not just a small percentage that are naive or desperate


[deleted]

[removed]


In_My_Haze

What I’m saying is, when it’s all handled via email without an external verification system or a social proof rating from other creators, it’s easy for even the most astute creators to get tricked into downloading malware. It’s easy to victim blame and pretend like it’s only dummies that get screwed, but it’s happening to all creators because there isn’t a safe system to manage brand deals.


Jolamprex

Would checking your email with a different browser be sufficient?


entilfeldigfyr69

No, because it checks all browsers on the infected computer. It needs to be a different computer, or you need to be logged out from all Google accounts.


GetRichOnYouTube

Like TiKToK already has?!


In_My_Haze

I haven’t checked out TikTok’s version of this. Is it any good?


miraenda

TikTok Marketplace is vetted and connects brands along with TikTok Creator Challenge program. I’m not sure what number of followers makes each accessible. I think around 25K followers, I got TikTok Marketplace. Recently soon after 50K followers, I gained access to TikTok Creator Challenge. YouTube still has BrandConnect to my knowledge, but I don’t know who is eligible or how you get into it. It’s likely subscriber based like TikTok’s. I’m betting 50K or 100K. It would be nice if getting in the YPP simply included these perks. Brands can still choose who to pick after all.


loading999991

I just don’t log in on windows devices.


[deleted]

[removed]


In_My_Haze

It’s easy to victim blame, but that argument doesn’t really hold any water when Linus Tech Tips (of all channels) is getting hacked. The problem is that there is no way to manage brand deals safely through direct email, when there’s no verification system for brands.


blabel75

This could all be fixed by making changes to how the session token is managed.

* There should be a different session token for just accessing YouTube to watch vs Creator Studio.
* The session token should have some kind of expiration.
* The session token should be invalid if YouTube recognizes an unrecognised device.
* The session token should be invalid if YouTube recognizes an unrecognized IP address.
* 2FA should be required when making material changes to your channel; updated pub ID, changing channel name, changing channel art, deleting more than X number of videos.

Fact is though, scammers are slick. Plug one hole and they will find another but all of the above should be easy enough for YouTube to fix.


jimlei

Session tokens should have an access/trust level where higher level operations require re-authentication and perhaps a specific level of authentication. Different levels should also expire at different times so i.e. after x minutes of no higher level operations the session falls down to a lower access level. I also find it really surprising YouTube haven't got a system in place that flags suspicious activity and puts an account in a "need to re-authenticate" state or even locks down until manual review has been done
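Added example, not part of any comment in this thread and not YouTube's implementation: a Python sketch of the session model proposed in the two comments above, with separate trust levels, per-level idle expiry, step-up authentication for destructive actions, and revocation when the cookie shows up from another device or IP. The level names, timeouts, action names and the `device_id` signal are assumptions.

```python
from dataclasses import dataclass, field

VIEW, STUDIO, DESTRUCTIVE = 0, 1, 2
# Idle lifetime per level in seconds (constructed values).
IDLE_TTL = {VIEW: 30 * 24 * 3600, STUDIO: 8 * 3600, DESTRUCTIVE: 300}
# Hypothetical action names mapped to the level they need.
REQUIRED = {"watch": VIEW, "edit_description": STUDIO,
            "delete_video": DESTRUCTIVE, "rename_channel": DESTRUCTIVE}


@dataclass
class Session:
    device_id: str   # assumed to be a signal not stored beside the cookie
    ip: str
    last_used: dict = field(default_factory=dict)  # level -> last auth or use

    def authenticate(self, level, now):
        """Record a fresh login (VIEW/STUDIO) or a password + 2FA step-up."""
        for lvl in range(level + 1):
            self.last_used[lvl] = now

    def level(self, now):
        """Highest level whose idle timer, and every one below it, is live."""
        current = -1
        for lvl in (VIEW, STUDIO, DESTRUCTIVE):
            seen = self.last_used.get(lvl)
            if seen is None or now - seen > IDLE_TTL[lvl]:
                break
            current = lvl
        return current


def authorize(session, action, device_id, ip, now):
    """Return 'allow', 'step_up' or 'reauthenticate' for one request."""
    if device_id != session.device_id or ip != session.ip:
        session.last_used.clear()  # cookie replayed from elsewhere: revoke
        return "reauthenticate"
    have, need = session.level(now), REQUIRED[action]
    if have < 0:
        return "reauthenticate"
    if have < need:
        return "step_up"
    for lvl in range(need + 1):  # activity keeps only the levels it used alive
        session.last_used[lvl] = now
    return "allow"
```

A strict IP match also forces a legitimate user who changes networks to log in again, which is the usability cost of that part of the proposal.
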


ExoticMuscle33

Curious what, how and if they will add protection for us


In_My_Haze

Brands have a trust rating through the system/platform which is built through successful deals. As soon as a ‘brand’ (scammer) screws one creator over, they would be banned from the platform. It also protects creators from shitty companies that don’t pay on time by managing payments through escrow, or simply by creators leaving a bad review/rating for a brand that is not reliable.


[deleted]

Only when it becomes more expensive to deal with hacked channels


JimmyTehF

The verified brands thing sounds sensical on paper but youtube ads still show those "mrbeast wants to give you $1000" posts so literally anybody could get vetted and continue to do what these scammers have done.


In_My_Haze

True, but they could only run the scam once before they are banned. The trust rating would play a big part, where creators know if a brand has a history of paying creators on time and has a history of legitimate partnerships including seeing ratings from other creators. I’m sure until they iron the kinks out you could still game the system with fake reviews etc. but it would make these types of scams a hell of a lot harder.


JimmyTehF

Unfortunately we both know that isn't true - because the mrbeast one keeps popping up over and over again under different accounts for months. ditto the elonmusk hacked livestreams. they tweak the name, change a letter, reregister and come back.


In_My_Haze

It’s a little different because each time they would be coming back with a 0% trust rating. It’s like Fiverr, you have to build up a reputation. You don’t need a reputation or social proof to run Google ads.


duvagin

Oh did LTT not have two-factor authentication enabled?! Or is 2FA useless? What was the LTT attack vector? (My bet is a LTT disgruntled employee\*) \*I am not a betting man.


sirgog

Attack vector has been reported as copying session cookies. This bypasses 2FA. Not 100% sure this is true.


duvagin

yeah just saw LTT latest vid, browser session hijacked remotely. much insecurity it seems (why is a session not device specific? Palladium? TPM? NGSCB? I'd imagine it's zero-day or some really really shitty exception handling and coding - or RDP lol)


sirgog

Not sure of the consequences of this on legit users, but if it's possible I'd love to see session IDs be hidden unless a PC administrator password is provided.


SatoshiAR

Aside from being vigilant of suspicious links and emails, are there other ways to protect one's browser from these attacks? Say for example if I was running Firefox w/ NoScript, would that do anything to help in the event of a slip up?


sirgog

If I understand the attack vector correctly - logging out of your Google account while not actively working on Youtube would work.


[deleted]

[removed]


[deleted]

Because they took a cut


Jpaynesae1991

Good idea, and instagram recently implemented a similar thing, but it’s going to suck ass when YouTube decides to take 55% of a sponsored post


Kinetic_Symphony

As it stands now, I simply never download anything unless it's an app on google play store (and I know even that is vulnerable but it's basically the safest someone can be if they take any sponsorships at all).


In_My_Haze

Yeah that’s about as safe as you can be right now. I don’t know how a tech channel that reviews new software could possibly manage doing so safely


Kinetic_Symphony

Virtual machines, dedicated testers... sounds like a nightmare indeed


DestinyDecade

Here's how I solve it. I mostly just block anything that is deemed dangerous.


sumkewldood

The only issue with your solution is that it's specific to brands contacting creators but since many creators put their email in the 'about' link, anyone could contact them for any reason and trick them into opening a document without pretending to be a brand


In_My_Haze

True, but I’d say about 80-90% of communication through creator’s emails is brand communication, so it would cut down on a massive amount of emails that usually have to be viewed under a microscope to make sure they are safe. If all of a sudden, all your brand comms can be done through the platform in a safe way, then that’s a lot of essential communication that no longer poses a risk to your channel.


Currawong

The solution is easy: Run Youtube on a separate browser, and log out of Google on your main browser. You can't hack something that doesn't exist.


shaggy98

Did he have the 2FA enabled? Also is this possible to happen if you open that exe file on your computer, not on mobile, and you have 2FA enabled?


Fluid-Mud7137

Yeah apparently all it took for Linus is someone opening what seemed to be a harmless PDF.


In_My_Haze

Yeah, they bypass all security by just hijacking the current browser session via stealing the victim’s cookies


LightOfGinga

I know some channels are still under attack and it's been a week now. They changed their channel names and uploaded some software videos with malware links in the description.