YouTube sites in Korea being hacked by crypto promoters
Big-name YouTube channels — including those run by the Korean government, broadcasting companies and a popular hip-hop label — have fallen victim to hacker attacks, due primarily to loose security.
The YouTube channel of the Korean government was hacked around 3 a.m. on Sept. 3, according to the Ministry of Culture, Sports and Tourism. The name of the channel switched to SpaceX Invest, broadcasting a cryptocurrency-related video by Elon Musk.
On Sept. 1 and 2, YouTube channels of the National Museum of Modern and Contemporary Art and the Korea Tourism Organization were hacked in a similar way.
Other big YouTube channels, including those of hip-hop label AOMG, were hacked earlier this year. In July, seven channels under the local broadcaster SBS and magazines, such as Vogue Korea, were attacked.
Individual YouTubers are no exception. A popular camping YouTube channel with 560,000 subscribers was attacked and used to share a video promoting illegal download software.
Security industry insiders suspect the attackers deliberately chose the early period of the Yoon Suk-yeol administration to attract more attention.
"It is difficult to identify the real purpose of the attackers, but it looks like hackers are trying to draw attention by hacking big YouTube channels and uploading cryptocurrency-related videos," said Park Tae-hwan, team leader at AhnLab's security emergency response center.
"Targeting the government's channel would have been to gain attention amid sociopolitical changes taking place.
"Each organization should check their security response system as now may be an experimenting period for bigger attacks."
Experts say the bigger a channel is, the easier it is to hack, because its password is shared among many people.
In the case of the Ministry of Culture, Sports and Tourism YouTube channel hacked earlier this month, the password had been shared with several subcontractors and the staff in charge of the channel.
"If the attack was on the YouTube platform itself, the damage may have been bigger and Google would have released an official announcement," said Kim Seung-joo, a cybersecurity professor at Korea University.
"But this was not the case.
"Administrators of these channels should be more alert."
The three typical methods are information-stealing malware (infostealers), phishing attacks and credential stuffing.
Infostealer malware is spread through spam e-mails and through attached files shared on various websites, and it steals usernames and passwords saved in web browsers.
Infostealers accounted for 66.7 percent of all malware observed in the first half of 2022, according to AhnLab, an antivirus software company in Korea.
A phishing attack is another way. Attackers set up fake copies of social media sites and send e-mails claiming that the user's account will be locked or that someone has tried logging in to it. Once the user opens the e-mail, clicks the URL it contains and logs in through that URL, the username and password are immediately handed to the attacker.
Credential stuffing, a method in which hackers collect stolen account credentials and attempt to log in to other services with them, is another way attackers take over users' accounts.
Stolen usernames and passwords can be sold on the dark web, which is usually not accessible through regular browsers. There are also cases where company insiders are approached to assist in an attack.
Most IT service providers, including Google, Meta and Naver, provide login records. If login attempts are found from South America, the Middle East or Southeast Asia, it is highly likely that the user's credentials have been shared on the dark web, or that the hacker is deliberately making the account appear to have been accessed from multiple countries by using IP address-changing software.
Enabling two-factor authentication can help block such access, according to security experts.
Not opening URLs or attached files received from untrustworthy sources, and changing passwords every three to six months, are also recommended.
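The login-record review described above, as an added example that is not from the article or from any provider it names: it runs two checks over constructed login records, flagging successful logins from a country outside an account's usual set, and source addresses that attempted many distinct accounts (the credential-stuffing pattern). The record fields, the per-account baseline and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample login records (not real data). One shared channel
# account and two editors; 198.51.100.7 is the suspicious source.
LOGIN_RECORDS = [
    {"ts": "2022-09-02T09:10", "user": "channel-admin", "ip": "203.0.113.5", "country": "KR", "ok": True},
    {"ts": "2022-09-02T09:12", "user": "editor-a", "ip": "203.0.113.9", "country": "KR", "ok": True},
    {"ts": "2022-09-02T09:15", "user": "editor-b", "ip": "203.0.113.9", "country": "KR", "ok": True},
    {"ts": "2022-09-03T02:50", "user": "editor-a", "ip": "198.51.100.7", "country": "BR", "ok": False},
    {"ts": "2022-09-03T02:51", "user": "editor-b", "ip": "198.51.100.7", "country": "BR", "ok": False},
    {"ts": "2022-09-03T02:52", "user": "channel-admin", "ip": "198.51.100.7", "country": "BR", "ok": True},
]

# Countries each account normally logs in from (constructed baseline;
# in practice derived from the provider's login history).
BASELINE = {"channel-admin": {"KR"}, "editor-a": {"KR"}, "editor-b": {"KR"}}


def unusual_location_logins(records, baseline):
    """Successful logins from a country outside the account's baseline."""
    return [
        r for r in records
        if r["ok"] and r["country"] not in baseline.get(r["user"], set())
    ]


def credential_stuffing_sources(records, min_accounts=3):
    """Source IPs that attempted at least min_accounts distinct accounts.

    One address cycling through many usernames (success or failure) is the
    signature of a stolen-credential list being replayed against the service.
    """
    accounts_by_ip = defaultdict(set)
    for r in records:
        accounts_by_ip[r["ip"]].add(r["user"])
    return {
        ip: sorted(users)
        for ip, users in accounts_by_ip.items()
        if len(users) >= min_accounts
    }


if __name__ == "__main__":
    for r in unusual_location_logins(LOGIN_RECORDS, BASELINE):
        print(f"unusual location: {r['user']} from {r['country']} ({r['ip']}) at {r['ts']}")
    for ip, users in credential_stuffing_sources(LOGIN_RECORDS).items():
        print(f"possible credential stuffing from {ip}: {', '.join(users)}")
```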
To find out if user account information has been leaked, navigate to Korea Internet & Security Agency at https://kidc.eprivacy.go.kr.
BY KIM JUNG-MIN