How Linus Media Group Channels Fell Victim to Session Hijacking: A Cybersecurity Wake-Up Call

Dr. Mario J Pérez-Rivas
12 min read · May 7, 2023


Linus Sebastian, “Wake me up when I have a channel to upload to” [Source]

Linus Tech Tips, a popular technology YouTube channel with over 15 million subscribers, along with two other channels under the Linus Media Group owned by Linus Sebastian, recently fell victim to a debilitating cyber attack. The attacker used a technique known as session hijacking to compromise the channels and broadcast fraudulent content featuring Elon Musk discussing cryptocurrency. What’s particularly concerning about this incident is that the attacker did not need Linus’s password to carry out the breach.

In this blog post, we’ll delve into the details of session hijacking, the technique used by the hacker to carry out this attack. We’ll also analyze the response time of the security team involved in handling the incident. Additionally, we’ll discuss the impact of session hijacking on businesses and individuals, as well as provide tips on how to protect yourself against similar attacks.

Understanding Session Hijacking and its Mechanics

Session hijacking, also referred to as cookie hijacking (and often grouped together with the related attack of session fixation), is a type of cyber attack that involves stealing a user’s session token. This token is a piece of data that verifies the user’s identity after they log in to a website. Once an attacker holds this token, they can impersonate the user and carry out actions on their behalf without any additional authentication, such as a password: the server treats whoever presents the token as the user.

The process of session hijacking is illustrated in the sequence diagram below:

To make the concept concrete, the sample code below simulates the session token process: a token is created, the user is authenticated with it and performs actions on the website; then an attacker intercepts the token, impersonates the user, and acts on their behalf without any further authentication. The simulation highlights the weakness attackers exploit in session hijacking: possession of the token alone is enough to be treated as the user.

```javascript
function createSessionToken() {
  console.log("Creating a session token for the user");
  return "sample_session_token";
}

function authenticateUser(token) {
  console.log("Authenticating user with the session token");
  return token;
}

function performUserActions() {
  console.log("Performing user actions on the website");
}

function interceptToken(token) {
  console.log("Attacker intercepts and steals the session token");
  return token;
}

function impersonateUser(token) {
  console.log("Attacker impersonates the user using the stolen token");
  return token;
}

function performAttackerActions() {
  console.log("Attacker performs actions on the user's behalf without needing a password or other authentication");
}

function sessionHijackingExample() {
  // Legitimate flow: token issued, user authenticated, normal activity
  const sessionToken = createSessionToken();
  authenticateUser(sessionToken);
  performUserActions();

  // Hijack: the same token, once stolen, grants the attacker the same access
  const stolenToken = interceptToken(sessionToken);
  impersonateUser(stolenToken);
  performAttackerActions();
}

sessionHijackingExample();
```

The sample code contains several functions, including createSessionToken(), authenticateUser(), performUserActions(), interceptToken(), impersonateUser(), and performAttackerActions(). When the sessionHijackingExample() function is executed, it simulates the sequence of events, with each step printed to the console as it occurs. It’s important to note that this code is only a simulation and does not compromise any security or perform any real actions.

Session Token Extraction: A Look into the Linus Tech Tips Breach

In the Linus Tech Tips incident, one of Linus’s employees unintentionally downloaded malware when they tried to access a PDF file. The malware subsequently extracted the session token from the employee’s browser and transmitted it to the attacker. With the stolen token in their possession, the attacker could send requests authenticated as Linus, effectively bypassing the need for a password or two-factor authentication. To gain a better understanding of how this attack took place, refer to the attached diagram, which visually outlines the sequence of events that occurred during the breach.

Based on the workflow above and the educational code, we can describe the session hijacking used to attack the Linus Tech Tips YouTube channel as follows:

```javascript
function downloadPDF() {
  console.log("Employee attempts to download a PDF file");
  return false;
}

function downloadMalware() {
  console.log("Malware is downloaded instead of the PDF file");
  return true;
}

function infectBrowser() {
  console.log("Malware infects the employee's browser");
}

function extractSessionToken() {
  console.log("Malware extracts the session token from the browser");
  return "sample_session_token";
}

function sendTokenToAttacker(token) {
  console.log("Malware sends the session token to the attacker");
  return token;
}

function attackerAuthenticates(token) {
  console.log("Attacker uses the session token to authenticate as Linus");
  return token;
}

function attackerSendsRequests() {
  console.log("Attacker sends requests to the website without needing a password or two-factor authentication");
}

function linusTechTipsIncident() {
  const isPDFDownloaded = downloadPDF();

  // The expected PDF never arrives; malware is downloaded in its place
  if (!isPDFDownloaded) {
    const isMalwareDownloaded = downloadMalware();

    if (isMalwareDownloaded) {
      infectBrowser();
      const sessionToken = extractSessionToken();
      const stolenToken = sendTokenToAttacker(sessionToken);
      attackerAuthenticates(stolenToken);
      attackerSendsRequests();
    }
  }
}

linusTechTipsIncident();
```

Again, this is solely for providing a coding perspective and is not intended for attacking any site. The purpose is purely educational.

Unraveling the Stages of the YouTube Channel Hacks

Tech Channels Under Attack

The attack on the YouTube channels began when the Linus Tech Tips account was renamed to Tesla (“testlaonline1”) and started streaming a podcast-style recording of Elon Musk discussing cryptocurrency (see snapshot below).

“Linus Tech Tips” YouTube channel was renamed to “Tesla” with the username “testlaonline1” during the cyber attack.

First Urgent Alert

According to Linus Sebastian, he was notified about the cyber attack on the YouTube channels by Stephen Burke early in the morning on March 23rd, in the British Columbia time zone, which is assumed to be Linus’s place of residence.

Linus Tech Tips Fights Back Against Cyber Attack

The channel owner, Linus Sebastian, initially attempted to mitigate the attack by making the streams private, revoking the channel’s stream key, and resetting account credentials.

Linus Sebastian and his team, including his wife, worked to restore the channels by making the streams private, revoking the channel’s stream key, and resetting account credentials.

Despite these countermeasures, the attacker was able to quickly regain access and resume the live streams. This back-and-forth continued for a few hours, during which the Linus Tech Tips, Tech Linked, and Techquickie accounts were used to host the Elon Musk crypto streams.

The attackers gained control of the channel and launched a live stream featuring an old video of Elon Musk and other notable figures talking about cryptocurrencies.

Crypto Giveaway Scam Modus Operandi

Even though the streams were not scams themselves, they were connected to a deceitful website that promised to double the returns for every Bitcoin sent. The attack consisted of multiple phases.

Scammers designed a phishing site for a $100 million crypto giveaway [Source]

The scammers designed a sophisticated phishing website that claimed to offer a $100 million cryptocurrency giveaway and lured participants into sending their crypto assets to specific addresses with the promise of doubling their investment. The figures below provide more details.

The purpose of the live stream was to promote a fake cryptocurrency giveaway that promised to double the investments of those who participated. [Source]
Please, 🙏 do not send 💸💰 crypto to these addresses. These are the addresses as posted on the scam crypto web pages affiliated with the multiple Linus Tech Tips Media Group YouTube channel hijack, and are for educational and analyst purposes only. 🔍📈[Source]

The Scammers

The scammers were able to collect a significant amount of funds through the session hijacking, without returning anything to the victims. Analysis of transaction records revealed that they were able to steal $5,170.65 USD worth of Ethereum (after fees), $293.91 USD worth of Dogecoin, and $1,450.55 USD worth of Bitcoin, resulting in a total of $6,915.11 USD being scammed. Below, see a detailed transaction list:

The scammers received 293.91 USD worth of Dogecoin.
The hackers managed to scam 1,450.55 USD worth of Bitcoin.
Furthermore, the attackers were able to obtain a significant amount of funds through the session hijacking. According to our analysis, they were able to steal 5,170.65 USD worth of Ethereum (5,180.64 USD after fees).

End of the Scam

A YouTube spokesperson confirmed that they worked with the Linus Tech Tips team to secure and restore their account after being alerted about the unauthorized access. After a few hours, the accounts were deleted. However, they were restored a few days later to their status before the cyberattack.

The channels remained closed until March 25, 2023.

Forensic Analysis

After collecting the information above about the stages of the YouTube channel hack, it is necessary to analyze the attack in detail to understand what happened and what steps can be taken to prevent similar situations in the future.

The point of compromise

From the above description, the session hijacking can be primarily simplified as follows:

By examining the level of activity from both the channel owner and attacker, the key questions to consider are: who was the target, what was the motivation behind the attack, and what was the role of the platform owner or security team during the incident?

Target and Motivation

The Session Hijacking attack was specifically aimed at targeting crypto investors. In summary, the threat can be described as follows:

Threat actors are shown in gold, the attack vector in light blue, the targets/motivation in light green, and the impact in red.

The diagram illustrates the connections between the Perpetrators, Unknown Hackers or Hacking Group, and Scammers involved in the attack. The hackers employed techniques like Exploited Session Tokens and Bypassed Conventional Security Measures to target YouTube Channels. Meanwhile, the scammers set up a Phishing Website to deceive Crypto Investors into sending their assets to specific addresses. The motive behind both groups was Financial Gain, as indicated by their connections to the respective perpetrators. The impact of the attack resulted in the Loss of Control over the YouTube channels, Streaming Fraudulent Content, potential financial losses, and the Unauthorized Collection of Crypto Assets from deceived investors. The scammers were able to scam around $7,000 through their phishing campaign.

Incident Response Process

At this point, we will try to gather all available information provided by the channel owner. However, we must exercise caution, as no additional information has been provided by YouTube, the Google subsidiary responsible for security and incident response on the platform.

The timestamps are based on the GMT-7 time zone of Victoria, BC, as it is known to be the residence of Linus Sebastian. Additionally, the information was taken from the video published after the hack [Source]. The timeline may therefore be partially biased towards the attacked party and cannot be traced back to log files or any other verifiable records.

Based on the analyzed and refined information, we have derived the following noteworthy insights:

Insights derived from the analyzed and refined information

1. The security team received formal notification about the attack 20 minutes after Linus Sebastian, the owner, was informed. However, the session hijacking is believed to have occurred nearly 1 hour prior. This prompts the question: Can YouTube not monitor channels with millions of subscribers in real time and apply security protocols and surveillance tools to avert attacks?

2. Stephen Burke was the first individual to detect the hack. This leads to the question: How did Stephen become cognizant of the hack, and what evidence brought this discovery to light?

3. An additional question that emerges is: Why did Linus Sebastian attempt to remove everything independently? He mentioned that he did not know how to revoke credentials on his own, yet he undertook various IT-related tasks for several hours.

4. Comprehending YouTube’s typical standard procedure for managing such incidents is crucial. Are there no GPS-related logging mechanisms or other measures established to track and impede unauthorized access?

Financial Impact:

The Linus Media Group generates an estimated $1,592,032 per month from YouTube AdSense, with the amount varying depending on the number of video views received in a given month. This translates to approximately $52,067 per day and $2,169 per hour. The earnings for the most recent month would have been close to this estimation, as broken down in the following details:

Source

During the 5.1 hours of the attack, the Linus Media Group lost approximately $11,061.9. Further losses followed while the channels stayed closed for almost two days. Two days equal 48 hours, so the income lost during the closure is the hourly income multiplied by the hours the channels were closed: $2,169 per hour × 48 hours = $104,112.

👉💸💻💔 In summary, during the 5.1-hour attack and the subsequent two-day closure of the channels, the Linus Media Group lost a total of approximately $115,173.9 in potential YouTube AdSense revenue.

For educational purposes, see the Lua code below to compute the income loss during the cyber attack and channel closure. Note that we have not included the potential loss of followers or reputational damage as a consequence of this event. This cybersecurity analysis is intended only for educational purposes.

This Lua script calculates the total income loss for the Linus Media Group during the 5.1-hour attack and the subsequent two-day channel closure using the given constants. It then prints the results of the calculations.

Lessons Learned

The channel owner realized the importance of boosting 🚀 training and processes within their organization to avoid future attacks. He emphasized several key aspects that could contribute to strengthening the security of his channel:

Enhanced Training and Processes 📚: It’s crucial to educate oneself about potential security threats, best practices, and the latest cybersecurity trends. Regular training sessions, workshops, and simulations can help raise awareness and foster a proactive security culture. This includes teaching oneself how to recognize phishing attempts, use strong and unique passwords, and report suspicious activity.

Improved Security Options for Channel Attributes 🔒: The channel owner suggested implementing additional security measures for critical channel features, such as access control, video uploads, and live streaming settings. This can be achieved by introducing granular permissions and role-based access to limit potential attack vectors and minimize the risk of unauthorized access.

Rate Limiting and Authentication Prompts ⌛: Rate limiting restricts the frequency of certain actions, such as login attempts, within a specific time frame. This can help prevent brute force attacks and reduce the likelihood of unauthorized access. Additionally, implementing authentication prompts for specific actions, like changing account settings or initiating live streams, adds another layer of security to confirm the user’s identity.

Robust Session Token Policies 🎟️: Session tokens are used to authenticate users during their browsing sessions, and they can be vulnerable to hijacking if not properly secured. The channel owner proposed implementing time-based expiry for session tokens, which automatically logs users out after a predetermined period of inactivity, reducing the window of opportunity for attackers. Location-based authentication, which requires users to verify their identity when accessing the channel from a new location or device, can also help prevent unauthorized access.

By addressing these areas, the channel owner hopes to create a more secure environment 🛡️ for their channel and mitigate the risk of future cyber attacks 🕵️.

Considerations for Platform and Channels Owners

I would like to recommend that both the security team responsible for channel protection and the platform owner (YouTube) take the following steps:

🛡️ Prioritize security: This incident underscores the importance of prioritizing security, especially for high-profile channels and accounts. Implementing security protocols and monitoring tools can help prevent or mitigate attacks.

🔑 Regularly update credentials: It is essential for the channel owner to frequently update and change passwords and other credentials to deter unauthorized access. In this case, Linus Sebastian had difficulty removing credentials after the attack, suggesting they may not have been updated regularly.

📋 Have a formal response plan: Developing a formal response plan can help reduce the damage caused by an attack and ensure the channel owner is aware of their roles and responsibilities. This can also prevent confusion and delays in communication, which are crucial during an incident.

🔍 Monitor channels closely: While it may be difficult to track channels with millions of subscribers in real-time, it is vital to monitor them closely and respond quickly to any suspicious activity or unauthorized access.

🗣️ Be transparent and communicate with viewers: Following an attack or security incident, it is important for the channel owner to maintain transparency with viewers and communicate any updates or information about the situation. This can help preserve trust and prevent the spread of speculation or rumors.

By adhering to the points mentioned above, organizations and individuals can better protect their channels and accounts from potential cyber attacks.

👋 Thank you for taking the time to read this blog post. Your feedback is greatly appreciated as it helps me to continually improve my content. Your input is valuable to me and I look forward to hearing from you. Thank you again for your support and for being a part of this community. 🤗


Dr. Mario J Pérez-Rivas

Passionate about science, in love with technology, and committed to my entrepreneurial endeavors. https://www.dr-perez-rivas-consulting.com/