I have many email addresses. It was up to seven for a while there, but now I’ve got it down to a more manageable four. With all these email addresses, I sort through an awful lot of spam, much of which is from scammers who want nothing more than for me to click a link or open an attachment so they can rob me blind.
We all know: yeah, yeah, don’t click the links. But really, how does this work and how bad it can get? My partner sent me an email yesterday with the following spam/scam/phishing horror story that I’d like to share.
I hope this explanation of the mechanics behind this helps inspire you to be ever vigilant about not falling for these scammer tricks.
It’s those damn cookies
Recently, the very popular YouTube channel Linus Tech Tips was taken over by hackers. It started with an email very much like the ones we all get all the damn time:
Your account transfer is complete, click here for the details. — Thanks for meeting with me last week, the document I was telling you about is attached. — We’re hiring! Click here for more about our job opportunities.
Linus or one of his staff received an email that appeared to be from a company that sponsored his YouTube channel before, or maybe it was a new company. The email included a PDF attachment which was supposed to be a proposed sponsorship business agreement. It looked like emails that they received before from various companies. Linus or someone on his staff opened the PDF, glanced at it, and closed the file.
The PDF contained a script that copied all the web browser cookies from Linus’s computer to the hacker’s computer. That’s all the hackers needed to log onto Linus’s various services without any additional authentication. The hackers started streaming a live feed on Linus’s YouTube channels about cryptocurrency which included links to scam websites that offered cryptocurrency investments, which of course, steal your cryptocoin.
Linus and his staff were alerted in the middle of the night and tried to recover control over their YouTube channels, but the hackers kept getting control back. The cookies they stole made their browsers look just as authentic to YouTube as Linus’s cookies. Linus’s channels are big enough so that within a couple of hours, YouTube stepped in and invalided all the session cookies for their logins, and Linus got control back.
This type of hack has been happening with increasing frequency according to organizations that track such things. Some smaller YouTubers never get control back and just abandon their channel.
All of the things that you may be logged into — Dropbox, Google, company servers, banks, YouTube, whatever — all have cookies that, if copied from your computer, could give someone else complete access to those services. I’ve read that banks are a little more careful than some other services and record your IP address or location inside the cookie, so that the cookie will be rejected by the bank if it’s used from a different computer or location. That’s the rumor, anyway. I do not want to test to see if it is true. Obviously Google does not do that for their services to make it easier for clients who are logged in to access their servers from different computers and locations.
So, the moral of the story is to be very very paranoid about clicking links or opening attachments, even when they appear to come from someone you know. If you’re not expecting that email message, it might be fake.
My partner has his web browsers configured to delete all the cookies when the browser is closed. He also closes his browser after finishing his business with financial institutions and at the end of every day. I confess that not only do I keep all my cookies, I keep my browser with its many, many tabs open for weeks at a time. But I think I need to make a change to that…
Finally, when you get one of these scam/phishing emails, don’t just delete it. Report it by forwarding it to reportphishing@apwg.org (the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies). Honestly, I have no idea to what extent this helps, but maybe it does.
Thank you to the wonderful Dave Miller for writing this bulk of this post.
For a longer article about this story, see the Verge’s “How hackers took over Linus Tech Tips,” and definitely watch Linus’ own [entertaining] video about this on his YouTube channel.