Jump to content

No deal - where’s Simeon?


Fleer

Recommended Posts

Hello friends,
Friday I had the opportunity to get back on the horse and ride back into town with both guns blazing! It is so encouraging to have so many friends and viewers supporting and coming along with me in this life adventure, I am so grateful for that.

if you missed the live, here is the full replay. I unpack some of the aspects of the phishing attack, sharing my experience. I also take a look at a few instruments along the way.

Staying Joyful!

I'M BACK!!! Unpacking The Past Week

 

  • Like 9
Link to comment
Share on other sites

4 hours ago, Simeon Amburgey said:

Hello friends,
Friday I had the opportunity to get back on the horse and ride back into town with both guns blazing! It is so encouraging to have so many friends and viewers supporting and coming along with me in this life adventure, I am so grateful for that.

if you missed the live, here is the full replay. I unpack some of the aspects of the phishing attack, sharing my experience. I also take a look at a few instruments along the way.

Staying Joyful!

I'M BACK!!! Unpacking The Past Week

 

I just watched your video. I was quite inspired by your positivity. It's funny how the people who admit hubris are the least"hubrisome."

How did the vandals overcome your two-factor authentication? Which includes the question, what type of 2FA were you using? I'm considering getting a yubikey after watching your video. Man! Congrats on getting your account back!

  • Like 1
Link to comment
Share on other sites

4 minutes ago, Monomox said:

How did the vandals overcome your two-factor authentication?

As he explained, when he ran the program that they sent to him it used a Chrome extension to capture his browser session cookies. Since the hackers now had authenticated copies of the session cookies, they could impersonate him and take over the YouTube account.

Scary!!! 😧

  • Great Idea 1
  • Sad 1
Link to comment
Share on other sites

44 minutes ago, abacab said:

As he explained, when he ran the program that they sent to him it used a Chrome extension to capture his browser session cookies. Since the hackers now had authenticated copies of the session cookies, they could impersonate him and take over the YouTube account.

Scary!!! 😧

Yeah,
I had been using the Authenticator App when logging in but since they had the SESSION COOKIES (very important), that was how they got around it as it looked like they were using an authenticated device.
 

There is no more helpless feeling than getting a pop up on your phone while you ARE DRIVING asking "Is This You" and the location is the Netherlands, you click NO - NO - NO and try to pull over to change your password but it is already too late. They must use some sort of automation as it happened fairly quickly and mind you my computer was turned off. The Trojan was able to scrape the information it needed to take my Gmail account over and that was extra scary as they had access to my emails on that account. Needless to say, I am working on migrating to a new email address and phasing the compromised one out. 

it was and still is a very sobering experience and has ramped up my thought process on how to move forward more securely.

Thanks again to everyone for their support.

Joyfully,
Simeon

  • Like 4
  • Sad 1
Link to comment
Share on other sites

3 hours ago, Simeon Amburgey said:

Yeah,
I had been using the Authenticator App when logging in but since they had the SESSION COOKIES (very important), that was how they got around it as it looked like they were using an authenticated device.
 

There is no more helpless feeling than getting a pop up on your phone while you ARE DRIVING asking "Is This You" and the location is the Netherlands, you click NO - NO - NO and try to pull over to change your password but it is already too late. They must use some sort of automation as it happened fairly quickly and mind you my computer was turned off. The Trojan was able to scrape the information it needed to take my Gmail account over and that was extra scary as they had access to my emails on that account. Needless to say, I am working on migrating to a new email address and phasing the compromised one out. 

it was and still is a very sobering experience and has ramped up my thought process on how to move forward more securely.

Thanks again to everyone for their support.

Joyfully,
Simeon

I'm sorry this happened to you. I hadn't thought about clearing all cookies when closing the browser as a security measure, but that's where we are. Particularly, cookies for financial services. It's a PITA, but no 2FA will help you if they get hold of your cookies, unless the yubikey works differently and it's required for it to stay plugged in at all times. 

AI will empower the little guys in their scamming, phishing and hacking endeavors, so regular folks like us will see attacks directed to us more often. Not trying to be pessimistic, but it's better to be prepared. It used to be easy to detect phishing attempts because of how badly they were written, but now AI can write that kind of thing. 

Also, they seemed to be in the Netherlands, but they were probably using a VPN, so who knows where these people were located.  

I'm glad everything worked on your favor and that Youtube/Google provided the help that they sometimes don't.

  • Like 1
Link to comment
Share on other sites

8 hours ago, Monomox said:

I hadn't thought about clearing all cookies when closing the browser as a security measure, but that's where we are

I'm guessing the malware app uploaded the cookies immediately after it installed the Chrome extension, so (unfortunately) clearing cookies when closing the browser wouldn't help much if that was the case.

8 hours ago, Monomox said:

It's a PITA, but no 2FA will help you if they get hold of your cookies, unless the yubikey works differently and it's required for it to stay plugged in at all times. 

I don't know much about how a Yubikey works; I'm guessing that it works in the same way though - it generates a one-time-pad (similar to the 2FA), rather than having YouTube constantly checking it like a dongle. I'm happy to stand corrected if wrong though.

Link to comment
Share on other sites

12 hours ago, Simeon Amburgey said:

The Trojan was able to scrape the information it needed to take my Gmail account over and that was extra scary as they had access to my emails on that account. Needless to say, I am working on migrating to a new email address and phasing the compromised one out. 

I would guess that your emails were safe from (roughly) the time you pressed No. My guess is that the active cookies got them into the account, that flagged the login verification, and then when you pressed No it initiated something to lock the account out - maybe invalidating the cookies on Google's end to force a logout.

It's a good idea to migrate, but I don't think they would have had access for too long. Please bear in mind that this is just my guess - I don't have any knowledge about how Google's systems actually work.

  • Like 2
Link to comment
Share on other sites

I'm very happy to see you back. I like your videos and enthusiasm. I even watch when I have absolutely no interest in the product.

Now I'm no IT expert, but it seems to me that just taking over cookies for acces to your account is not exactly watertight. In my opinion, a better solution would be that the "is this you?" email would require you to take action and not just "ignore if this is you". Then again, if they have your email, that would render it mute. Hmm 🤔 

  • Thanks 1
Link to comment
Share on other sites

4 hours ago, Nick Blanc said:

I'm very happy to see you back. I like your videos and enthusiasm. I even watch when I have absolutely no interest in the product.

Now I'm no IT expert, but it seems to me that just taking over cookies for acces to your account is not exactly watertight. In my opinion, a better solution would be that the "is this you?" email would require you to take action and not just "ignore if this is you". Then again, if they have your email, that would render it mute. Hmm 🤔 

Nick, the “is This You” was actually a YouTube app prompt. 
it send a prompt notification to verify a login attempt, you select Yes or No  to confirm. I was selecting NO but the deed was already done and they wasted no time. I was able to see a complete timeline of each step looking at my Google account activity log.

  • Sad 1
Link to comment
Share on other sites

5 hours ago, Simeon Amburgey said:

Nick, the “is This You” was actually a YouTube app prompt. 
it send a prompt notification to verify a login attempt, you select Yes or No  to confirm. I was selecting NO but the deed was already done and they wasted no time. I was able to see a complete timeline of each step looking at my Google account activity log.

I bet they have most of their workflow automated. So by the time you even realize YT is asking for verification, the password has already been changed.

They used your channel to livestream some stuff, what else did they want? Money?

There's a combination of things that should make it almost automatic for YT to return the account to you: a) changed passwords, b) from an unusual location (within minutes (seconds), your account had activity from the U.S. and the Netherlands), c) drastic changes in content (they made ALL your videos private). I can't imagine a scenario where all those things happen at the same time in normal circumstances. YouTube should be smarter about this.

  • Like 1
Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
×
×
  • Create New...