Unidentified attackers appear to have gained access to an account used to manage Vevo YouTube channels. However, it is reasonable to assert that the attackers weren't prepared for their attack to succeed in the first place.
First Published 13th April 2018
Sympathy for the record industry?
3 min read | Reflare Research Team
Unidentified attackers appear to have gained access to an account used to manage Vevo YouTube channels. Vevo is a conglomerate of several music publishers who jointly publish their content on YouTube and other channels for monetization. Since it hosts official versions of popular pop songs, Vevo is one of the largest YouTube channels by view count.
After attackers gained control of the Vevo account they took some videos down altogether and replaced others with violent imagery.
How did this happen?
Official statements by YouTube claim that the Vevo account was compromised through no fault of YouTube. This would indicate that a password was either guessed, stolen, or acquired by social engineering and/or insider action. Such attacks are quite common and often employed by attackers of all skill levels. While the public image of cyber attacks is very technical, many real-world attacks rely on such basic password guessing or stealing mechanisms. YouTube’s statement is credible since only Vevo videos were affected. If an attacker had breached the security measures of YouTube itself, much more lucrative attack monetization strategies would be available.
Overall, the easy-to-detect deleting and replacing of videos indicates that the attackers were, like the proverbial dog that caught the car, unprepared to convert their success into material gain.
Protecting user accounts
Stolen or guessed user account credentials are at the core of a surprisingly large percentage of cyber attacks. It is thus important for individuals to follow 5 basic rules when using passwords:
1) Your passwords must be random
2) Your passwords must be unique for every service
3) You may not share or write down your passwords
4) Use Two-Factor Authentication whenever possible
5) Always verify the identity of the site before entering your password
Organizations must additionally take care to:
6) Enforce rules (1) - (5) for all members
7) Restrict access for every member as much as possible
8) Remove access for users leaving the organization
9) Prevent sharing of accounts between several individuals. Training and awareness programs may help in increasing compliance with such rules within the organization.