I'm sure many if not most of you saw that LTT (Linus Tech Tips) was hacked the other day. They're far from alone; in fact it's happening to hundreds if not thousands daily on YouTube alone, Google isn't/wasn't doing much about it, and it can happen to your account as well, and not just for YouTube or Google.
Note: this initially looks like your typical fake-extension email attachment scam. It's not.
So how it happens is this: you get an email (in LTT's case it was disguised as a rules violation notice), and it often includes an attached file. Yeah, yeah, you know about the extensions trick, but what you may not know is that it's not always a PDF or exe file. Heck, it doesn't even need a second, hidden extension; it can be a .com file. Meh, big deal, right? Well, actually this is what makes even experts get fooled, because now it can simply look like a legitimate web link: instead of clicking a link to Youtube.com you're actually opening an attached file named Youtube.com without any other extension. You could get a file or link named Google.com, Geekhack.com, yourbank.com or anything else and it will simply look like an innocent, legitimate link to a website, because it IS a link. Once clicked, nothing appears to happen, giving a false sense of security. In actuality, it runs as an SCR file (screensaver), which has the same permissions as an exe file but now runs in the background.
What is really new is that it then uploads your session tokens and cookies from ANY AND ALL Chrome-based browsers: Chrome, Chromium, Edge, Brave, etc. From here, the hackers basically have an exact copy of your browser, logins and credentials. And because of how Google manages security these days, it doesn't realize it's not you, even if you're both logged in from two places across the globe. In fact this makes it more of an issue, because now you can fight for control, and Google can get confused as to which gets priority on a change if you both change a permission at the same time, which triggers a bug that can delete files. No 2-factor is needed, changing passwords doesn't help, and booting out all devices is also not necessarily going to fix it if done from the compromised system, as it just re-uploads the new tokens as soon as you log back in.
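The point above, that one stealer can harvest every Chromium-based browser because they all keep their cookies and saved logins in the same "User Data" layout, also gives defenders a detection: anything other than the owning browser reading those files is suspicious. The following is an added example, not code from the original post; the Image/TargetFilename event fields are an assumption about what an EDR or file-audit log would provide, and the sample events are constructed.

```python
"""Flag a non-browser process reading a Chromium-family cookie or login store (added example)."""
from __future__ import annotations

import re

# Profile directory (under %LOCALAPPDATA%) -> the browser executable that legitimately owns it.
PROFILE_OWNERS = {
    r"Google\Chrome\User Data": "chrome.exe",
    r"Microsoft\Edge\User Data": "msedge.exe",
    r"BraveSoftware\Brave-Browser\User Data": "brave.exe",
    r"Chromium\User Data": "chromium.exe",
}

# Files holding session cookies, saved passwords, autofill data and the DPAPI-wrapped key.
SENSITIVE_FILES = ("Cookies", "Login Data", "Web Data", "Local State")

_STORE_RE = re.compile(
    r"\\(?P<profile>" + "|".join(re.escape(p) for p in PROFILE_OWNERS) + r")\\"
    r"(?:[^\\]+\\)*(?P<file>" + "|".join(re.escape(f) for f in SENSITIVE_FILES) + r")$",
    re.I,
)


def suspicious_reads(events: list[dict]) -> list[dict]:
    """Return the events where something other than the owning browser touched a credential store."""
    hits = []
    for ev in events:
        m = _STORE_RE.search(ev["TargetFilename"])
        if not m:
            continue  # not a Chromium credential store
        owner = next(exe for p, exe in PROFILE_OWNERS.items() if p.lower() == m.group("profile").lower())
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image != owner:
            hits.append({**ev, "store": m.group("file"), "expected_owner": owner})
    return hits


# Constructed sample events (assumed field names): the browser itself, then a dropped
# "Youtube.com" payload reading the stores of two different browsers, then unrelated noise.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\Youtube.com",
     "TargetFilename": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\Youtube.com",
     "TargetFilename": r"C:\Users\u\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\Documents\notes.txt"},
]

if __name__ == "__main__":
    for hit in suspicious_reads(SAMPLE_EVENTS):
        print(f"{hit['Image']} read {hit['store']} owned by {hit['expected_owner']}")
```

Backup agents and password managers will also legitimately read these files, so an allow-list of known images belongs in front of this check before it is used for alerting.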
Google is supposedly now working to stop this, however I wouldn't hold my breath, as this is a feature, not a bug. This goes deep into Google's security system and it could require a shift in how they do business. You see, they purposely loosened security to make Firefox seem overly annoying, driving users to Chrome, and this was how they did it. That said, this hack really did make waves, so maaaaybe something will actually happen; if not, we can only hope they will next time they hit someone even bigger. Side note: this was a Google, Microsoft and Apple initiative to eliminate passwords, not just Google; Google just happened to weaponize it to use against Firefox. My bet is we're going to hear about a lot more problems now that this is in the wild before we see an end to it. Care to bet MS fixes Edge (through an OS patch) before Google fixes Chrome? (That's a joke, I don't expect either to make a significant leap any time soon.)
So what can you do? First, note that VERY few anti-virus (A/V) products detect this: because it isn't really taking over the system or accessing system credentials, and it has a constantly changing signature, they have a hard time detecting it. A good A/V will flag it, but unless you have it on strict enforcement it will get through, and that's often only on corporate-style A/V, not home stuff.
Second, get off Chrome-based browsers (Edge, Chromium, Chrome, Opera, Brave, etc.); it forces better login checks with Google. Switching to Firefox has the added benefit of allowing you to use a good adblocker (uBlock Origin).
Third, get off Windows Mail, Outlook or any other email client that hides attachment extensions and links. Even if you enable viewing extensions, it's not enough because of the .com files, and even the best of us can be caught this way as it can look legitimate. I recommend enabling viewing extensions AND switching to web-based email or Thunderbird, and just never clicking any link in an unsolicited message.
Fourth, if you get a message about a problem, go to their website directly; there's going to be a way to view the problem there. Click nothing in the email.
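The "Youtube.com" attachment trick described earlier, and the third recommendation above that showing extensions alone is not enough, both come down to the same check: does the attachment name end in something Windows will execute, whether or not there is a hidden second extension? The following triage function is an added example, not code from the original post; the extension lists are illustrative assumptions and the sample names are constructed.

```python
"""Flag e-mail attachment names that are Windows executables disguised as web addresses (added example).

On Windows a file named "Youtube.com" is a DOS-style .com executable: the name reads like a
URL, there is no second extension to reveal, and double-clicking it runs it.
"""
from __future__ import annotations

import os
import re

# Extensions Windows executes directly on double-click (assumption: illustrative, not exhaustive).
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi", ".lnk"}

# Extensions a mail client presents as harmless documents or images.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

# A bare hostname ending in .com, e.g. youtube.com, yourbank.com, www.geekhack.com
_HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.com$", re.I)


def classify_attachment(filename: str) -> str:
    """Return 'url_lookalike_executable', 'double_extension', 'executable' or 'ok'."""
    name = filename.strip()
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    # "invoice.pdf.exe": the classic hidden second extension that "show extensions" does reveal.
    if os.path.splitext(root)[1].lower() in DOCUMENT_EXTS:
        return "double_extension"
    # "Youtube.com": no hidden extension at all; the whole name looks like a website.
    if ext == ".com" and _HOSTNAME_RE.match(name):
        return "url_lookalike_executable"
    return "executable"


def triage(filenames: list[str]) -> dict[str, str]:
    """Classify every attachment on a message; anything not 'ok' should be blocked or quarantined."""
    return {f: classify_attachment(f) for f in filenames}


if __name__ == "__main__":
    # Constructed sample names modelled on the trick described in the post.
    for name, verdict in triage(["Youtube.com", "report.pdf.exe", "notice.scr", "rules.pdf"]).items():
        print(f"{name:16} -> {verdict}")
```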
What to do if you do get hacked this way? Do you want the bad news or the really bad news? This is a tough one because almost everything is linked to your Chrome-based browser, which they have a copy of. Your best hope is to make sure you have 2FA enabled (not that I like 2FA) and, from an uncompromised system, set a new password and immediately log EVERYTHING out of the account. This will stop them for the time being and you can start rebuilding and recovering, but you can never use the infected system at all, ever again (or at least until this is fixed). I recommend shredding the hard drive and possibly the motherboard. Seriously, it's that bad. You have no idea if it hit your BIOS and you have no idea how deep it got into your system. Any use of that drive and motherboard risks them immediately regaining access, because remember, it's the browser and token that are compromised; as soon as it's online again it can just re-upload your credentials.
Granted, no one is sure if this has impacted the BIOS/UEFI yet, but do you want to risk it? Harsh, I know, but you never know if it will reinfect in a day, a week, or months down the road. Good luck finding the point of entry at that point; by then you may be doing work from home or have your own business and have forgotten about the whole incident. "I can just air gap it": please don't, proper air gaps are difficult these days. Even I.T. professionals do not want to battle this thing. It's simply too risky: you have very little way of knowing it's gone (it can lay dormant), and if it's not, once it sends out your data the cycle begins again. How many times will you fight to regain control of all of your accounts (not just Google) before you can be certain you finally killed it?
I know, parts are not cheap and it's just more e-waste. No one likes trashing good parts, especially I.T. people; we love to re-use parts, but sometimes you have to, and this is one of those times. This thing is brutal to deal with; you don't want to deal with it multiple times. And if you have a business and something gets hit and you decide to just save the parts and wait... Don't. Parts always find ways to be re-purposed and people forget; they also tend to ignore warnings. So unless you lock it in a safe, there's a chance someone at your business will decide to use it. People drive around railroad signs and get hit by trains all the time; do you really think they're going to pay attention to a yellow sticky note saying not to use something that looks perfectly fine? Or you might re-use it for something non-critical, only for someone later to re-purpose it for something that is, and now it begins again. Stuff like this is a nightmare, so do yourself a favor and rid yourself of it.
And if you think this is bad, just wait for what's coming with quantum computers.