By now, most Sri Lankans on the internet would have already seen the countless Facebook posts, tweets and YouTube commentaries about the TV Derana hack fiasco. In case you missed it: the TV Derana YouTube channel was hacked on 29 August, or rather hijacked, to live-stream a cryptocurrency scam. Within the span of a few hours, the channel displayed the cryptocurrency stream and nothing else. The channel was even renamed to “Crypto News” — at which point copycat accounts and commentary videos had already started showing up to take Derana’s place.
The YouTube channel has now been restored and Derana has regained control. The channel is a YouTube partner account, which means it has direct access to YouTube’s priority support 24×7 — hence the overnight restoration. “We would’ve been able to recover it sooner but due to the timing of the incident and the fact that our partner managers are at the Google Singapore office, things were a little bit more arduous,” General Manager of Digital Media at Derana, Janeeth Rodrigo, told Roar Media.
Rodrigo explained that the attackers exploited a vulnerability in one of the remote access software tools and gained access to a PC with pre-existing access to the TV Derana YouTube channel. This enabled the hijackers to change the account’s login details as well as recovery emails and phone numbers without triggering Two-Factor Authentication (2FA).
Not An Isolated Incident
Amid the hacking, the confusion and, finally, the restoration, there was speculation that the incident was nothing more than a negative marketing strategy. While the idea is an amusing one, the facts suggest otherwise.
For starters, this wasn’t an isolated incident. Several other YouTubers, from musicians Hakeem Prime and Alok Official to the likes of JKK Entertainment, a channel with 30 million+ subscribers, had already complained over the past few days about their channels getting hacked for a cryptocurrency video stream.
It’s also not the first time this has happened on YouTube. Last year, hackers took control of several popular YouTube channels in a similar fashion. Live-streamed clips of well-known figures like Elon Musk and Jack Dorsey were followed up by renaming the channels and adding popular keywords to improve the stream’s discoverability. Just like the feed on Derana’s channel, the video was surrounded by messages asking viewers to send a particular type of cryptocurrency with a custom link embedded in the description. It was reported that hackers made as much as USD 10,000 after two hours’ worth of live streaming. It’s unclear how much the attackers made off with this time.
The attack is also reminiscent of a similar incident that took place on Twitter in the same year, when several high-profile Twitter accounts, such as those belonging to Bill Gates, Jeff Bezos and Elon Musk, were used via an internal Twitter tool to promote a bitcoin scam.
An Unresolved Problem For Tech Giants
Following last year’s incidents, both Ripple’s CEO Brad Garlinghouse and Apple Co-founder Steve Wozniak sued YouTube over the fraudulent content. Garlinghouse claimed that the company’s inaction on its platform damaged Ripple’s reputation. Wozniak shared similar sentiments, alleging that Google allowed bitcoin giveaway scams to thrive while using his likeness. However, these lawsuits have left some unanswered questions regarding the scams.
Cryptocurrency scams are nothing new. Back in 2017, bitcoin’s price started at USD 1,000 but shot up to almost USD 20,000 in less than a year. This made bitcoin and other cryptocurrencies more mainstream. All of a sudden, everybody was talking about it; but with this came a wave of cryptocurrency scams as well.
It is an increasingly worrying trend, one that big tech platforms seem to be failing to address. Even with Google’s ad policies in place, scams continue to exist. One study found that YouTube users lost USD 24 million in bitcoin during the first six months of 2020 alone.
A part of the problem is the sheer volume of malicious content that comes through these platforms. In 2019, Google removed 2.3 billion bad ads. Navigating through such a volume presents a challenge on its own.
But from a broader perspective, an argument could be made about whether these companies are incentivised to actively curb malicious content at all. Advertising is the lifeblood of platforms like YouTube and Facebook. So, the more rules that are imposed, the more adverts will drop from the platform. Such active involvement may also prompt users to rebel and potentially even move away from the platform.
Sri Lanka’s Unanswered Question
In relation to the Derana incident, Rodrigo said that the company has now deployed its own VPN in order to allow internal teams to securely access their work PCs from home. He also said that Derana will be conducting a complete cybersecurity audit to identify all vulnerabilities.
So what should one do? Not every account will have access to the kind of services TV Derana’s YouTube channel has. It starts with preventive measures at the individual level. Enabling 2FA whenever possible, using unique passwords for every digital account and using a trusted password manager are all simple, viable steps that could potentially minimise security risks.
At an organisational level, Rodrigo recommends a few extra steps such as utilising an in-house VPN where remote work is involved, restricting remote access to priority PCs, and keeping your software and antivirus guards updated, among other measures.
However, this is only a part of the equation. Incidents like the Derana hack indicate a larger problem about Sri Lanka’s digital presence and the general attitude towards cybersecurity. The fact that a 3 million+ subscriber YouTube channel belonging to such a high-profile mainstream media entity can be hijacked so easily should be alarming. Then again, Sri Lanka doesn’t have the best track record when it comes to cybersecurity.
The question of how much importance Sri Lanka places on cybersecurity remains unanswered and the continuous lack of attention translates to expensive repercussions — particularly amid a pandemic, and a growing number of scams of this nature. They say that prevention is better than cure — and that’s no different when it comes to cybersecurity.