Cybercrime , Data Breach , Fraud Management, Cybercrime

Hackers Deface Popular Videos Published by Vevo

Pilfered Access Credentials Could Be to Blame
Hackers Deface Popular Videos Published by Vevo
Two hackers claimed credit for defacing a handful of popular musical videos, including "Despacito" by Luis Fonsi. (Source: YouTube)

A handful of popular music videos published on YouTube were defaced on Tuesday, with two hackers claiming credit. But Google, which owns YouTube, says that tampering didn't occur directly on its platform.

See Also: Live Webinar | Phishing Like the Bad Guys: Social Engineering's Biggest Success

One of the affected videos is Luis Fonsi's "Despacito," a Spanish tune that recently notched just over 5 billion views on YouTube. The BBC reports that the tampering also affected videos by artists including Shakira, Selena Gomez, Drake and Taylor Swift.

At one point, the video "Despacito" would not play. Instead, it had a video still from the TV series "Money Heist" of masked people in red hooded outfits pointing guns. The titles of some videos were replaced with the message "Free Palestine." After the defacements, the videos appeared to be taken offline.

" We are continuing to investigate the source of the breach."
—Vevo

Google says the tampering did not occur on its side. Vevo, which is a joint venture of several major music labels, uses YouTube as a publishing outlet.

"After seeing unusual upload activity on a handful of Vevo channels, we worked quickly with our partner to disable access while they investigate the issue," Google says in a statement.

Vevo said on Tuesday that a number of its videos "were subject to a security breach today, which has now been contained."

"We are working to reinstate all videos affected and our catalogue to be restored to full working order," Vevo said. "We are continuing to investigate the source of the breach."

In September, Vevo was attacked by a group calling itself OurMine, Gizmodo reported at the time. The group posted a heft 3.1TB of data online, most of which appeared to be internal documents, the publication reported.

'I Love YouTube'

Two hackers going by the nicknames Prosox and Kuroi'sh claimed credit for the attack against Vevo. Prosox, who posts some messages in French, appears to maintain the Vevo attack was a prank.

Although it's somewhat difficult to draw a clear meaning of the messages posted in English, Prosox says a script was used to change the title of the videos.

"Don't judge me," Prosox writes. "I love YouTube."

In another tweet, Prosox indicates more harm could have been done, such as deleting all of Vevo's videos. Prosox directed one tweet at Vevo, writing that "you have all my respect but do not leave the control to your site to any developer."

That may be a subtle allusion to an access control issue. It's possible that Prosox and Kuroi'sh obtained access control credentials, which may have given them access to Vevo's content management system. Efforts to reach Prosox via Twitter were unsuccessful.

Entertaining Targets

The Vevo incident is the kind of prosaic prank that harks back to the band of attackers known as LulzSec, which carried out a string of high-profile attacks aimed at embarrassing those who were compromised rather than making a profit.

LulzSec was a loose-knit offshoot of Anonymous that carried out an extensive campaign of website defacements and attacks again government agencies. The group succeeded in causing a fair amount of turmoil, and its escapades included breaches at the security company HBGary Federal, the Public Broadcasting System, Sony and Fox.

LulzSec's logo. (Source: Wikipedia)

But the group's noisy promotion of itself on Twitter and other social media caused it to draw attention from law enforcement agencies around the world. By 2012, it was largely inactive after arrests in the U.S., U.K., Spain and the Netherlands (see: LulzSec Leader Strikes Deal with Feds).

The entertainment industry is often the target of attacks. In November, the Justice Department charged 29-year-old Iranian man in relation to a $6 million extortion attempt against entertainment company HBO.

Behzad Mesr, is accused of accused of compromising accounts of HBO employees, allowing him to steal scripts for unaired episodes of the popular show "Game of Thrones" and other confidential information (see: Feds Indict Iranian Over 'Game of Thrones' Hacks).


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network