- Jan 24, 2011
- 9,378
A US man, Matthew A. Buchanan, has admitted that he and his accomplice jimmied open YouTube accounts via Google's password-reset recovery process and then set the YouTube channels up with AdSense to milk them of at least $55,897 (£33,891).
Court papers filed on Thursday detailed how, over the course of squeezing YouTube for AdSense profits, Buchanan and his conspirator also came across a vulnerability that gave them access to AOL employee's email accounts, right up to the inbox of the AOL CEO himself.
According to the Washington Post, Buchanan told a federal judge in Alexandria, Virginia that he had modest formal education - he holds only an associate's degree in general studies from Montgomery College - and the only professional experience he could recall was working at a grocery store when he was 16.
None of that stopped Buchanan from cooking up two ways to weasel accounts from their rightful owners.
Starting around June 2012 up until 11 September 2013, Buchanan and John T. Hoang Jr. used these two methods to take over Google accounts:
So after they'd hijacked the Google accounts, Buchanan and his buddy linked the YouTube channels to AdSense accounts under their control.
The advertising revenue then skipped over victims' pockets, flowing into the crooks' AdSense accounts before being transferred into their personal bank accounts.
Buchanan and his accomplice dazzled themselves with the brilliance of the scheme.
Read more: http://nakedsecurity.sophos.com/201...d-youtube-channels-to-milk-adsense-for-money/
Court papers filed on Thursday detailed how, over the course of squeezing YouTube for AdSense profits, Buchanan and his conspirator also came across a vulnerability that gave them access to AOL employee's email accounts, right up to the inbox of the AOL CEO himself.
According to the Washington Post, Buchanan told a federal judge in Alexandria, Virginia that he had modest formal education - he holds only an associate's degree in general studies from Montgomery College - and the only professional experience he could recall was working at a grocery store when he was 16.
None of that stopped Buchanan from cooking up two ways to weasel accounts from their rightful owners.
Starting around June 2012 up until 11 September 2013, Buchanan and John T. Hoang Jr. used these two methods to take over Google accounts:
- They wrote a script that searched YouTube and returned publicly available account names associated with popular videos that hadn't been monetized with AdSense. The script identified 200,000 of these accounts. They then submitted bogus password resets on the account names, exploiting a flaw that revealed a Google account holder's primary email address during the password reset process. After finding the primary email address, the conspirators then got at victims' accounts by guessing their security question answers or by using password-cracking software.
- The second method involved exploiting secondary email addresses. Some Google users had concocted what they thought were nonexistent email accounts during the Google account registration process because they couldn't be bothered to open a genuine secondary account. While some of those email accounts were truly nonexistent, some of the accounts in fact were controlled by Buchanan, including dog@yahoo.com, dog@aol.com, bill@aol.com, pat@aol.com and lucas@yahoo.com. The conspirators submitted bogus password resets on the primary email address, and then they picked up the temporary passwords that were delivered to the secondary email addresses under their control.
So after they'd hijacked the Google accounts, Buchanan and his buddy linked the YouTube channels to AdSense accounts under their control.
The advertising revenue then skipped over victims' pockets, flowing into the crooks' AdSense accounts before being transferred into their personal bank accounts.
Buchanan and his accomplice dazzled themselves with the brilliance of the scheme.
Read more: http://nakedsecurity.sophos.com/201...d-youtube-channels-to-milk-adsense-for-money/
