An IP metadata perspective into Matthias Wandel's YouTube account hack

Matthias Wandel is a popular YouTuber with a woodworking and engineering channel. He covers all kinds of genius inventions on his channel, and I have been watching his content for over a decade. His YouTube account was compromised recently through phishing and session hijacking.

Link: YouTube channel got hacked: how, investigation, timeline, and recovery. - YouTube

Hacks like this could happen to any of us; all the bad actor needs is a moment of poor judgment on our part. We will walk through a threat intelligence exercise with IPinfo’s IP metadata to analyze what went wrong and determine how to prevent it.

Prerequisites:

Initial email

The initial email came from a website called crainc***c[.]com. By looking up the website, it looks legit:

They have social media pages, and their owner’s name is mentioned in the email.

However, they are in the crane and truck rental business and are NOT associated with video editing software services. It is highly unlikely for them to email YouTubers regarding sponsorship.

We can look up the IP address of the website’s server using the IPinfo CLI.

ipinfo crainc***c[.]com

As we can see, the website server is based in the United States, and the ASN is a well-known hosting service.

We can conclude that, in this instance, it is likely that crainc***c[.]com’s service was compromised in some way. However, I cannot provide a more conclusive opinion without Matthias’s email headers. If you have access to the email headers, you can look up the IP addresses from the email headers on our website and get all location, ASN and other IP metadata information. I will write a post about this another day.

The followup email

The followup email is where things get interesting. The followup email came from blackma***design[.]tech.

When we visit the site, it redirects to the official Blackmagic website, which is suspicious.


Looking up the website in IPinfo’s CLI, we can see that the website is hosted on a server out of Russia.

ipinfo blackma***design[.]tech

Aside from the server being located in Russia while Blackmagic Design is an Australian company, we can see several suspicious domains hosted on the same IP address. This will be our baseline for threat prevention.

Matthias Wandel then provided more context around session hijacking and how he recovered his account.

Here is what our data shows in that context.

The owner of the server IP address, AS197695, is one of the largest ASes in Russia, with about 2 million domains hosted.

If you would like to block their ranges, here is the list:

AS197695 IPs (github.com)

I recommend using ASN range blocking rather than country range blocking. In either case, feel free to use our free IP to Country ASN database.

Snowflake Query using IPinfo's IP to Country ASN database
SELECT
  flat_data.value as AS197695_ips
FROM (
  SELECT public.range2cidr(start_ip, end_ip) as ip_range
  FROM public.country_asn
  WHERE ASN='AS197695'
) as_ips,
TABLE(FLATTEN(as_ips.ip_range)) flat_data

This information was generated using our free IP to Country ASN database on Snowflake.

Considering the sheer volume of domains they host, it is best to use an IP-based firewall to protect your infrastructure instead of a domain-based firewall.
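As an added example (not the post's or IPinfo's own code), the same range-to-CIDR expansion and ASN blocklist check in Python, run over a constructed CSV sample laid out like the free IP to Country ASN database; the column names and address ranges below are assumptions, not real data. It also renders the resulting CIDRs as IP-based firewall rules, which is what the paragraph above recommends over domain blocking.

```python
import csv
import io
import ipaddress

# Constructed sample in the layout of IPinfo's free IP to Country ASN CSV.
# Column names and the address ranges are assumptions for this example,
# not real data; only the ASN number comes from the post.
SAMPLE_CSV = """start_ip,end_ip,country,asn,as_name
31.31.196.0,31.31.199.255,RU,AS197695,Example Hosting (constructed)
203.0.113.5,203.0.113.20,US,AS64496,Example Net (constructed)
198.51.100.0,198.51.100.255,US,AS64497,Other Net (constructed)
"""


def range2cidr(start_ip, end_ip):
    """Equivalent of range2cidr() in the Snowflake query: expand a start/end
    pair into the minimal list of CIDR blocks covering exactly that range."""
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def asn_ranges(csv_text, asn):
    """Collect every CIDR announced by one ASN, as the query does for AS197695."""
    cidrs = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["asn"] == asn:
            cidrs.extend(range2cidr(row["start_ip"], row["end_ip"]))
    return cidrs


def is_blocked(ip, cidrs):
    """ASN range blocking: True if the address falls inside any listed CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def iptables_rules(cidrs, chain="INPUT"):
    """Render the CIDR list as iptables DROP rules for an IP-based firewall."""
    return [f"iptables -A {chain} -s {c} -j DROP" for c in cidrs]


if __name__ == "__main__":
    blocklist = asn_ranges(SAMPLE_CSV, "AS197695")
    print(blocklist)
    print(is_blocked("31.31.198.106", blocklist))
    print("\n".join(iptables_rules(blocklist)))
```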

Moving forward, the IP address 31.31.198.106 (IP address details on IPinfo.io) has 2,268 domains hosted on it.


31.31.198.106 Hosted Domains

curl "ipinfo.io/domains/31.31.198.106?token=$token"

The vast majority of these domains have the .ru TLD. So, to keep things light, here are some of the domains hosted there that do not use the .ru TLD.

3131198106 domains (github.com)

This information was generated using our Hosted Domains database.

If you have any follow-up questions, feel free to drop them below.