Phishing campaign targets YouTube creators with fake deals
CloudSEK's latest research has revealed a phishing campaign targeting YouTube creators, using fake collaboration emails to compromise accounts and spread scams.
The research by CloudSEK's Threat Intelligence Research Team found that cybercriminals are hacking YouTube accounts by sending phishing emails disguised as professional collaboration offers. This discovery underscores the growing risks social media influencers and businesses encounter. Over 200,000 YouTube creators have reportedly been targeted in this campaign.
Phishing emails in this campaign are crafted to appear to be legitimate offers of partnerships or promotions. They often carry subject lines such as "Collaboration Proposal" or "Marketing Opportunity." The emails include attachments or links to malicious files, typically hosted on trusted platforms like OneDrive.
The malicious content frequently consists of password-protected archives containing executables disguised as legitimate documents, such as agreements or promotional materials. Once extracted and opened, these files deploy malware intended to steal sensitive information, such as login credentials and session cookies, or to enable remote access to the system.
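The traits described above (lure subject lines, OneDrive links, archive attachments holding executables with document-like names) can be checked mechanically at the mail gateway. The following is an added example written for this page, not CloudSEK's tooling; the regexes, extension lists and the sample message it builds are constructed assumptions, and it flags rather than blocks so a reviewer can confirm each hit.

```python
import email, io, re, zipfile
from email.message import EmailMessage

LURE_SUBJECTS = re.compile(r"collaboration proposal|marketing opportunity", re.I)  # subjects named in the report
FILE_HOSTS = re.compile(r"https?://\S*(?:onedrive\.live\.com|1drv\.ms)\S*", re.I)  # OneDrive-hosted links
EXEC_EXT = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi")
DECOY_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")

def inspect_archive(data: bytes) -> list[str]:
    """Flag the archive traits described above: password protection, executables, decoy names."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is named as an archive but is not a valid zip"]
    findings = []
    for info in zf.infolist():
        name = info.filename.lower()
        if info.flag_bits & 0x1:  # general-purpose bit 0 set = entry is password-protected
            findings.append(f"password-protected entry: {info.filename}")
        if name.endswith(EXEC_EXT):
            findings.append(f"executable inside archive: {info.filename}")
            if name.rsplit(".", 1)[0].endswith(DECOY_EXT):  # e.g. Agreement.pdf.exe
                findings.append(f"executable disguised as document: {info.filename}")
    return findings

def triage(raw: bytes) -> list[str]:
    """Check one raw RFC 822 message for the campaign's observable traits."""
    msg = email.message_from_bytes(raw)
    findings = []
    if LURE_SUBJECTS.search(msg.get("Subject", "")):
        findings.append("subject matches collaboration/marketing lure")
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "text":
            findings += [f"link to file-hosting service: {u}" for u in FILE_HOSTS.findall(payload.decode(errors="replace"))]
        elif (part.get_filename() or "").lower().endswith(".zip"):
            findings += inspect_archive(payload)
    return findings

def sample_email() -> bytes:  # constructed sample resembling the reported lure, not a real campaign message
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Brand_Agreement.pdf.exe", b"placeholder bytes, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "Collaboration Proposal"
    msg.set_content("Please review the terms: https://1drv.ms/u/EXAMPLE-placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Terms.zip")
    return msg.as_bytes()
```

Running `triage(sample_email())` on the constructed message yields four findings: the lure subject, the OneDrive link, the executable in the archive and its document-style decoy name.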
YouTube creators have been predominantly targeted, with attackers tailoring their phishing attempts to suit the audience size and type of content the creators produce. Once a creator's account is compromised, it becomes a tool for the attacker to further disseminate scams or malicious links to the creator's audience.
In one real-life example, a YouTube creator was emailed an offer for a substantial brand deal. The email contained a OneDrive link to a file presented as the terms and conditions. Once downloaded and opened, the embedded malware compromised the creator's account, and the attackers subsequently used it to promote a fraudulent cryptocurrency giveaway.
"This campaign is not just about stealing accounts; it's about leveraging the trust and influence of YouTube creators to amplify scams on a massive scale," said Mayank Sahariya, Security Researcher at CloudSEK. "Attackers are exploiting these accounts to push scams and fraudulent schemes, reaching millions of unsuspecting followers. The scale of this operation means not only financial losses for victims but also long-term reputational damage for creators, highlighting an urgent need for better security awareness and robust protective measures," Sahariya added.
The threat posed is starkly illustrated by the numbers: between 500 and 1,000 phishing emails are sent from a single email account, over 200,000 YouTube creators have been targeted, and more than 340 SMTP servers are used in the attacks. The attackers have compromised over 46 Remote Desktop Protocol (RDP) hosts and used more than 26 SOCKS5 proxies to conceal their criminal activities.
Attackers use automated tools to send these phishing emails in bulk, targeting creators based on details accessible from their YouTube profiles. CloudSEK researchers have uncovered extensive logs of the attackers' activities, including email templates and tools used for credential harvesting.
To mitigate such risks, experts advise verifying the authenticity of emails, especially those purporting to be from brands, by contacting those brands through official channels if there is any doubt. It is also recommended that team members involved in account management be cautious of attachments and links from unverified sources, enable two-factor authentication on accounts, regularly monitor for any unauthorised activity, and be educated about phishing tactics.