A recent phishing attack carried out through YouTube has once again shown that hackers' ingenuity is always a few steps ahead, no matter how much effort the platforms put into strengthening security. In recent days, hackers ran an impersonation campaign posing as Google's popular video platform. What really stood out was that the emails used came from an @youtube.com address.
This means the phishing attack was carried out through an official YouTube communication channel. It does not mean, however, that the hackers stole an official email address to use for malicious purposes. What they did was abuse the feature that allows videos to be shared by email, with dangerously effective results.
The official details of this impersonation campaign have not been revealed, but it has been established how the attack worked in general terms. The malicious users created YouTube channels with names similar to the official ones (YouTubeTeam, for example) and uploaded videos listed as private, so the content could not be found by users through the search engine.
Those videos had titles such as “YouTube Rules and Policies Changes | Check Description”, and the description itself was where the phishing took place. There, the hackers placed a link to a Google Drive page where victims had to enter their account credentials, supposedly to avoid losing their accounts. As you can imagine, that information ended up in the hands of the attackers, who took control of the targeted YouTube channel and the linked Gmail account.
A new phishing attack generated from YouTube
But what really matters here is how the malicious messages were distributed. As we said at the beginning, the campaign was carried out from an official @youtube.com address. To do this, the attackers took advantage of the feature for sharing videos by email.
When a private video was shared by email, the generated message included the video's title in the email subject. Victims therefore received a message reading, for example: “YouTubeTeam sent you a video: Changes to YouTube Rules and Policies | Please review the description”. With a title that looked like a formal communication and an official YouTube sender, it was almost impossible not to fall for this phishing attack, at least until the alarm was raised on social networks.
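As an added example (not part of the original article), the following Python triage rule shows how a defender could flag share notifications in the pre-fix format described above: it parses the "<channel> sent you a video: <title>" subject, checks whether the sender-controlled channel name and title imitate an official notice, and checks whether the links lead off-platform. The sender address, the lure word list and the sample messages are constructed assumptions, not values from the campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Pre-fix notification subject: "<channel> sent you a video: <title>".
# Both fields are chosen by whoever shares the video, not by YouTube.
SHARE_SUBJECT = re.compile(r"^(?P<channel>.+?) sent you a video: (?P<title>.+)$")
# Lure vocabulary taken from the campaign's titles (heuristic, an assumption).
LURE_WORDS = ("policy", "policies", "rules", "check description", "review the description")

def is_platform_host(host: str) -> bool:
    """True only for youtube.com and its subdomains (no look-alike suffixes)."""
    host = host.lower()
    return host == "youtube.com" or host.endswith(".youtube.com")

def triage(raw_message: str) -> dict:
    """Score one RFC 5322 message; two or more reasons mark it suspicious."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    match = SHARE_SUBJECT.match(msg.get("Subject", ""))
    reasons = []
    # Only genuine share notifications are in scope: that is exactly where
    # attacker-controlled text is wrapped in YouTube's official framing.
    if match and sender.lower().endswith("@youtube.com"):
        channel, title = match.group("channel"), match.group("title").lower()
        if "youtube" in channel.lower():
            reasons.append("channel name impersonates YouTube")
        if any(word in title for word in LURE_WORDS):
            reasons.append("video title reads like an official policy notice")
        hosts = re.findall(r"https?://([\w.-]+)", msg.get_payload())
        if any(not is_platform_host(h) for h in hosts):
            reasons.append("links lead off-platform (credential-form lure)")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}

# Constructed samples; the sender address is a placeholder, not the real one.
LURE = """From: YouTube <no-reply@youtube.com>
Subject: YouTubeTeam sent you a video: Changes to YouTube Rules and Policies | Please review the description

Read the description: https://drive.google.com/constructed-placeholder
"""
BENIGN = """From: YouTube <no-reply@youtube.com>
Subject: Alice sent you a video: Our hiking trip

Watch here: https://www.youtube.com/watch?v=constructed
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(sample))
```

Once the subject line no longer carries the title, the same title and link checks can be run on the message body instead.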
The big problem here is that this impersonation campaign managed to break a golden rule that, until now, was relied upon to prevent this type of attack: verifying the authenticity of the sender. Until not long ago, checking the sender's email address was the easiest way to tell whether we were the target of a phishing attempt. Clearly, that is no longer enough.
On countless occasions we have come across email messages that replicated in detail the look, typography and content of certain platforms' communications for fraudulent purposes. Even so, it was usually easy to tell whether they were legitimate.
If a warning about changes to YouTube looked real but came from an address like @youtube-mailroom.crypto, it didn't take much thought to rule it out. But if phishing campaigns can now be spread using official tools, a defence that was never as infallible as we thought has been broken. And just as it happened this time with YouTube, it is impossible not to think that something similar could happen with other services.
Changes to mitigate spoofing
In YouTube's case, changes have been applied in recent days to try to prevent this feature from continuing to be exploited. Specifically, the format of the message received when someone shares a private video with you has been changed. Instead of including the video's title in the subject line, the email now simply says “A private video has been shared with you”. However, nothing guarantees that this is enough to avoid falling into the trap.
It is clear that phishing attacks are constantly evolving, so it is necessary to remain vigilant at all times. If you receive emails that seem suspicious, do not click on the links in them or download any attachments, even if they come from a legitimate address. A quick Google search can help you determine whether it is a legitimate campaign or a phishing attempt.