summary
- Phishing Attack: Cybercriminals use fake brand collaboration emails to target YouTube creators.
- Malware Disguise: Malicious files are hidden in password-protected attachments like contracts or promotional materials.
- Cloud Hosting: Attackers leverage platforms like OneDrive to host malware, adding a layer of credibility.
- Sensitive Data Theft: Malware steals login credentials, financial information, and grants remote access.
- Wide Reach: Over 200,000 creators targeted globally, with thousands of phishing emails sent via automated tools.
CloudSEK’s threat research team has disclosed details of an advanced new phishing campaign targeting YouTube creators. According to CloudSEK’s investigation, shared exclusively with Hackread.com, scammers are using fake brand collaboration emails to steal accounts and spread scams to millions of followers.
Campaign Analysis
Report author Mayank Sahariya notes that this sophisticated phishing campaign involves impersonating trusted brands to distribute malware through fake collaboration offers.
Attackers begin by scraping email addresses from YouTube channels, likely using a specialized parser tool. This allows them to target creators and organizations directly. With email addresses in hand, attackers use browser automation tools to send bulk phishing emails.
Next, the attackers send cleverly crafted emails that appear to be legitimate business proposals from well-known brands. These emails entice recipients with lucrative collaboration deals and include enticing compensation structures based on subscriber count. The malware is cleverly disguised within attachments such as Word documents, PDFs, or Excel files, often masquerading as promotional materials, contracts, or business proposals.
“At the end of the email, the threat actor includes instructions and a OneDrive link to access a zip file containing the agreement and promotional materials, secured with the password,” the report read.
The extracted files reveal four files, including Digital Agreement Terms and Payments Comprehensive Evaluation.exe, which is a malicious payload. Once downloaded and extracted, the zip file unleashes a malicious script disguised as a harmless file format, such as “webcams.pif.” This script leverages AutoIt3 automation software to execute further malware hidden within the archive.
To further bypass detection, the attackers host these malicious attachments on cloud storage platforms like OneDrive (form this ID- [email protected] created on August 15, 2024), protected by passwords. This tactic adds a layer of legitimacy, as recipients might expect collaboration agreements and promotional materials to be password-protected.
Once a curious YouTuber downloads the attachment, the malware installs itself on the victim’s system. This malware is designed to steal sensitive information, including login credentials, financial data, and intellectual property. In some cases, it can even grant remote access to the attacker, compromising the entire system.
Who are the Targets?
According to CloudSec’s blog post, this global campaign primarily targets businesses and individuals involved in marketing, sales, and executive positions. These individuals are more likely to engage with brand collaborations and promotions, making them prime targets for this phishing scheme.
So far, this campaign has targeted over 2 lakh YouTube creators, involving 500-1,000 phishing emails sent from a single email account and around 340+ SMTP servers have been weaponized for attacks.
To stay protected, YouTube creators should be cautious of unsolicited collaboration offers, especially password-protected attachments. Always double-check email addresses, and contact brands directly to confirm the legitimacy of collaboration offers. Also, avoid downloading attachments from unknown senders, even if password-protected to protect valuable data.
RELATED TOPICS
- Scammers Rake in $600K with YouTube Deepfakes
- YouTube Channels Hacked to Spread Lumma Stealer
- Fake YouTube Android Apps Used to Distribute CapraRAT
- New YouTube phishing scam using authentic email address
- Get Paid to Like Videos YouTube Scam Empties Your Wallets