The recent YouTube phishing attack has once again demonstrated that the ingenuity of hackers is always a few steps ahead, no matter how hard the platforms try to improve security. In the past, hackers ran a phishing campaign impersonating a popular Google-owned video platform. But what really caught my eye was that the emails used were from @youtube.com.
This means that the phishing attack was carried out through the official YouTube channel. However, this does not mean that the hackers stole the official email address for evil purposes. They used a system to share videos via email, with dangerously effective results.
Official details of this phishing campaign have not been released, but it has been established how the attack worked in general. The attackers created YouTube channels with names similar to the official ones – for example, YouTubeTeam – and uploaded videos which were left on the list as private. Thus, the content could not be found by users through the search engine.
Cyber security.
image source: freepik.com
These videos had titles such as “YouTube Rules and Rules Changes | See Description”. While the description itself indicated where the phishing attack took place. There, the hackers entered a link to Google Drive, where the victims had to enter their account details, otherwise they would lose them. As you can probably guess, the information fell into the hands of attackers who took control of the attacked YouTube channel and associated Gmail account.
But what really matters here is how the malicious messages are distributed. As we said at the beginning, the campaign was broadcast to [email protected]; i.e. official YouTube email. For this, a video sharing tool by email was used.
Emailing a private video generated a message with the title included in the email subject. For example, victims received a message that said, for example: “YouTubeTeam sent you a video: YouTube rules and policy changes | Read the description.” With a title that looked like an official YouTube post and sender, it’s impossible for anyone not to get hit by this phishing attack. At least until the social media alarms go off.
The big problem here is that this phishing campaign managed to break the only golden rule that has so far guaranteed the prevention of such hacks: sender authentication. Until recently, verifying an email address was the easiest option to know if we were victims of a phishing attack. But it is clear that this is no longer enough.
Phishing mitigation changes
In the case of YouTube, changes have been made in recent days to try to prevent the further use of this option. In particular, we decided to change the format of the messages that are received when someone sends you a private video. Rather than including the title of the video in the subject line, the email simply states “You have received a private video”. However, there is no guarantee that this will be enough to avoid falling into the trap.
It’s clear that phishing attacks are constantly evolving, so you should always be on the lookout. If you receive emails that you think are suspicious, do not click on any links in them or download any attachments. It doesn’t matter that they come from a legitimate address. A quick Google search will help you determine if this is a genuine campaign or a phishing attempt.
See also: Microsoft has stopped Xbox warranty repair in Russia.
Read the latest sports news from the world on The Eastern Herald .
