Attackers Use Old YouTube Feature in Phishing Attack to Send Messages from Legitimate Email

A new phishing campaign using a YouTube feature that helps attackers send emails from a valid email has been making the rounds. Google is already investigating the issue, and our telemetry shows the phishing campaign is live.

Spam filters can quickly determine if an email is part of a phishing campaign, and one way to do that is by looking at the email address that sent the message. While a spoofed address might trick a user by looking like a real one, the server won’t make the same mistake.

Now, attackers figured out a way to abuse a feature in YouTube that would allow them to send messages from the real [email protected], making it much more difficult for users to determine if an email is genuine.

According to a Hackread report, content creator Kevin Breeze was the first to notice the phishing emails, showing that they are actually from a legitimate email address.

YouTube was quick to respond on Twitter, warning people to be vigilant.

“Heads up: we’re seeing reports of a phishing attempt showing [email protected] as the sender. be cautious & don’t download/access any file if you get this email,” said the company.

It turns out criminals use an old feature that lets a channel share a video by email. By renaming the channel to something that resembles the company, like YouToubeTeam, for example, the email looks legit at a glance.

Reading the email gives a very different vibe. The user is informed of a change to “YouTube rules and policies.”

“If you received this message, you need to confirm the new monetization policy and rules,” reads the fraudulent email.. Please use the link below to download the document and confirm the rules by clicking on the link in the document, also the document is attached to the email. This document is for private access only (YouTube Content Creators), so it is password protected.”

“Please note that if you do not confirm these rules, your access will be restricted in 7 days, including: ·Uploading new videos ·Editing old videos ·Receiving monetization ·Receiving earned monetization funds.”

Giving the phishing message a sense of urgency is a classic technique and something that should immediately sound the alarm. The grammatical errors are just the icing on the cake. Of course, the link in the email points to an infected attachment. The channel is already gone after being deleted by Google, but other channels with similar names are bound to show up.

We spotted the email message in our own telemetry (check it out below), so the campaign is clearly ongoing. The campaign will likely continue until Google finds a way to deal with this new attack vector.