Scammers are abusing YouTube as a new way to promote backdoored phishing templates and provide potential buyers with information on how to use the nefarious software, Proofpoint researchers warn.
Because cybercrime is a business, crooks are constantly searching for new means to advertise their products to increase gains. For some, YouTube seemed like a good selling venue, and they decided to promote their kits on this legitimate website.
A search for “paypal scama” returns over 114,000 results, but buyers are in for a surprise, Proofpoint reveals. To be more precise, while the kits work as advertised, they also include a backdoor that automatically sends the phished information back to the author.
Proofpoint security researchers stumbled upon several YouTube videos that linked to phishing kits, templates, or to pages offering more information on these. The videos were created to show what the templates looked like and to instruct potential buyers on how to collect the phished information.
One of these videos, for example, showed an Amazon phishing template meant to replicate the legitimate login page on the web portal. The video’s authors instructed interested parties to contact them via a Facebook page.
When analyzing the code taken from another example of a phishing template that has been downloaded from a link on a similar video, the security researchers found the author’s Gmail address hardcoded in it. Thus, the author would receive the results of the phish each time the kit was used.
The same kit included a secondary email address that was also receiving the stolen information. What the security researchers didn’t manage to figure out was whether the same author included both addresses in the code or someone else added the second one and decided to redistribute the kit.
A PayPal scam analyzed by the researchers revealed that the cybercriminals attempted to avoid suspicion by adding a PHP include for a file called style.js just before the PHP “mail” command is used to send the stolen credentials. The style.js file, however, was found to include more encoded PHP code. The hidden command in the code was also meant to send the phished information to the author.
“Many of the video samples we found on YouTube have been posted for months, suggesting that YouTube does not have an automated mechanism for detection and removal of these types of videos and links. They remain a free, easy-to-use method for the authors of phishing kits and templates to advertise, demonstrate, and distribute their software,” Proofpoint says.
The security researchers say that they found multiple samples where the authors included backdoors that allow them to harvest the phished credentials even after other actors purchased the templates to use them in their own campaigns. The victims of phishing attacks suffer the most, because they have their credentials stolen by multiple actors each time the backdoored kits are used.