YouTube has become a new battleground for cybercriminals to launch phishing attacks, spread malware, and promote fraudulent investment schemes, according to a recent report by Avast, a leading security vendor.
Avast's researchers highlighted the use of tools like Lumma and RedLine in executing phishing attacks, creating scam landing pages, and distributing malicious software. YouTube functions as a traffic distribution network, guiding unsuspecting users to these harmful sites, thus facilitating various levels of scams.
The platform is also experiencing a surge in deepfake videos, which are used to mislead viewers with hyper-realistic but fake content, thereby spreading disinformation. Avast discovered multiple high-subscriber accounts, each with over 50 million followers, that were compromised and repurposed to disseminate cryptocurrency scams utilizing deepfake technology. These fraudulent videos often feature fake comments to deceive viewers further and include links to malicious sites.
Researchers identified five primary methods through which YouTube is exploited by cybercriminals. These include sending personalized phishing emails to YouTube creators, proposing fake collaboration opportunities to gain trust and eventually send malicious links. Additionally, attackers embed malicious links in video descriptions to trick users into downloading malware. They also hijack YouTube channels to spread other threats, such as cryptocurrency scams.
Moreover, cybercriminals exploit reputable software brands and legitimate-looking domains by creating fraudulent websites filled with malware. They produce videos that use social engineering tactics, guiding users to supposedly helpful tools that are actually malicious software in disguise.
Avast attributes its advanced scanning technology to protecting over 4 million YouTube users in 2023 and around 500,000 users in the first quarter of this year alone.
Trevor Collins, a network security engineer at WatchGuard, stresses the importance of educating employees and security teams about these threats.
"Regular education is essential. Make people aware that there are scammers out there doing this," Collins says. "In addition, train and reassure them that it's OK to notify either their security team or other people within the company if they've gotten an unusual request — for instance, to provide login credentials, move money, or go buy a bunch of gift cards — before acting on it."
