YouTubers sell phishing kits in plain view

YouTube appears to be the latest host of cybercrime advertising, as researchers reveal that they have found criminals advertising phishing kits on the video hosting site.

YouTube is being leveraged to sell phishing kits

Cyber-criminals have been using YouTube as a combined technical support desk and malware distribution channel.

Researchers from Proofpoint uncovered bad guys posting 'how to' videos showing prospective purchasers of their phishing kits how to set them up and get going.

If that wasn't bad enough, the comments section underneath contained working download links for the phishing templates and kits.

Proofpoint says "many of the video samples we found on YouTube have been posted for months, suggesting that YouTube does not have an automated mechanism for detection and removal of these types of videos and links."

Which means they remain a free and dead easy-to-use method for the authors of phishing kits and templates to advertise, demonstrate, and distribute their wares. And, at the same time, it adds to the pool of lowlifes putting your business at risk of getting caught up in a credentials heist.

The researchers went on to perform a simple search for 'paypal scama' and it returned more than 100,000 results.

It wasn't all good news for those in the market for an illegal 'get a bit better off than you were before in a shortish time' promotion; the sellers had included a backdoor in their kits that sent any scammed credentials straight to them.

While the use of these backdoors is nothing new, the Proofpoint researchers reckon they hadn't seen YouTube being used as a malware advertising, support and distribution channel like this before.

Dr Malcolm Murphy, technology director for Western Europe at Infoblox, told us that "lots of genuine content sites that provide a comment facility can be subverted in this way."

Unfortunately, it seems that YouTube is not the only service being subverted in this way. Andy Norton, risk officer EMEA at SentinelOne, says that "Facebook has a community of Carders profiles; people who advertise, sell and recruit others for the purposes of extracting money from stolen bank accounts and credit cards."

And information security consultant Javvad Malik warns that "the YouTube comment section is notoriously bad, with fake accounts masquerading as popular youtuber accounts leaving comments with malicious links."

Jason Hart, CTO for data protection at Gemalto, reckons the best way to mitigate against these threats is through awareness. "For enterprises, the weakest link is their own employees," he said, "so it's not just about investing in the latest security solutions, but rather educating staff about these types of threats, how to spot and avoid them."

And Malik adds that "another step enterprises can take is to have reliable and up to date threat intelligence that can be used to detect any signs of compromise at the earliest stages." At least that way, if an internal machine starts up a communication with a known C&C server, or exhibits other activity consistent with indicators of compromise, it can be stopped before becoming a major incident.
