April 2023’s Catch of the Month: Uncovering Phishing Scams

Welcome to our April 2023 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over personal data.

This month, we look at a scam targeting YouTube content creators, the tax-related phishing campaigns that arrive at this time every year and a new report highlighting a surge in email-based attacks.

YouTube warns of monetisation scam

Content creators on YouTube are being warned about a phishing campaign regarding an apparent “new monetisation policy”.

Users can monetise their YouTube channel if they create original content, have 1,000 subscribers and 4,000 watch hours. The revenue comes through advertising, with YouTube inserting commercials in their videos.

More than 2 million people are signed up to YouTube’s Partner Program, which enables them to collect ad revenue. Whether they consider content creation a full-time job or simply a way to make extra cash, news that the company is changing its monetisation policy is no doubt cause for concern – making it an ideal lure for phishing.

The scam is highly realistic. The email arrives from “no-reply@youtube.com”, an address that is indistinguishable from YouTube’s genuine notification address, and the sender field is no help in telling the two apart: display names and addresses are easily spoofed, and a notification generated by YouTube’s own video-sharing feature carries YouTube’s real address regardless of who shared the video.

The message contains the subject line “Changes in YouTube rules and policies | Check the description”, and includes a video that has been shared with the user.

The shared video comes from a channel called YouTubeTeam, which mimics the legitimate TeamYouTube channel, and its description carries the link the subject line tells recipients to check. It’s unclear exactly what happens when you follow it, but there are several tricks that scammers could pull.

The link could direct users to a mock-up of YouTube’s website and ask them to log in “for security purposes”. This should be an immediate red flag: YouTube, owned by Google, ties every channel to a Google account, so a creator reading a genuine policy notice is already signed in and would never be asked to enter a password again just to view it.
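A concrete check for the fake-login trick, added here as an example (it is not YouTube’s code and was not part of the original article): does a link’s host actually belong to a YouTube or Google domain? Lookalike URLs are built to make a casual reader answer yes when the browser will answer no. The URLs in the block are constructed illustrations, not addresses observed in this campaign.

```python
from urllib.parse import urlsplit

# Registrable domains that genuinely serve YouTube and Google sign-in pages.
TRUSTED_DOMAINS = ("youtube.com", "google.com")


def host_of(url: str) -> str:
    """Return the hostname a browser would actually connect to.

    urlsplit() discards the scheme, path, query, port and any userinfo
    ("youtube.com@evil.example" connects to evil.example), so text that
    merely *contains* youtube.com is not mistaken for the real site.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""  # javascript:, data: and friends never go to YouTube
    return (parts.hostname or "").rstrip(".").lower()


def is_trusted_link(url: str) -> bool:
    """True only if the host is a trusted domain or a subdomain of one."""
    host = host_of(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def explain(url: str) -> str:
    """Short verdict for a link, naming the trick a lookalike relies on."""
    host = host_of(url)
    if not host:
        return "blocked: not an http(s) link"
    if is_trusted_link(url):
        return f"ok: {host}"
    if "@" in urlsplit(url).netloc:
        return f"phishing: userinfo trick, real host is {host}"
    if any(d in host for d in TRUSTED_DOMAINS):
        return f"phishing: trusted name embedded in lookalike host {host}"
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return f"phishing: non-ASCII (homoglyph) host {host.encode('idna').decode()}"
    return f"phishing: untrusted host {host}"


# Constructed URLs for illustration; none were observed in the campaign.
SAMPLE_LINKS = [
    "https://studio.youtube.com/",
    "https://accounts.google.com/signin",
    "https://youtube.com.policy-update.example/login",
    "https://youtube.com@policy-update.example/login",
    "https://policy-update.example/youtube.com/login",
    "https://youtub\u0435.com/",  # Cyrillic 'е' in place of Latin 'e'
    "javascript:alert(document.cookie)",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:55} -> {explain(link)}")
```

The point of the exact-or-subdomain comparison is that a plain substring test (“does the URL contain youtube.com?”) passes the third, fourth and fifth samples, all of which take the victim somewhere else entirely.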

Anyone who has entered their credentials after following the link should assume that the password is in the scammers’ hands: change it immediately, sign out of all other sessions, and check that two-step verification and the account’s recovery email address and phone number have not been altered.

If a fraudster gains control of a channel, they could use it to launch additional scams – such as uploading content that encourages users to follow bogus links, with crypto scams being particularly popular.

Alternatively, the fraudster might hold the channel owner to ransom, demanding payment in order to relinquish control.

Another possibility is that the link takes users to a bogus version of YouTube that attempts a drive-by download: malware delivered through a pop-up advert or a fake error message, or in some cases simply by loading the page in an unpatched browser.

Clicking one of these prompts inadvertently gives the malware permission to install, after which it can perform any number of tasks. For instance, it could record keystrokes or encrypt the user’s files in a ransomware attack.

YouTube has said its team are investigating the phishing campaign. “We’re seeing reports of a phishing attempt showing no-reply@youtube.com as the sender,” it tweeted.

“Be cautious & don’t download/access any file if you get this email.”

Death, taxes and phishing scams

April brings the end of the UK tax year and, in the US, the deadline for filing federal tax returns, which at the time of writing is next week. This time of year is therefore rife with scams.

Familiar phishing campaigns revolve around the threat of a missed deadline or a request to hand over W-2 forms, which can be used to file fraudulent tax returns in the victim’s name. But Securonix Threat Research has also unearthed a new campaign by a threat group it has dubbed Tactical#Octopus.

The gang is targeting people in the US with bogus emails that carry a password-protected zip file whose name suggests tax paperwork, such as “TitleContractDocs.zip” or “JRCLIENTCOPY3122.zip”.

Anyone who opens the archive finds two files: a .png image and a shortcut (.lnk). Opening the shortcut launches a VBScript padded with nonsensical sentences, which are there to throw off antivirus signature matching.

That script hands over to PowerShell code that uses further obfuscation to evade detection and installs the payload. The payload then connects to the attackers’ command-and-control servers, giving them access to the compromised system.
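The delivery chain just described is exactly what a mail gateway or endpoint sensor can be tuned to spot. Below is an added example written for this article, not Securonix’s own detection logic, with two checks: one over the attachment (a zip holding a .lnk beside a decoy image) and one over process-creation events (a script host launched from Explorer, then PowerShell spawned with hidden-window or encoded-command switches). The archive and the event records are constructed stand-ins, not real samples, and the field names parent_image, image and command_line are assumed, modelled on Sysmon-style logs.

```python
import io
import re
import zipfile

# Extensions that have no place inside a "tax document" archive, and the
# harmless-looking files the lure uses as cover.
SCRIPT_LIKE = {".lnk", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}
DECOY_LIKE = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}

# Process names a double-clicked shortcut typically hands off to.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell switches and idioms used to hide the console and the script body.
PS_OBFUSCATION = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-no(p|profile)\b|"
    r"frombase64string|\biex\b|invoke-expression)",
    re.IGNORECASE,
)


def inspect_archive(zip_bytes: bytes) -> dict:
    """Summarise an attachment by file name alone.

    Only the central directory is read. It is stored in the clear even when
    the entries are password protected, so this check works without the
    password the lure email supplies.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    names = [i.filename for i in infos]
    exts = {"." + n.rsplit(".", 1)[-1].lower() for n in names if "." in n}
    scripts = sorted(exts & SCRIPT_LIKE)
    decoys = sorted(exts & DECOY_LIKE)
    return {
        "names": names,
        "encrypted": any(i.flag_bits & 0x1 for i in infos),  # bit 0 = encrypted entry
        "script_files": scripts,
        "decoy_files": decoys,
        # The lure pattern: a shortcut sitting beside an innocuous image.
        "lnk_with_decoy": ".lnk" in scripts and bool(decoys),
    }


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def suspicious_chain(event: dict) -> list:
    """Reasons a process-creation event matches the .lnk -> VBS -> PowerShell chain."""
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    reasons = []
    if image in SCRIPT_HOSTS and parent == "explorer.exe":
        reasons.append("script host launched from Explorer (as by a double-clicked .lnk)")
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        reasons.append("PowerShell spawned by a script host")
    if image == "powershell.exe" and PS_OBFUSCATION.search(cmd):
        reasons.append("PowerShell command line uses hidden-window/encoded switches")
    return reasons


def build_sample_lure() -> bytes:
    """Constructed stand-in for 'TitleContractDocs.zip': a decoy image and a shortcut.

    The real lure is password protected; zipfile cannot write encrypted
    archives, but the name-based check above behaves the same either way.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("TitleContractDocs/preview.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("TitleContractDocs/TitleContractDocs.lnk", b"L\x00\x00\x00" + b"\x00" * 60)
    return buf.getvalue()


# Constructed process-creation events (Sysmon-style field names assumed).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe //B "C:\Users\jr\AppData\Local\Temp\r3.vbs"'},
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
    {"parent_image": r"C:\Windows\explorer.exe",   # benign: Excel opened from Explorer
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r'"EXCEL.EXE" "C:\Users\jr\Documents\Q1-2023.xlsx"'},
]

if __name__ == "__main__":
    print(inspect_archive(build_sample_lure()))
    for ev in SAMPLE_EVENTS:
        print(_basename(ev["image"]), "->", suspicious_chain(ev) or "no match")
```

Two design points: the archive check deliberately never extracts anything, because the entry names are all it needs and extraction is where an AV bypass would bite; and the process check scores each link of the chain separately, so a single event such as Explorer spawning wscript.exe is a low-confidence hit on its own but becomes high confidence once the PowerShell child with `-w hidden -enc` appears under it.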

According to the Securonix researchers, the malware was observed capturing clipboard data and recording keystrokes.

The researchers added that the IP addresses of two of the three command-and-control servers were registered to Petersburg Internet Network, a company in Russia.

“This could indicate Russian origins […] However the possibility of false flag operations cannot be ruled out at this point,” the researchers wrote.

“Since all the samples that Securonix Threat Research identified are fairly recent, it’s clear that this campaign is still ongoing. Businesses and individuals should be extra vigilant when opening tax-related emails, especially as the tax deadline in the US approaches,” they added.

Report on phishing discovers alarming rise in attacks

Cofense released its 2023 Annual State of Email Security Report last month, which revealed a surge in phishing attacks over the past year.

The report, which collates data received from 35 million people across the world, found a 569% increase in phishing attacks.

According to its analysis, malware was proportionately more common in phishing attacks, with Emotet and QakBot remaining the two most common strains.

Emotet is a banking Trojan that’s considered one of the most destructive forms of malicious software because of the number of ways it can infect victims. Once on a machine it can drop ransomware, steal passwords and intellectual property, or use the victim’s mailbox as a conduit into other organisations.

QakBot (also known as Qbot) is a more complex strain but equally damaging. It arrives in two stages: the initial attachment contains no malicious code itself, only instructions that fetch and run the malware on the target system.

This makes it harder to detect than malware delivered in one piece, and it lets the criminals choose from several follow-on payloads, of which ransomware is the most common.

Commenting on the report, Cofense Vice President and Chief Information Security Officer Tonia Dudley highlighted the increase in cyber attacks conducted by nation states.

Russia has been particularly active, with many attacks thought to be connected to the invasion of Ukraine as hackers retaliate against the country’s political adversaries.

“The increase in nation-state attacks and major incidents overall continues to apply pressure to drive visibility of an organization’s security program by boards, corporate executives and cyber insurers,” Dudley said.

“With this pressure, organizations must continue to evaluate ways to mitigate risk and assess what email security controls need to be added or enhanced to raise their overall security posture.” 

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.