YouTube Becomes Latest Battlefront for Phishing, Deepfakes

YouTube has turned into a new front for malicious actors to deploy phishing, other malware, and bogus investment schemes, according to a report from researchers at security vendor Avast.

The researchers specifically homed in on Lumma and RedLine — especially regarding phishing, scam landing pages, and malicious software. YouTube acts as a traffic distribution system, directing users to these malicious sites and pages, supporting scams of varying severity.

In addition, deepfake videos are on the rise on the video platform, misleading viewers with realistic but fake people or events and spreading disinformation. Avast found multiple accounts with more than 50 million subscribers each that were compromised and hijacked to spread cryptocurrency scams reliant on deepfake videos. These videos include fake comments to deceive other viewers and contain malicious links.

Researchers observed five different ways YouTube can be exploited by threat actors. Personalized phishing emails to YouTube creators propose fake collaboration opportunities intended to gain the creator's trust before sending malicious links. Bad actors also use compromised video descriptions containing malicious links to trick users into downloading malware. They further resort to hijacking YouTube channels and repurpose them to spread other threats, such as cryptocurrency scams.

Researchers also observed exploitation of software brands and legitimate-looking domains with fraudulent websites loaded with malware. The attackers created videos using social engineering techniques that guide users to allegedly helpful tools that are actually malware disguised.

Avast credits its own scanning capabilities with protecting more than 4 million YouTube users in 2023 and approximately 500,000 users in the first quarter of this year.

Trevor Collins, WatchGuard Network security engineer, emphasizes the importance of companies and security leaders preparing their teams and organizations for these kinds of threats.

"Regular education is essential. Make people aware that there are scammers out there doing this," Collins says. "In addition, train and reassure them that it's OK to notify either their security team or other people within the company if they've gotten an unusual request — for instance, to provide login credentials, move money, or go buy a bunch of gift cards — before acting on it."