YouTube has become a significant channel for cybercrime
Social engineering threats – those which rely on human manipulation – account for most cyberthreats faced by individuals in 2024, according to Avast.
According to the latest quarterly Avast Threat Report, which looks at the threat landscape from January-March 2024, scams, phishing and malvertising accounted for 90% of all threats on mobile devices and 87% of threats on desktop. Moreover, the threat research team discovered a significant spike in scams leveraging sophisticated tactics such as using deepfake technology, AI-manipulated audio synchronization, and hijacking of YouTube and other social channels to disseminate fraudulent content.
Scammers have turned heavily to videos as lures
While all social media is a natural breeding ground for scams, YouTube has become a significant channel for crime. According to telemetry from Avast, 4 million unique users were protected against threats on YouTube in 2023, and approximately 500,000 were protected in January-March 2024.
Automated advertising systems combined with user-generated content provides a gateway for cybercriminals to bypass conventional security measures, making YouTube a potent channel for deploying phishing and malware. Notable threats on the platform include credential stealers like Lumma and Redline, phishing and scam landing pages, and malicious software disguised as legitimate software or updates.
Scammers have also turned heavily to videos as lures. Whether from stock footage or an elaborate deepfake, scammers are using all video varieties in their threats. One of the most widespread techniques involves exploiting famous individuals and significant media events to attract large audiences.
These campaigns often use deepfake videos, created by hijacking official videos from events and using AI to manipulate audio synchronization. These videos seamlessly blend altered audio with existing visuals, making it harder for the untrained eye to tell they’re anything but authentic.
Additionally, YouTube serves as a conduit to Traffic Distribution Systems (TDS), directing people to malicious sites and supporting scams ranging from fake giveaways to investment schemes.
Common scam tactics on YouTube
Phishing campaigns targeting creators: Attackers send personalized emails to YouTube creators proposing fraudulent collaboration opportunities. Once trust is established, they send links to malware under the guise of software needed for collaboration, often leading to cookie theft or account compromise.
Compromised video descriptions: Attackers upload videos with descriptions containing malicious links, masquerading as legitimate software downloads related to gaming, productivity tools, or even antivirus programs, tricking users into downloading malware.
Channel hijacking for scams: By gaining control of YouTube channels through phishing or malware, attackers repurpose these channels to promote scams – such as cryptocurrency scams – often involving fake giveaways that require an initial deposit from viewers.
Exploitation of software brands and legitimate-looking domains: Attackers create websites that mimic reputable companies that people trust and offer illegitimate downloadable software.
Social engineering via video content: Attackers post tutorial videos or offers for cracked software, guiding people to download malware disguised as helpful tools. This tactic takes advantage of people seeking free access to otherwise paid services or software, leveraging YouTube’s search and recommendation algorithms to target potential victims.
The growing business of Malware-as-a-Service (MaaS)
With scams surging, cybercriminals are capitalizing on a new business opportunity: MaaS. Through this model, organized crime groups are able to recruit smaller-scale criminals who want to make quick money by distributing malware on behalf of the group. These criminals can purchase malware, subscribe to it or share profits in a commission-style partnership.
The most common malware utilized in MaaS are information stealers, which are continuing to find new distribution channels. For example, DarkGate was observed to be spread via Microsoft Teams, using phishing. Lumma Stealer, another MaaS information stealer, continues to spread via cracked software propagated on YouTube, using fake tutorials to mislead victims. This further emphasizes that such strains – and their creators – never miss an opportunity to leverage social engineering to distribute malware.
“In the first quarter of 2024, we reported the highest ever cyber risk ratio – meaning the highest probability of any individual being the target of a cyberattack,” said Jakub Kroustek, Malware Research Director at Gen. “Unfortunately, humans are the weakest link in the digital safety chain, and cybercriminals know it. They pray on human emotions and the quest for knowledge to infiltrate people’s lives and devices for financial gain.”