Last year I took a first look at a phishing campaign that was, interestingly, targeting YouTube channel owners’ email addresses. The aim of the campaign was to guide people to a fake YouTube sign-in page and phish their login credentials. Note that this did not target YouTube accounts in general, but actual channels. These were my main findings:
- Despite being hilariously obvious, the first four of these were not caught by ProtonMail’s spam filter
- Out of the several YouTube channels I manage, only one has been targeted
- The same email was CC’d to others
- Unclear where they found my email address
- Senders’ email service providers started out as Russian. Little to no typosquatting involved.
- After a few iterations, the phishing content seems to have reached its final form (for now)
The campaign came in a burst, stopping as suddenly as it had started. Now, after a couple of months, it has started again, and it’s time to re-examine what has changed.
#1 Failed domain authentications everywhere
There’s one new faked From field – “Google Adsense” – but the senders’ addresses are still not convincing. In fact, they’ve turned even more random, and this time they are all Gmail addresses. I guess “Gmail.com” seems more convincing than the previous “Zohomail.eu” or “Mail.ru”! All of these were caught by ProtonMail’s spam filter and failed the domain authentication requirements.
From – Address – Provider:
- YouTube – yt.warning.1 – gmail.com
- Google Adsense – yt.sup.4 – gmail.com
- YouTube – tapeyiteve356356 – gmail.com
- Google – gaceronafidapatehi780780 – gmail.com
- YouTube – ednagara123 – gmail.com
- YouTube Support – MabelBadi – gmail.com
- Google Adsense – Joannalhemina1555 – gmail.com
- YouTube – ykimball16 – gmail.com
Another notable change is the complete absence of the mysterious “control/controller” theme that kept popping up in the previous round of these emails.
#2 New year, new lies
Whereas the previous burst of emails revolved around variations of “We’ve received a complaint that your channel has lots of spam videos” and almost all of them shared the same subject line, “Warning”, this new batch is more varied. It makes sense that the adversaries would try different baits to lure people in. Two out of the eight new emails still carried that old message, though.
The new lies didn’t just bring new themes, but also new threats! Previously they all ended in “…or your channel will close in 24 hours.” Here’s a rough breakdown of the new angles used:
- “Please accept our new terms of service by clicking on the link below.”
  - Weirdly enough, if you didn’t accept, you wouldn’t lose your channel, just “the monetization feature”.
- “Invalid click activity detected on your YouTube channel.”
  - Again striking where the money is: emails with this content are sent by “Google Adsense” and therefore threaten to shut down your channel AND your Adsense account.
- “It’s been detected that you’ve logged into your YouTube channel from too many different devices.”
  - It really grinds my gears when a phishing message is disguised as a security notification. The threat is again account suspension.
- “Some videos you recently uploaded to your channel have been flagged as inappropriate.”
  - Account suspension. The email CTA is “Click here to edit”. I’m not sure if YouTube sends this type of email at all.
#3 New short URLs
Several of the email CTAs point to an rplg.co address, which seems to be provided by the replug.io service. I don’t think the people at replug had phishing in mind when they wrote “Shorten, track and optimize your links with catchy call-to-actions, retargeting pixels, branded links and powerful analytics”. It’s a paid service, but they do offer a free trial if you register. As I’m focusing on the phishing emails themselves, I’m not going to analyze those landing pages further.
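The three traits described in #1 and #3 (a brand name in the From display name paired with an unrelated sender domain, failed or missing SPF/DKIM/DMARC results in the receiver’s Authentication-Results header, and CTAs pointing at a link shortener) can be checked mechanically on each incoming message. The following is an added example of such a triage check, not code from the original post; the brand allow-list, the sample message and the address in it are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Brands impersonated in the campaign and the domains that send for them
# (an assumed, deliberately small allow-list for this example).
BRAND_WORDS = ("youtube", "google", "adsense")
BRAND_DOMAINS = ("google.com", "youtube.com")
SHORTENERS = ("rplg.co",)  # short-URL host observed in the emails
AUTH_ISSUE = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror|temperror|none)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def triage_message(raw: str) -> dict:
    """Flag the three traits from the post for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Display name claims a brand, but the address domain is not one of its own.
    claims_brand = any(w in display.lower() for w in BRAND_WORDS)
    spoof = claims_brand and not any(
        sender_domain == d or sender_domain.endswith("." + d) for d in BRAND_DOMAINS)
    # Every failed or missing SPF/DKIM/DMARC result the receiving MTA recorded.
    auth_issues = sorted({m.group(1).lower()
                          for h in msg.get_all("Authentication-Results", [])
                          for m in AUTH_ISSUE.finditer(str(h))})
    # Link hosts in the body; the campaign's CTAs pointed at a shortener.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = {h.lower() for h in URL_HOST.findall(text)}
    shortened = sorted(h for h in hosts if h in SHORTENERS)
    return {"sender_domain": sender_domain, "display_name_spoof": spoof,
            "auth_issues": auth_issues, "shortener_links": shortened,
            "suspicious": spoof or bool(auth_issues) or bool(shortened)}


# Constructed sample modelled on the emails described above, not a real capture.
SAMPLE = """\
From: "YouTube" <yt.warning.1@gmail.com>
To: owner@example.com
Subject: Warning
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=gmail.com;
 dkim=none; dmarc=fail header.from=gmail.com
Content-Type: text/plain; charset="utf-8"

Some videos you recently uploaded have been flagged as inappropriate.
Click here to edit: https://rplg.co/abc123
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE))
```

Any one of the three findings is enough to route a message to quarantine; the sample trips all three.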
#4 Changes in schedule
Most emails seem to have come during the latter part of any given week, whereas previously they came during the first half. This might not mean anything: sending a lot of email takes a long time, so it could well be a coincidence.
Sending times were between 9:50 and 20:48 UTC+2, so roughly speaking during daytime. Last fall, all of the emails came during nighttime.
Also, funnily enough, the first email of this year, sent January 3, still had “©2019 Youtube” in the footer. This was fixed by January 6.
#5 Size matters
Perhaps bigger is not better when sending out massive amounts of email? This time around the sizes varied between 979 bytes and 1.6 KB. Not a single attachment in this new batch either. Scalability is key, in criminal activities as well!
That’s it for this time, folks! Previously I theorized that the campaign might target only monetized channels, but the evidence was inconclusive. This time, though, the new types of messages seem to reinforce that theory. I’ll keep monitoring how this campaign evolves and whether it finally starts targeting the other channels I have access to as well.
Thanks for reading!