Scammers advertise backdoored phishing templates on YouTube

Pierluigi Paganini November 27, 2016

Security experts from Proofpoint firm observed scammers exploiting YouTube to promote their backdoored phishing templates.

According to experts from the security firm Proofpoint, scammers are advertising on YouTube backdoored phishing templates offering also “how-to” videos and manuals.

It is not a novelty, cyber criminals are switching on legitimate websites to propose their products and services.

Proofpoint researchers have observed scammers distributing phishing templates and related kits via YouTube, a query for “paypal scama” returns over 114,000 results.

The kits offered for sale through YouTube include a backdoor that automatically sends the phished information back to the author.

“A simple search for “paypal scama” returns over 114,000 results. There’s a catch, though, for criminals downloading the software: a backdoor sends the phished information back to the author. While backdoors on these templates aren’t new, the use of YouTube to advertise and distribute them is a new trend.” reads a blog post published by Proofpoint.

The videos show the appearance of the templated and provide instruct to the potential buyers on how to steal information from the victims with phishing attacks.

The post shows as an example of these malicious kits, an Amazon phishing template that replicates the legitimate login page of the popular website.

The researchers downloaded one of the kits advertised on YouTube and analyzed it discovering that the clumsy scammer left his Gmail address hardcoded in the template alongside with an email address used to receive the stolen credentials from the template.

youtube phishing templates

The researchers also analyzed a template for PayPal scammers that was improved to avoid suspicion.

“In this PayPal scam, the author attempts to avoid raising suspicions by adding a PHP include for a file called style.js just before the PHP “mail” command is used to ship off the stolen credentials.” reads the analysis.

The researchers noticed that many videos have been posted for months, a circumstance that suggests the lack of filtering mechanisms implemented by YouTube.

“Many of the video samples we found on YouTube have been posted for months, suggesting that YouTube does not have an automated mechanism for detection and removal of these types of videos and links. They remain a free, easy-to-use method for the authors of phishing kits and templates to advertise, demonstrate, and distribute their software,” states Proofpoint.

Stay Tuned.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – phishing templates, cybercrime)

you might also like

leave a comment