YouTube as a cover

In some exotic countries there are insects that feed on ants and use their victims' exoskeletons to build camouflage on their backs. What do Acanthaspis petax and spam operators have in common? Both cover their activities with multiple exoskeletons, or dummy accounts, in order to hunt and to evade predators, or anti-spam systems.

We have already described how scammers learned to send phishing messages while hiding behind Google Looker Studio. Now, a few months later, the attackers have managed to "tame" another Google service: YouTube. Emails allegedly from the video hosting service began to arrive en masse at the addresses of employees of Russian companies. Inside was a discussion of a video offering instant earnings through a large investment platform. There is a nuance, however: the senders of these emails only want to profit from the most gullible recipients. How spammers learned to use the popular video hosting service to distribute fraudulent content, and how this new technique can be countered, is explained by Anton Afonin, Head of the Network Traffic Analysis and Machine Learning Department at FACCT.

Suspicious emails from YouTube

In May, FACCT specialists, using the automated email security system Business Email Protection, recorded mass spam mailings allegedly from YouTube to the email accounts of employees of large Russian companies. The emails contained a notification from the video hosting service that a reply had been left to one of the comments on a certain video. The title of the video in the emails announced a "new project from a famous fin-brand."

Fig. 1. Screenshot of one of these letters

The recipient of the message had nothing to do with either the video in the email or the comment left. Furthermore, the name displayed in the email did not match the recipient's name.

On the one hand, such a discrepancy should seriously alert the user who received the email. However, this detail may go unnoticed, or curiosity may prompt the potential victim to follow the link and view the content. Victim is the right word, because all of this is part of a well-thought-out fraudulent scheme.

Is this really a scam?

Let's follow the link from the video description. At the entrance we are greeted by a simple captcha that asks us to evaluate the simplest arithmetic expression.

Fig. 2. Captcha at the entrance to the resource

Yes, protecting a resource with a captcha is a completely normal practice. However, if you look closely at this form, you will notice that the expression does not change when the page is refreshed. And the source code gives a clear and unambiguous answer to why this happens:

Fig. 3. Captcha source code

The expression is simply hardcoded, and the script always checks that "16" was entered in the input field. The site does not need the captcha to protect itself from attacks; it uses it to hide the content behind it from security systems that automatically fetch and analyze pages linked from, for example, emails.

From here the classic investment scam proceeds. After the captcha we are greeted by a survey script that assesses the visitor's financial situation and ends with a form for entering personal data. Some time after the form is submitted, a "specialist" contacts the potential "client", introduces himself as a personal manager, and helps the new client open an account and take the first steps. All the money the client transfers to this account in order to "start earning" ends up in the hands of the scammers.

Fig. 4. Feedback form on a scam resource

Analysis of the mailing mechanism

How did spammers manage to hide behind YouTube to send potentially dangerous content? Please note: The following description is provided for research purposes only.

In fact, the platform itself is unaware that these emails are being distributed on its behalf, and the attackers' sequence of actions was as follows:

  1. The spammers registered a new YouTube channel and posted several videos on various topics. This was necessary to give the channel a natural look and keep it clear of the platform's algorithms. In addition to gag compilations and videos with animals, the channel's authors published a video titled "NEW PROJECT ..". The link to this video was in one of the emails we reviewed.

Fig. 5. YouTube channel for distributing links to the attackers' website

  2. Next, from another account (let's call it User #2), they left a comment under this video.

  3. Then, from a third account (User #3), the spammers replied to that comment, after which they closed the comments on the video.

  4. As a result, User #2 received a notification email from the YouTube platform containing a link to the video and a note that a reply had been left to the comment under it. In the email we reviewed, User #2 was named Natalia Kozhevnikova. This email was indeed generated by YouTube and carried a valid DKIM signature from the video hosting service:

  5. The spammers then began sending this email en masse from their own servers to addresses on their mailing lists.

The mailing is not related to any vulnerability in the YouTube platform or any loophole in its algorithms, as was the case with Looker Studio. Here the service only ensured the delivery of one genuine email, which was subsequently sent out en masse from the spammers' own servers.

Detecting the mailings

The danger of this mailing is that the email carries a DKIM signature from youtube.com, which confirms that it is authentic. It is indeed a genuine email, composed and sent by YouTube's systems, but its content contains a link to potentially dangerous content.

Of course, such a mailing can be recognized. Emails from YouTube can only be sent from a limited number of servers belonging to Google, and the sender's address should always reflect this. In our example, the sender's address had nothing to do with YouTube. Moreover, the attackers tried to spoof their own mailbox as the address of a well-known business literature publisher. Checking the sender server's reputation in the FACCT Business Email Protection system showed that its IP address had already been seen in spam mailings and was listed in several blacklists.

And a last but not least sign. Each email contains the date it was composed (sent), and this is one of the fields covered by the DKIM signature. The attackers cannot change the date originally set in the email, because the DKIM signature would then have to be generated anew, which they cannot do. Therefore the actual date of receipt of such an email may differ greatly from its sending date. In the example given, the "gap" was more than a day.
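The signs described above (a DKIM signature from one domain while the envelope sender and the delivering relay have nothing to do with it, and a Date header far older than the time of receipt), together with the recipient mismatch noted earlier, as an added Python example that is not part of the original article and not FACCT's product code. It parses two constructed messages with the standard library only; it does not verify the DKIM signature cryptographically (the article's point is that the signature does verify), and the sender IP ranges listed for youtube.com are assumed values for illustration.

```python
"""Heuristics for spotting a replayed DKIM-signed notification (added example)."""
import ipaddress
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumed sender ranges for the signing domain. Illustrative values for this
# example; a real deployment would load them from the sender's published SPF
# netblocks rather than hard-coding them.
ASSUMED_SENDER_RANGES = {
    "youtube.com": [ipaddress.ip_network("209.85.128.0/17"),
                    ipaddress.ip_network("2607:f8b0::/32")],
}

# Constructed sample 1: a genuine-looking notification replayed a day and a
# half later from an unrelated relay with a spoofed envelope sender.
REPLAYED_EMAIL = """\
Received: from mail.relay.test (mail.relay.test [203.0.113.45])
\tby mx.victim.test with ESMTP id abc123
\tfor <employee@victim.test>; Wed, 17 May 2023 09:12:00 +0000
Return-Path: <news@publisher.example>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=youtube.com;
\ts=selector; h=date:from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
Date: Mon, 15 May 2023 22:31:07 +0000
From: YouTube <noreply@youtube.com>
To: Natalia <natalia@example.net>
Subject: Someone replied to your comment

A reply was left on your comment.
"""

# Constructed sample 2: the same notification as it would look when delivered
# directly by the signing domain's own infrastructure to the real recipient.
DIRECT_EMAIL = """\
Received: from mail-a.sender.example (mail-a.sender.example [209.85.128.10])
\tby mx.example.net with ESMTP id def456
\tfor <natalia@example.net>; Mon, 15 May 2023 22:31:09 +0000
Return-Path: <noreply@youtube.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=youtube.com;
\ts=selector; h=date:from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
Date: Mon, 15 May 2023 22:31:07 +0000
From: YouTube <noreply@youtube.com>
To: Natalia <natalia@example.net>
Subject: Someone replied to your comment

A reply was left on your comment.
"""


def _domain(addr):
    """Lower-cased domain part of a header address, or '' if absent."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def dkim_domain(msg):
    """d= tag of the first DKIM-Signature header, or None if unsigned."""
    sig = msg.get("DKIM-Signature")
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig) if sig else None
    return m.group(1).lower() if m else None


def last_hop(msg):
    """(relay IP, envelope recipient, receipt time) from the topmost Received
    header, i.e. the hop that handed the message to our own MX."""
    received = (msg.get_all("Received") or [""])[0]
    ip = re.search(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]", received)
    rcpt = re.search(r"\bfor\s+<([^>]+)>", received)
    when = parsedate_to_datetime(received.rpartition(";")[2].strip())
    return (ipaddress.ip_address(ip.group(1)) if ip else None,
            rcpt.group(1).lower() if rcpt else None, when)


def analyse(raw, ranges=ASSUMED_SENDER_RANGES, max_gap=timedelta(hours=6)):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    signer = dkim_domain(msg)
    if signer is None:
        return ["no DKIM signature"]
    findings = []
    # 1. Author and envelope sender should align with the signing domain.
    for header in ("From", "Return-Path"):
        dom = _domain(msg.get(header))
        if dom != signer and not dom.endswith("." + signer):
            findings.append(f"{header} domain {dom!r} does not align with DKIM d={signer}")
    ip, rcpt, received_at = last_hop(msg)
    # 2. The relay that delivered the mail should belong to the signer.
    known = ranges.get(signer)
    if ip is not None and known and not any(ip in net for net in known):
        findings.append(f"delivering relay {ip} is outside the expected ranges for {signer}")
    # 3. A notification addressed to someone else is a replay tell-tale.
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    if rcpt and to_addr and rcpt != to_addr:
        findings.append(f"envelope recipient {rcpt} differs from To: {to_addr}")
    # 4. Date is DKIM-covered, so a replay cannot refresh it; both timestamps
    #    carry a zone here, so the subtraction is well defined.
    gap = received_at - parsedate_to_datetime(msg["Date"])
    if gap > max_gap:
        findings.append(f"Date header predates receipt by {gap}")
    return findings


if __name__ == "__main__":
    for name, raw in (("replayed", REPLAYED_EMAIL), ("direct", DIRECT_EMAIL)):
        print(name, analyse(raw) or "clean")
```

Any one finding on its own is weak (mailing-list forwarding also moves mail off the signer's relays, and clock skew happens), so a gateway would score them together rather than block on a single hit; the replayed sample trips all four checks, the directly delivered one none.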

All of these signs of a spam mailing are detected by the FACCT BEP email protection system, which prevents attackers from delivering emails with unwanted content and protects the infrastructure from this widespread and relevant attack vector.

But even with the most reliable and modern email security systems, always remember the rules of digital hygiene and don't let yourself be misled.
