Attackers have been abusing legitimate YouTube attribution links and a Cloudflare CAPTCHA to evade detection. Cybersecurity company Vade said the use of YouTube attribution links was a new tactic for bypassing email filters scanning for suspicious redirects.
In a newly discovered phishing campaign, victims receive a spoofed email saying their Microsoft 365 password has expired. The email is personalized and contextualized to create an illusion of legitimacy. Vade researchers noted that the email doesn’t contain misspellings or grammatical errors, which used to be a first telltale sign of a scam.[1]
Below the notice of the allegedly expired password, there’s an option for the victim to keep their current password. The button, hyperlinked to a YouTube URL, eventually redirects users to a phishing page. “If users click the button in the phishing email, it quickly redirects them to Youtube first. And then to a webpage that features a Cloudflare CAPTCHA. The odds are that the webpage is hosted on Cloudflare and uses the URL crawling and bot protections,” Vade said.[2]
Once users click the CAPTCHA, they are presented with a bogus Microsoft 365 page requiring them to sign in, which allows threat actors to harvest their credentials and take over accounts. “Hackers try to use legitimate services to spread phishing to bypass classic email security solutions based on reputation. They are taking advantage of both Youtube and Cloudflare, both of which are potentially whitelisted on many email gateways,” Vade said. The company has observed over 1,000 emails in the last month.
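A mail gateway can check for the redirect pattern described above. The following is an added example, not code from Vade or the original article: it scans an HTML message body for anchors that point at YouTube's `/attribution_link` endpoint and reports whether the button text reads like a credential lure. The host list, the lure keywords, the handling of the `u` query parameter and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

YOUTUBE_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com"}
LURE_WORDS = ("password", "expire", "sign in", "verify", "account")  # assumed keyword list

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def find_attribution_links(html_body):
    """Return one finding per anchor that targets youtube.com/attribution_link."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        try:
            url = urlsplit(href.strip())
        except ValueError:  # malformed href, nothing to classify
            continue
        host = (url.hostname or "").lower()
        if host not in YOUTUBE_HOSTS or url.path.rstrip("/") != "/attribution_link":
            continue
        # Assumption: the onward path is carried in the "u" query parameter.
        inner = parse_qs(url.query).get("u", [""])[0]
        lure = any(w in text.lower() for w in LURE_WORDS)
        findings.append({"href": href, "text": text, "inner": inner, "lure_text": lure})
    return findings

# Constructed sample body (placeholder values, not taken from the campaign).
SAMPLE = """<p>Your Microsoft 365 password has expired.</p>
<a href="https://www.youtube.com/attribution_link?u=%2Fexample-path">Keep current password</a>
<a href="https://www.youtube.com/watch?v=abc123">Watch our video</a>"""
```

A finding with `lure_text` set to true is a YouTube link behind account-related button text, which is the mismatch this campaign relies on; such messages are candidates for quarantine or for following the redirect chain in a sandbox before delivery.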
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] USSS-NH share 04082023
[2] https://www.mirror.co.uk/tech/youtube-fake-gmail-message-alert-29637249