Security researchers at Proofpoint have uncovered cybercrooks using YouTube to advertise and distribute phishing kits, complete with how-to videos and links to additional information, to wannabe hackers. The catch, however, is that the advertised kits come with a secret backdoor that sends all the phished data back to the author. IT security experts from Redscan and AlienVault commented below.
Leon Pinkney, SOC Services Director at Redscan:
“Increased competition amongst cyber criminals has led to commercial malware being peddled beyond just underground channels. Social media and other content distribution sites offer criminals a way of promoting their services to the masses and more clearly needs to be done to filter out this type of content. How ironic that the template analysed in this instance has been engineered to share the results of every phish. The criminals themselves may find that their efforts are quickly exploited by perpetrators higher up the chain.
The huge availability of malware aimed at ‘script kiddies’ underlines the need for businesses to improve employee cyber education and adopt a proactive approach to detecting wide-ranging threats.”
Javvad Malik, Security Advocate at AlienVault:
“The YouTube comment section is notoriously bad, not just in the tastefulness (or lack thereof) of the majority of comments, but also with fake accounts masquerading as popular YouTuber accounts leaving comments with malicious links.
So, in that regard it’s not a new channel – although posting the video itself and leaving it in the description would seem to add credibility.
There have been recent instances where a third-party app store abused Apple’s developer enterprise program to serve adware, often promoting repackaged apps in social network channels such as YouTube, Facebook, Google+, and Twitter. https://otx.alienvault.com/pulse/57d8a64828c09f00c55daa2d/
We’ve seen other examples such as Twitoor – which is a backdoor that receives its commands from a specified Twitter account, in effect turning Twitter into a command & control server.
Other examples of abuse across social networks include hashtag hijacking to insert into commentary, using social as a phishing channel, or even brand / person impersonations.
Blocking access to social media wholesale is often not practical for most enterprises. So the best defences would be to educate users about the dangers of clicking on unverified links (especially shortened ones) and of downloading unauthorised apps.
The other step enterprises can take is to have reliable and up to date threat intelligence that can be used to detect any signs of compromise at the earliest stages. That way, if an internal machine starts up a communication with a known C&C server, or exhibits other activity consistent with indicators of compromise, it can be stopped before becoming a major incident.”