Malicious actors are using deepfake videos impersonating YouTube’s CEO to steal users’ credentials in a multi-month phishing campaign.
The attackers sent private videos to targeted users via legitimate-looking emails, warning them that YouTube was changing its monetization policies.
“We’re aware that phishers have been sharing private videos to send false videos, including an AI-generated video of YouTube’s CEO Neal Mohan announcing changes in monetization,” the video-sharing platform warned.
The video asks targeted users to click a link in its description to confirm “updated YouTube Partner Program (YPP) terms” and remain compliant; the link instead redirects them to a phishing site that steals their credentials.
Hackers use deepfake videos to steal YouTube credentials
The deepfake videos warned YouTube creators that their accounts would be restricted for seven days, preventing them from uploading new videos, editing old ones, or withdrawing their earnings if they failed to act promptly.
However, clicking the link redirects victims to a malicious page, studio.youtube-plus[.]com, that asks them to sign in to their YouTube account. Credentials entered on the phishing site are compromised.
When users enter their login credentials, even fake ones, the page informs them that their account is now pending and then asks them to open the document in the fake video’s description.
“This attack follows the traditional phishing scheme, tricking victims into entering their credentials on a fake website, using a scare tactic to provoke a quick response and target their income,” noted Randolph Barr, CISO at Cequence. “What makes it different is the use of AI-generated video, likely a deepfake, which is harder to detect as technology has advanced.”
Although YouTube only began investigating the campaign in mid-February, attackers have been using deepfake videos to compromise accounts since late January.
When compromised, the accounts are used to livestream cryptocurrency scams to unsuspecting YouTube users. However, the number of YouTube accounts compromised by the campaign remains unreported at the moment.
Meanwhile, YouTube has warned users not to click on links embedded in emails unless they trust the sender, so that they do not fall victim to phishing attacks.
“Many phishers actively target Creators by trying to find ways to impersonate YouTube by exploiting in-platform features to link to malicious content,” the company added. “Please always be aware and make sure not to open untrusted links or files!”
The video-sharing platform has also provided help resources to assist users in avoiding phishing attacks and a support assistant to help victims recover their compromised accounts.
YouTube has also warned users to avoid watching private videos as they could redirect them to “phishing sites that can install malware or steal your credentials.”
“YouTube and its employees will never attempt to contact you or share information through a private video,” Team YouTube’s Rob said. “If a video is shared privately with you claiming to be from YouTube, the video is a phishing scam.”
“This campaign is an example of the type of in-depth multi-layered phishing attacks that are possible today with the wide variety of tools and techniques available for threat actors,” warned Chance Caldwell, Senior Director of the Phishing Defense Center at Cofense. “In just one phishing attack, they combined the use of an AI video, the spoofing of sending addresses and URL domains, fake webpages for credential theft, and the hijacking of legitimate services for further malicious use.”
Subsequently, Caldwell advised organizations to be diligent in user awareness training and “continue to evolve their employee phishing training alongside the evolution of new phishing methodology.”
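The lookalike host in this campaign puts the brand name inside a domain the attacker registered, so a mail or link filter can compare a link's registrable domain against an allowlist. The sketch below is an added example, not code from YouTube or the researchers quoted; the allowlist, the short suffix sample and all sample links except the reported host are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: registrable domains on which YouTube sign-in legitimately happens.
TRUSTED_DOMAINS = {"youtube.com", "google.com"}
BRAND = "youtube"
# Assumption: tiny sample of multi-label suffixes; real deployments should
# use the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def refang(text):
    """Undo the defanging used in reports (hxxp, [.]) so the URL parses."""
    return text.strip().replace("[.]", ".").replace("hxxp", "http", 1)


def registrable_domain(host):
    """Return the part of the host that someone had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url):
    """Classify a link as 'trusted', 'impersonation' or 'unrelated'."""
    url = refang(url)
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Brand text in the host, or in the userinfo ("youtube.com@host"), of a
    # domain that is not on the allowlist is the lookalike pattern.
    if BRAND in host or BRAND in (parts.username or "").lower():
        return "impersonation"
    return "unrelated"


# Constructed sample links; only the first host is the one reported above.
SAMPLES = [
    "studio.youtube-plus[.]com",
    "https://studio.youtube.com/channel",
    "https://youtube.com.example.net/login",
    "https://youtube.com@example.org/terms",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(classify(link), link)
```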
Deepfake videos increasingly used for cyber attacks
Hackers have long been interested in exploiting deepfake videos for malicious purposes. In 2022, Trend Micro researchers warned that threat actors had access to various tools for creating compelling deepfake videos on the underground market.
Most phishing kits also integrate deepfake capabilities, allowing malicious attackers to improve the success of their campaigns by impersonating prominent people to earn the victims’ trust. Trend Micro found that nearly two-thirds (64%) of consumers have seen deepfake videos, while over a third (35%) have experienced deepfake scams.
One such campaign on Meta impersonated cybersecurity expert Chris Sistrunk to promote a fraudulent electric device. Crypto scammers have also frequently used AI-generated Elon Musk videos to promote investment scams on X.
Besides targeting YouTube accounts, cybercriminals have also considered leveraging deepfake videos to bypass account verification processes that require face-to-face interaction.