Go to listing page

New Phishing Email Alert: Watch for YouTube Link in the Attachments

New Phishing Email Alert: Watch for YouTube Link in the Attachments
  • When a user hovers their mouse over the “View File” URL, they see a seemingly-legitimate embedded YouTube link.
  • The fake Sharepoint page appends the user email id within the URL.

Cybercriminals were spotted using YouTube redirect links to evade phishing email detection.

What happened?
A group of researchers alerted on the rise in phishing emails that embed YouTube redirect links, whitelisted through various security defense mechanisms.

  • The emails using this method originated from a fraud—and recently registered—domain sharepointonline-po[.]com.
  • Researchers disclosed that the attackers purported to be with Microsoft’s SharePoint.

Researchers wrote, “Most organizations allow the use of platforms such as YouTube, LinkedIn, and Facebook and whitelist the domains, allowing for potentially malicious redirects to open without any fuss.”

How does it work?
Attackers’email from the fake domain would indicate that a new file has been uploaded to the target company’s SharePoint site, with an option to “View File.”

  • When a user hovers their mouse over the “View File” URL, they see a seemingly-legitimate embedded YouTube link.
  • Clicking on the URL redirects to YouTube, and then jumps to another URL  (companyname[.]sharepointonline-ert[.]pw) — the actual phishing landing page.

Chances are that the email may appear illegitimate to company employees but anyone curious about visiting a YouTube link may just click on it.

About the phishing page
As per researchers, each of the fraud domains were quickly registered with Namecheap (could be the work of bots).

  • The phishing landing page was hosted on a Google platform (googleapis.com), to make it appear legitimate.
  • The fake Sharepoint page appends the user email id within the URL, automatically populating the login box with the account name. 
  • Since the login page is controlled by the attackers, it sends the victim's credentials back to their C2 servers.

Bottom line
Cyberattackers continue to raise the stake for researchers when it comes to distinct yet innovative phishing attack methods. 

Nowadays, the bad actors can be seen tapping into the panic around the coronavirus under various schemes including spear-phishing emails, coronavirus spread maps, and more. They even counterfeited HIV test results to convince to-be victims to hand over their credentials.
Cyware Publisher

Publisher

Cyware