New YouTube Windows Attack Warning—Three Strikes And You’re Hacked

A security warning has been issued as YouTube copyright strike notices confirmed in attacks against Windows users. Here’s what you need to know.


YouTube copyright strike warning used in malware campaign.

YouTube users are no strangers to security warnings: attackers use everything from faked private video messages from the CEO to the lure of game cheats for Fortnite and Call of Duty as bait to steal passwords and compromise accounts for nefarious use. Now researchers at Kaspersky have revealed a new attack campaign specifically targeting YouTube users on the Windows platform and employing a “three copyright strikes and you are out” tactic to further a malware distribution operation.

Here’s what you need to know. When talking about cyber attacks, hackers, fraudsters and criminals of all kinds are using increasingly sophisticated, often AI-driven, methods to ensure success. But ultimately, such attackers are creatures of opportunity and employ whatever methods stand the best chance of fooling the victim into clicking a link, following a malicious instruction, or doing something they wouldn’t ordinarily do unless they were being pressured into fixing a perceived problem of some kind.

And so it is with this latest campaign, which combines YouTube account copyright strike warnings with the availability of tools for bypassing access restrictions. A March 5 report by Leonid Bezvershenko, a security researcher with Kaspersky’s Global Research and Analysis Team, with help from Kaspersky experts Dmitry Pikush and Oleg Kupreev, detailed how Windows Packet Divert drivers used to bypass blocks and access restrictions, combined with copyright strike notifications, are being employed to distribute cryptomining malware, using YouTube creators as the conduit. “We recently uncovered a mass malware campaign infecting users with a miner disguised as a tool for bypassing blocks based on deep packet inspection,” the report said. “One of the infection channels was a YouTuber with 60,000 subscribers, who posted several videos with instructions for bypassing blocks, adding a link to a malicious archive in the description.”

Those YouTube videos were determined to have exceeded 400,000 views before the link was removed and replaced with a “program does not work” message. In this campaign at least, the attackers appear to claim that they are the owners of the access restriction bypass tool that a YouTuber has featured in a video, and file a copyright claim accordingly. They then contact the YouTube account holder, warn them of the “three strikes and you are out” copyright violation policy, and offer a “solution”: “allowing” the creator to include a download link to the tool, which the attackers provide.

It has also been noted that, in some cases, the attackers contacted the YouTube creator directly and, still posing as the tool developer, informed them of an update and provided the link for inclusion in their videos. Of course, these links lead to malicious versions of the tool, which download cryptominer malware instead. The identified campaign limited itself to distributing a cryptocurrency miner.

However, as Bezvershenko concluded, “threat actors could start to use this vector for more complex attacks, including data theft and downloading other malware.” The message to YouTube viewers is clear: don’t download software from links in YouTube videos or video descriptions. I have reached out to YouTube for a statement.
