November 26, 2016
YouTube is the most recent platform used by cybercriminals to sell and distribute their tools, but it turns out that not even hackers can trust their fellow “colleagues.”
Security company proofpoint has discovered a recent campaign that involves selling phishing kits and tools that come with a backdoor which can send back all the phished information to the seller.
Specifically, cybercriminals are selling software on YouTube, promising to help wannabe attackers launch phishing attacks. And although these kits are efficient and can indeed be used in phishing attacks, they also include backdoors that collect the phished data and send it to the seller. It’s cybercriminals hacking cybercriminals.
“When we decoded the sample, we found that the author’s Gmail address was hardcoded to receive the results of the phish every time the kit was used, regardless of who used it,” proofpoint says after inspecting one of the phishing kits. “In this same kit, we also found a secondary email receiving the stolen results. It is unclear if this is the same author as the first or if someone else added it and then redistributed the kit.”
YouTube not yet removing these videos
Surprisingly, these kits have been available on YouTube for many months now, and Google’s video-sharing service doesn’t seem to feature a detection system that could help automatically remove the links.
Most of the videos include tutorials or demos, and come with links in the description that lead to websites containing more information and purchase details.
“The old adage of ‘honor among thieves’ should be taken with a grain of salt, since multiple samples revealed authors including backdoors to harvest phished credentials even after new phishing actors purchased the templates for use in their own campaigns. The real losers in these transactions, though, are the victims who have their credentials stolen by multiple actors every time the kits are used,” proofpoint concludes.