Phishers are creating YouTube channels to document their attacks

Phishing attacks have linked back to YouTube channels where phishers explain their attacks and promote their tools while looking for buyers.

Symantec recently discovered a phishing site that didn’t seem particularly noteworthy at first. However, looking at the HTML source revealed an interesting comment from the attacker. The following figure shows a “brag tag” that details the name of the scam, “Scama Amazon 2016,” along with the attacker’s name, website, and even a YouTube channel.

Figure 1. Comment included in Amazon phishing scam’s HTML, including the attacker’s name, website, and YouTube channel
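For analysts triaging captured phishing pages, a signature comment like this is a useful attribution and clustering artifact. The following is an added example, not Symantec's tooling: it pulls HTML comments out of a page and extracts labelled fields and URLs. The label list, the "key : value" comment layout, and every sample value other than the scam name are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: only the scam name comes from the article; the author,
# website and channel values are placeholders.
SAMPLE_HTML = """<html><head><title>Sign In</title><!-- header -->
<!--
  Scam    : Scama Amazon 2016
  Author  : example_author
  Website : http://kit-author.example/
  YouTube : https://www.youtube.com/channel/EXAMPLE_CHANNEL_ID
-->
</head><body><form action="login.php" method="post"></form></body></html>"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Assumed label set for "key : value" signature lines; extend as kits are catalogued.
FIELD_RE = re.compile(
    r"^[ \t]*(scam|name|author|website|youtube|channel)[ \t]*[:=][ \t]*(.+?)[ \t]*$",
    re.I | re.M)

class CommentCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.comments = []  # raw text of each <!-- ... --> block
    def handle_comment(self, data):
        self.comments.append(data)

def is_youtube(url):
    host = (urlparse(url).hostname or "").lower()
    return host == "youtu.be" or host == "youtube.com" or host.endswith(".youtube.com")

def extract_brag_tags(html):
    """Return one finding per comment that carries signature fields or URLs."""
    collector = CommentCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for comment in collector.comments:
        urls = URL_RE.findall(comment)
        fields = {k.lower(): v for k, v in FIELD_RE.findall(comment)}
        if fields or urls:
            findings.append({"fields": fields, "urls": urls,
                             "youtube": [u for u in urls if is_youtube(u)]})
    return findings

if __name__ == "__main__":
    for finding in extract_brag_tags(SAMPLE_HTML):
        print(finding)
```

Layout comments such as `<!-- header -->` carry no fields or URLs and are skipped, so only the signature block is reported.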

We see a huge variety of different phishing campaigns, everything from almost flippant phishing sites decorated with fish to sites using new, previously unseen AES encryption techniques. The “Scama Amazon” attack demonstrates another new wrinkle, with attackers promoting themselves within their own phishing attack.

Figure 2. Phisher’s YouTube channel

Code nour, the phisher’s YouTube channel, has only five subscribers and most of the videos have under 100 views at the time of writing. While not many people subscribe to the channel or watch the videos, the few that do are keen and enthusiastic. Comments on the videos include praise (“Nice work bro”), along with requests to create phishing kits that they can use for their own attacks.

The videos on the channel show walkthroughs of the phisher’s convincing-looking phishing kits.

Figure 3. Video walkthrough of phishing kits from code nour

Figure 4. Video walkthrough of phishing kits from code nour. The inclusion of localhost in the address bar indicates that it is running on the phisher’s own computer.

Another video showcases a brute force tool used to find PHP web shells or back door scripts on servers. The video suggests that it tries over 1,000 possible common shell names.

Code nour isn’t the only phisher with a YouTube presence. Another phisher’s video shows his desktop, complete with an arsenal of tools, including a SOCKS proxy and VPN clients. We normally expect this kind of activity to take place on secretive underground forums, so it’s surprising that phishers are so brazenly, and publicly, publishing this material on YouTube.

This completely open trade in phishing knowledge and tools shows the scale of today’s phishing problem. With more and more aspects of our lives being managed online, we expect phishing to increase.

To protect against phishing attacks, Symantec recommends users adhere to the following best practices:

  • Use two-factor authentication when possible
  • Do not click on links in messages from unknown senders
  • Use security software and keep it up to date

Symantec Email, Symantec Messaging Gateway, and Symantec Messaging Gateway for Service Providers customers are protected through our advanced URL analysis and intelligence.