In recent years, more and more individuals are deciding to pursue online content creation as a full-time job, with companies paying them a good fortune for advertising their products to their audience. Now, a new malicious campaign is targeting YouTube creators, using advanced automation to send phishing emails disguised as promotional partnership offers. Researchers from CloudSEK, a threat analytics platform, have uncovered the widespread attack, which is affecting over 200,000 YouTubers globally.
The threat actor behind the campaign has built a sophisticated infrastructure of 340 SMTP servers. Each server sends between 500 and 1,000 phishing emails that impersonate well-known brands and offer lucrative promotion deals to YouTube creators. These emails typically offer compensation based on the creator’s subscriber count in exchange for a 15-second advertisement placement in future videos. Hidden within these “business offers”, however, are attachments containing malware.
The emails often include Word documents, PDFs, or Excel files that appear legitimate but are infected with malware downloaders. To avoid detection, the attacker hosts these malicious files in password-protected ZIP or RAR archives on trusted platforms like OneDrive, making it seem as though the links are safe. Once victims click on these links and download the files, they inadvertently install the Lumma Stealer malware.
Lumma Stealer is a powerful infostealer that lets cybercriminals capture sensitive information, including login credentials and financial data. It also gives the attacker remote access to the infected systems, opening the door to further exploitation, CloudSEK’s analyst explains. The malware is capable of bypassing antivirus programs, although the executable file “Digital Agreement Terms and Payments Comprehensive Evaluation.exe” has already been flagged as malicious by 48 antivirus vendors, according to Cybernews.
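The delivery chain above (sponsorship lure, archive password handed over in the mail body, download link on a trusted file-sharing host, and an executable named like a contract document) can be turned into a simple mail-triage heuristic. The following is an added example, not code from CloudSEK or the article; the scoring weights, the `1drv.ms` short-link domain and the sample message are assumptions and constructed input.

```python
import re
# Lure vocabulary from the campaign described above: paid promotion offers
# priced by subscriber count for a short ad placement.
LURE_TERMS = ("sponsorship", "partnership", "promotion", "subscriber",
              "advertisement", "brand deal", "collaboration")
# File-sharing hosts abused to make download links look benign; the article
# names OneDrive, and 1drv.ms is its short-link domain (added here).
SHARE_HOSTS = ("onedrive.live.com", "1drv.ms")
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)$", re.IGNORECASE)
EXEC_RE = re.compile(r"\.(exe|scr|bat|cmd|js|vbs)$", re.IGNORECASE)
# Words that make an executable's name read like a contract or payment document.
DOC_WORDS = ("agreement", "terms", "payment", "contract", "invoice")

def is_document_masquerade(filename: str) -> bool:
    """True for an executable whose name reads like a business document."""
    name = filename.lower()
    return bool(EXEC_RE.search(name)) and any(w in name for w in DOC_WORDS)

def score_email(msg: dict) -> tuple[int, list[str]]:
    """Heuristic (score, reasons) for one parsed message; 3 or more merits review."""
    text = f"{msg.get('subject', '')} {msg.get('body', '')}".lower()
    score, reasons = 0, []
    if sum(term in text for term in LURE_TERMS) >= 2:
        score += 1
        reasons.append("promotion/sponsorship lure wording")
    if "password" in text and any(w in text for w in ("archive", "zip", "rar")):
        score += 2
        reasons.append("archive password supplied in mail body")
    for url in msg.get("links", []):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if any(host == h or host.endswith("." + h) for h in SHARE_HOSTS):
            score += 1
            reasons.append(f"file-sharing link: {host}")
    for att in msg.get("attachments", []):
        if ARCHIVE_RE.search(att):
            score += 1
            reasons.append(f"archive attachment: {att}")
        if is_document_masquerade(att):
            score += 3
            reasons.append(f"executable posing as a document: {att}")
    return score, reasons

# Constructed sample modelled on the lure described in the article.
SAMPLE = {
    "subject": "Sponsorship offer for your channel",
    "body": "We pay per subscriber for a 15-second advertisement. Archive password: 1234",
    "links": ["https://onedrive.live.com/download?id=PLACEHOLDER"],
    "attachments": ["Digital Agreement Terms and Payments Comprehensive Evaluation.exe"],
}
```

Run against parsed mail (for example from a mail gateway's JSON export) and route anything scoring 3 or higher to an analyst queue rather than blocking outright, since genuine brand deals share some of this wording.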
The attackers rely on extensive automation to streamline their operations. They use a parser to harvest email addresses from YouTube channels, targeting both individual creators and organizations. With tools like Browser Automation, the threat actor sends bulk phishing emails from temporary email accounts. The campaign also uses over 26 SOCKS5 network proxies to hide its traffic, and more than 46 Remote Desktop Protocol (RDP) hosts to obscure its activities.
YouTube creators are advised to be cautious of unsolicited offers, especially those with attachments or links to external platforms.