Hackers Target Gullible YouTubers to Steal Passwords
More than half of all the emails that are sent and received every day can be classified as spam, and of those, quite a few are classic phishing scams – the ones that trick users into sharing their usernames and passwords with cybercriminals. As we'll see in a moment, from a technical perspective, organizing a phishing campaign is much easier than spreading malware, for example, and yet, we have solid evidence that the chaos that can be wreaked through a single set of stolen login credentials is pretty substantial.
The worst thing about phishing is the fact that it's difficult to protect yourself against it. For one, technology isn't especially helpful in this case. The spam filters do catch some of the scams out, but many slip through which, in itself, is hardly surprising considering the wide diversity of tricks and schemes the crooks come up with every day.
The same diversity makes education very difficult. You can tell users to look out for a certain scenario, and they'll probably manage to avoid it. Pretty soon, however, the phishers will pull another trick, and the trap will spring shut. The truth is, the only way to keep your passwords safe is to look out for the finer details that give every phishing scam away. To show you what we mean, we'll take a look at a recent phishing expedition aimed at YouTube channel owners.
Phishers go after YouTubers
One of the targets was Joy, a proud owner of a Tesla Model 3 as well as a a YouTube channel dedicated to it. Thankfully, instead of taking the bait and giving the crooks her login credentials, she ignored the instructions and used Twitter to warn fellow YouTubers about the danger.
ATTN: @YouTube creators @i1Tesla @LikeTeslaKim @tesla_raj @Model3Owners @BenSullins @marc_benton @TesLatino @Teslatunity (plz tag others you know of). I got this phishing email today from "email@example.com" asking for my password. DO NOT RESPOND & REPORT IT pic.twitter.com/GVWZ33YEMc
— Tesla Joy (@TeslaJoy) May 5, 2019
As you probably know, YouTube is owned by Google which means that the stolen password for the video sharing platform could also compromise data stored in the rest of the services operated by the search engine giant. In other words, the scammers were after a big loot, but they made a few crucial mistakes that tipped off the more observant users. Let's have a look at them.
You can always count on phishers making mistakes
On the face of it, there doesn't seem to be anything wrong with the email. The YouTube logo is where you'd expect to find it, and the text appears to be properly formatted. As soon as you take a closer look, however, you'll see many different discrepancies.
First of all, the subject of the email says "Youtube [sic] Support" which is rather vague and somewhat unusual. Then there is the sender address – "firstname.lastname@example.org". Although both Gmail and YouTube belong to the same company, a real YouTube support agent will never use a generic email address to contact you. What's more, in a second tweet, Joy noted that the scammers tried to get in touch with her through her business email, not the one she uses for logging in to her YouTube account. A real employee wouldn't do that.
Even if you disregard all this, as soon as you start reading the body of the message, you'll see that things just don't add up. The whole thing about evaluating an application might sound strange to the people who haven't applied for anything. The presence of typos is somewhat unusual, and the fact that whoever wrote the email doesn't seem to be entirely sure how YouTube should be capitalized is even weirder. Mind you, this is hardly surprising considering the fact that they managed to get the address of YouTube's HQ wrong. All in all, there's no shortage of clues that tell you pretty conclusively that you're looking at a phishing email. There is an even more obvious red flag, though.
No legitimate company would ask you to write down your password in an email and send it out. If you find one that does that, you should carefully think about whether you want to continue using its services.
These YouTube phishers were not professionals
All this goes to show that we're not talking about the most sophisticated group of phishers the world has ever seen. They made quite a few errors when they were preparing their scam, and they couldn't even be bothered to create a phishing page to make the scheme look at least a bit more convincing. The fact of the matter is, the next phishing email that lands in your inbox might be the work of people who know a lot more about what they're doing than these folks. That said, even the most seasoned scammers make mistakes. As we saw above, spotting them is a matter of treating every single email, especially the ones concerning your online accounts, with a healthy dose of suspicion.