Proofpoint has warned home computer users not to fall for a new campaign trying to trick them into clicking malicious links in the descriptions of YouTube videos.
The vendor has observed infostealer malware including Vidar, StealC and Lumma Stealer delivered via the platform, disguised as pirated software or cracked video games and bundled with legitimate-looking content.
“While the video is intended to show end users how to do things like download software or upgrade video games for free, the links included in the video description lead to malware,” Proofpoint explained.
“Many of the accounts hosting malicious videos appear to have been compromised or obtained from legitimate users, but researchers believe they were created solely to deliver malware and only lasted a few hours. We are also observing accounts that are not active and are likely created and managed by attackers.”
The vendor notified YouTube of more than 20 accounts and videos designed to distribute malware in this way, which the video platform giant has since removed.
Proofpoint said many of the games used as decoys were chosen deliberately because they are popular with children, a demographic less likely to follow online safety best practices, which it said shows the attackers are targeting those easiest to deceive.
The attackers may also have used automated bots to inflate the view counts on these videos, making them appear more legitimate.
MediaFire and Discord links were commonly used to connect victims to information-stealing malware, Proofpoint added.
The campaign featured “multiple distinct clusters of activity,” and Proofpoint was unable to attribute the activity to any single threat group.
“However, the techniques used were similar, including the use of video descriptions to host URLs leading to malicious payloads, providing instructions to disable antivirus, and creating bloated videos in an attempt to evade detection, including the use of similar file sizes.”
“Based on similarities in video content, payload delivery, and deception techniques, Proofpoint assesses that attackers consistently target non-enterprise users.”
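The techniques Proofpoint lists above (download links in video descriptions pointing at file hosts, "turn off your antivirus" instructions, and bloated payloads of similar sizes) are easy to turn into simple triage checks. The Python below is an added example written for this article, not Proofpoint's code or tooling: the hostnames, phrase patterns and bloat threshold are assumptions chosen for illustration, and the sample descriptions and payload bytes are constructed inline.

```python
import re
from dataclasses import dataclass, field

# File hosts the article names as common landing points (MediaFire, Discord).
# The exact hostnames are an assumption for this example, not a list from Proofpoint.
SUSPECT_HOSTS = ("mediafire.com", "discordapp.com", "discord.com")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Phrasing typical of "disable your antivirus first" instructions (assumed wording).
AV_DISABLE_RE = re.compile(
    r"\b(disable|turn\s+off|deactivate)\b[^.\n]{0,40}"
    r"\b(antivirus|anti-virus|defender|real[- ]time protection)\b",
    re.IGNORECASE,
)


@dataclass
class DescriptionVerdict:
    urls: list[str] = field(default_factory=list)
    suspect_urls: list[str] = field(default_factory=list)
    av_disable_hint: bool = False

    @property
    def risky(self) -> bool:
        return bool(self.suspect_urls) or self.av_disable_hint


def host_of(url: str) -> str:
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def assess_description(text: str) -> DescriptionVerdict:
    """Flag a video description that links to a suspect file host or tells
    the viewer to disable antivirus before running the download."""
    verdict = DescriptionVerdict()
    for url in URL_RE.findall(text):
        verdict.urls.append(url)
        host = host_of(url)
        if any(host == d or host.endswith("." + d) for d in SUSPECT_HOSTS):
            verdict.suspect_urls.append(url)
    verdict.av_disable_hint = AV_DISABLE_RE.search(text) is not None
    return verdict


def bloat_ratio(data: bytes, chunk: int = 4096) -> float:
    """Fraction of fixed-size chunks consisting of a single repeated byte.
    Padding a payload with long runs of one byte is a cheap way to inflate
    its size; a high ratio is a hint that the file has been bloated."""
    if not data:
        return 0.0
    padded = total = 0
    for off in range(0, len(data), chunk):
        block = data[off:off + chunk]
        total += 1
        if block.count(block[0]) == len(block):
            padded += 1
    return padded / total


def looks_bloated(data: bytes, threshold: float = 0.5) -> bool:
    return bloat_ratio(data) >= threshold


# Constructed sample inputs (not real descriptions or real malware).
SAMPLE_DESCRIPTIONS = {
    "cracked_game": (
        "Free full version! 1. Download: https://www.mediafire.com/file/abc123/Setup.zip "
        "2. Turn off Windows Defender before running the installer. Password: 1234"
    ),
    "legit_tutorial": (
        "Source code for this video: https://github.com/example/project Thanks for watching!"
    ),
}
# A fake executable stub followed by a megabyte of zero padding.
SAMPLE_BLOATED_PAYLOAD = b"MZ" + b"\x90" * 200 + b"\x00" * 1_000_000
# A small file with varied content, for comparison.
SAMPLE_NORMAL_PAYLOAD = b"MZ" + bytes(range(256)) * 10

if __name__ == "__main__":
    for name, text in SAMPLE_DESCRIPTIONS.items():
        v = assess_description(text)
        print(f"{name}: risky={v.risky} suspect_urls={v.suspect_urls} av_hint={v.av_disable_hint}")
    print("bloated payload:", looks_bloated(SAMPLE_BLOATED_PAYLOAD))
    print("normal payload:", looks_bloated(SAMPLE_NORMAL_PAYLOAD))
```

The description check is deliberately narrow: it only reacts to the two signals the article describes, and a production rule set would want allow-listing of the channel's own domains and a wider phrase list. The bloat heuristic is likewise a hint, not a verdict; legitimate installers can contain large runs of identical bytes, so it belongs alongside other checks rather than as a standalone detection.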