Social engineering threats account for most individual cyber threats, according to the latest quarterly Avast Threat Report, which examines the threat landscape from January to March 2024. It found scams, phishing, and malvertising accounted for 90% of all threats on mobile devices and 87% of desktop threats.
Avast’s threat research team discovered a significant spike in scams leveraging sophisticated tactics such as deepfake technology, AI-manipulated audio synchronisation, and hijacking YouTube and other social channels to disseminate fraudulent content.
“In the first quarter of 2024, we reported the highest-ever cyber risk ratio, meaning the highest probability of any individual being the target of a cyberattack,” said Jakub Kroustek, Malware Research Director at Gen. “Unfortunately, humans are the weakest link in the digital safety chain, and cybercriminals know it. They pray on human emotions and the quest for knowledge to infiltrate people’s lives and devices for financial gain.”
YouTube has become a significant channel for crime. According to Avast telemetry, four million unique users were protected against threats on YouTube in 2023, and approximately 500,000 were protected between January and March 2024.
Automated advertising systems combined with user-generated content provide a gateway for cybercriminals to bypass conventional security measures, making YouTube a potent channel for deploying phishing and malware. Notable threats on the platform include credential stealers like Lumma and Redline, phishing and scam landing pages, and malicious software disguised as legitimate software or updates.
Scammers have also turned heavily to videos as lures. Whether from stock footage or an elaborate deepfake, scammers use all video varieties in their threats. One of the most widespread techniques involves exploiting famous individuals and significant media events to attract large audiences. These campaigns often use deep fake videos created by hijacking official videos from events and using AI to manipulate audio synchronisation. These videos blend altered audio with existing visuals, making it harder for the untrained eye to tell they’re anything but authentic.
Additionally, YouTube serves as a conduit to Traffic Distribution Systems (TDS), directing people to malicious sites and supporting scams ranging from fake giveaways to investment schemes.
Some of the most common tactics through which YouTube is exploited for scams include:
- Phishing campaigns targeting creators: Attackers send personalised emails to YouTube creators proposing fraudulent collaboration opportunities. Once trust is established, they send links to malware under the guise of software needed for collaboration, often leading to cookie theft or account compromise.
- Compromised video descriptions: Attackers upload videos with descriptions containing malicious links, masquerading as legitimate software downloads related to gaming, productivity tools, or even antivirus programs, tricking users into downloading malware.
- Channel hijacking for scams: By gaining control of YouTube channels through phishing or malware, attackers repurpose these channels to promote scams – such as cryptocurrency scams – often involving fake giveaways that require an initial deposit from viewers.
- Exploitation of software brands and legitimate-looking domains: Attackers create websites that mimic reputable companies that people trust and offer illegitimate downloadable software.
- Social engineering via video content: Attackers post tutorial videos or offers for cracked software, guiding people to download malware disguised as helpful tools. This tactic takes advantage of people seeking free access to otherwise paid services or software, leveraging YouTube’s search and recommendation algorithms to target potential victims.
With scams surging, cybercriminals are capitalising on a new business opportunity: malware-as-a-service (MaaS). Through this model, organised crime groups can recruit smaller-scale criminals who want to make quick money by distributing malware on behalf of the group. These criminals can purchase malware, subscribe to it, or share profits in a commission-style partnership.
The most common malware utilised in MaaS are information stealers, which continue to find new distribution channels. For example, DarkGate was spread via Microsoft Teams, using phishing. Lumma Stealer, another MaaS information stealer, continues to spread via cracked software propagated on YouTube, using fake tutorials to mislead victims. This further emphasises that such strains – and their creators – never miss an opportunity to leverage social engineering to distribute malware.
