Evgen Verzun
May 22, 2020
Why YouTube Is a Good “Crutch” For Carrying Out Cyberattacks
“The user’s going to pick dancing pigs over security every time” – Bruce Schneier, American cryptographer, computer security professional, privacy specialist, writer.
If users want to see dancing pigs, I bet they would look them up on YouTube.
They would not be disappointed either, as they could find some adorable videos. “Little pig dancing ‘Work’” deserves a special shout-out, for one. I will not share a link to that video because that would mean losing you to a wormhole of heart-warming content, plus clicking on links is kinda dangerous, according to rumors.
One thing is dead certain though, and not a rumor – humor is one of the better ways to predispose someone to yourself or, in the context of cyberattacks, to actions that would be beneficial to the attacker. Fun can truly be weaponized in multiple ways, and in this blog post, we will review them.
But first, let me share an opinion on why entertainment is so underrated in cyberattacks.
Factors of Susceptibility to Attacks Requiring User Interaction
One of the most well-known attacks requiring action from the user is phishing.
Some might call it the bread-and-butter of cybercriminals, a relatively easy and effective way to acquire private information from unsuspecting victims. When everything else fails, or someone can’t do anything else, phishing comes to the rescue.
Looking at all the recent trends in phishing email themes, a certain five-letter abbreviation would take the top spots. It is situational, relevant, and it interests people. The topic is quite effective, but it wears out much faster and doesn’t have the legs to stay long-term. It also doesn’t cover all the factors of phishing susceptibility.
According to research called “Which Phish Get Caught?”, personality factors that may influence phishing susceptibility are curiosity, entertainment drive, boredom, and lack of focus. Phishing built on fear and urgency has absolutely nothing on the value of feeling good, which makes it less effective: people prefer to feel good and are more likely to make decisions that make them feel good, and those are quite often not the ‘right’ choices.
It is obvious, but not everything has to be complicated.
Entertainment is Effective, Flexible and Underutilized
Think about it: people are more likely to risk it for a “biscuit”, which takes the form of pirated movies and games, music, books, or whatever else.
Instead of reacting to something, people make a conscious decision to get that content. We are more willing to push the risk boundaries when deciding to get it too. In my opinion, entertainment is the better “crutch” for mass attacks. But it can also be used effectively even in the corporate setting.
Not so long ago there was news about a way to extract user credentials from Microsoft Teams just by uploading a GIF file. I don’t know about you, but when I think of GIFs, they are quite often sent for entertainment purposes, and I feel that, even when aware of the threat, more people would react to multimedia than to plain text.
According to Symantec’s 2019 Internet Security Threat Report, Lifestyle (15%) and Entertainment (7%) were the most frequently seen categories of malicious apps, which proves the point to some extent.
If we come back to YouTube, we will have to agree that it covers the aforementioned factors of susceptibility effortlessly. Boredom feeds the lack of focus and fuels entertainment drive, thus putting curiosity as a priority in decision making. Simply put, YouTube is your go-to place when you experience any of those symptoms. And of course, there’s trust. People trust YouTube and do not associate it with cyberattacks as much as they would with Gmail, for example.
I think now that I’ve stated the obvious and gone slightly off-topic, it’s time to pick out what types of attacks can wait for you on the biggest video platform.
5 Examples of YouTube Being Fit-for-Attacking Purpose
If we were to continue dabbling in the topic of phishing while moving closer to the topic of YouTube, it would be fitting to highlight how the more popular content creators can lose their channels.
While consumer-like susceptibility factors remain, there are more things to exploit to phish online celebrities. Ego play! In one of the more recent phishing campaigns discovered by Sucuri’s Remediation team, the attackers used a “YouTube’s Creator Awards” theme to get attention.
Phishing is not a surprise, but what else makes YouTube so great for cyberattacks?
- The URLs of this platform are often used for the obfuscation of malicious links that would download malware for the oblivious user.
- Because platforms like YouTube and LinkedIn are whitelisted in many companies, attackers use them to deliver phishing pages via redirects to bypass security gateways.
- YouTube has an abundance of recognizable and influential personalities that can be impersonated. Not to get some viewing numbers – but to promote scams or plant “free giveaway promotions” ads that would attract the content creator’s fanbase.
- The YouTube channel description section can be used to hide command-and-control server details. Channel descriptions can be used this way for cryptominers and banking malware.
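The allowlist bypass in the second bullet works when a gateway judges a link by the host that wraps it. As an added example (not code from the original post), this Python check unwraps known redirector links without touching the network and decides on the final destination instead. The allowlist, the redirector table (paths and parameter names) and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts the gateway trusts by name (constructed policy).
ALLOWLISTED_HOSTS = {"www.youtube.com", "youtube.com", "www.linkedin.com"}
# Assumption: redirector endpoints as (domain, path) -> parameter holding the
# destination. Illustrative; confirm against your own traffic.
REDIRECTORS = {("youtube.com", "/redirect"): "q",
               ("linkedin.com", "/redir/redirect"): "url"}
MAX_HOPS = 5  # wrappers can be nested; stop unwrapping after this many

def nested_target(url):
    """Return the destination embedded in a known redirector URL, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for (domain, path), param in REDIRECTORS.items():
        on_domain = host == domain or host.endswith("." + domain)
        if on_domain and parts.path.rstrip("/") == path:
            values = parse_qs(parts.query).get(param)
            if values:
                return values[0]  # parse_qs has already percent-decoded it
    return None

def effective_destination(url):
    """Unwrap nested redirectors statically (no network); return (url, hops)."""
    hops = 0
    while hops < MAX_HOPS:
        target = nested_target(url)
        if target is None:
            break
        url, hops = target, hops + 1
    return url, hops

def verdict(url):
    """Judge a link by where it lands, not by the host that wraps it."""
    final, hops = effective_destination(url)
    parts = urlsplit(final)
    # Reaching the hop limit or a non-web scheme is treated as hostile.
    if hops >= MAX_HOPS or parts.scheme.lower() not in ("http", "https"):
        return "block", final
    if (parts.hostname or "").lower() in ALLOWLISTED_HOSTS:
        return "allow", final
    return "inspect", final  # hand to normal URL filtering / sandboxing

# Constructed sample links (example.test is a reserved test domain).
SAMPLES = [
    "https://www.youtube.com/watch?v=abc123",
    "https://www.youtube.com/redirect?q=https%3A%2F%2Flogin.example.test%2Fsignin",
]
if __name__ == "__main__":
    for link in SAMPLES:
        print(verdict(link), "<-", link)
```

A link that is only wrapped once or twice ends up in the same filtering path as if it had been sent bare, which is the property a hostname-only allowlist lacks.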
While watching actual videos is pretty safe, interacting with malicious links that offer you a full version of the video, or any other ‘extra’ content, is always a risk.
To summarize, YouTube can be used to enable cyberattacks or scams based on social engineering, and its functionality can also be used to redirect users to phishing links and hide content for C&C servers.
No place on the internet is 100% safe, so don’t forget that and stay cautious even when visiting a place where you feel at home. Now, after reading this article, you are warned. Take a second to check out the dancing pig in the video I mentioned at the beginning of this blog post.
I would abstain from putting a link, but I’ve provided close to ten of those in the post already, so here is your dancing pig.
Keep the spirits up, but don’t lose your head while doing so.