Hackers advertising and selling phishing kits via YouTube with secret backdoor
Hackers using YouTube to advertise and market their malicious wares marks the beginning of a new trend, experts said REUTERS/Dado Ruvic

Cybercrime, like any other enterprise is a business, albeit an illegal one. Apart from targeting individuals, businesses and governments, cybercriminals also cash in by creating, using and marketing malware to other crooks. It appears however, that the age old adage of "honour among thieves" does not apply to cybercriminals these days.

Security researchers have uncovered cybercrooks advertising and distributing phishing kits, that come with how-to videos and links to additional information, to wannabe hackers via YouTube. The catch however is that the advertised kits come with a secret backdoor that sends all the phished data back to the author.

According to Proofpoint security researchers, hackers using YouTube to advertise and market their malicious wares marks the beginning of a new trend. "A simple search for "paypal scama" returns over 114,000 results," researchers noted, indicating that this new trend already appears to have been propagated fairly successfully.

Researchers said, "Many of the video samples we found on YouTube have been posted for months, suggesting that YouTube does not have an automated mechanism for detection and removal of these types of videos and links. They remain a free, easy-to-use method for the authors of phishing kits and templates to advertise, demonstrate, and distribute their software."

Researchers also added that the YouTube videos came with links to templates and phishing kits. The videos themselves featured the "look and feel of the templates" and provided pointers on how to go about collecting the phished data. One such video was for an Amazon phishing template which cloned the Amazon login page. Researchers noted that this particular video also came with a Facebook link to contact the author.

Proofpoint researchers decoded a sample of a phishing template downloaded from a link provided in a similar video and discovered that the author's Gmail address was "hardcoded to receive the results of the phish every time the kit was used, regardless of who used it."

Researchers warned that the concept of honour among thieves does not apply in this case "since multiple samples revealed authors including backdoors to harvest phished credentials even after new phishing actors purchased the templates for use in their own campaigns.

"The real losers in these transactions, though, are the victims who have their credentials stolen by multiple actors every time the kits are used," researchers added.

It is still unclear as to how many people may have been affected by this latest phishing scam. The identity and location of the individual/individuals behind this campaign also remains unknown. IBTimes UK has reached out to Proofpoint for further clarity on the matter and will update this article in that a response is provided.