Users from all over the world are currently receiving emails from YouTube that look legitimate at first glance but turn out to be scams on careful inspection. The emails claim that the YouTube team has shared a video with the user that informs them about changes to rules and policies.
The sender address checks out as legitimate, as it is [email protected], and it may be difficult for users to determine whether the email is legitimate or fake.
Careful users may notice some oddities in the email, like You Tube Team or YouTubeTeam, instead of the YouTube Team name, which Google would be using. While there is indeed a link to a video, there is also the description of the video attached, which includes a link to a password protected document on Google Drive. There is also a warning that users have just a few days to open the document.
The channel name has a link to YouTube, and there is a chance that it has been terminated already due to violations of YouTube policies regarding impersonation. It is possible that other channels may still be up, and they likely show some legitimate videos by YouTube to make them look legitimate. The videos are set to private, and can't be opened.
YouTube's official Twitter account has warned users about this new phishing campaign that is targeting YouTube users specifically.
Behind the curtain of the phishing campaign
First of all, it is important to realize that the phishing campaign is exploiting a YouTube feature to send the phishing emails from YouTube's own domain. This gives it a lot of legitimacy and it also means that it will bypass many email filters and security tools that would otherwise have flagged it as spam.
YouTube publishers may set videos that they upload to private. Private means that the videos can't be played even if the video URL is known. What publishers may do, however, is share access to these videos.
And it is this sharing functionality that the threat actors are abusing. Private videos may be shared with other YouTube users. All that is required for that is to enter the email address of one or multiple users and check the email option, so that these users receive an email about it.
These emails are sent from youtube.com, and they show the channel name, which is a custom name selected by the creator of the channel, the video link and the video description.
How to protect yourself from this scam
Many of the usual protections against phishing campaigns do not apply to this one. The domain of the email checks out and is legitimate.
These emails have red flags, and it is important to realize that these red flags help distinguish legitimate emails coming from YouTube from illegitimate ones:
- A password protected Google Drive file. Google / YouTube would never use this form of communication.
- That the video is private (which you would notice when you attempt to play it).
- That YouTube has not published a notification about the alleged changes to the Google account, other than the shared video.
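Because the sender domain passes filtering, these red flags have to be checked in the message content instead. The following is an added example, not code from the article or from Google; the header layout, the regular expressions, the sample messages and the function name `red_flags` are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Patterns follow the red flags listed above; the exact wording they match is an assumption.
NAME_VARIANT = re.compile(r"you\s*tube\s*team", re.I)
DRIVE_LINK = re.compile(r"https?://drive\.google\.com/\S+", re.I)
PASSWORD = re.compile(r"\bpassword\b", re.I)
DEADLINE = re.compile(r"\b(?:\d+|few)\s+days\b", re.I)

def red_flags(raw_message: str) -> list[str]:
    """Return the red flags found in a video-share email sent from youtube.com."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    if not address.lower().endswith("@youtube.com"):
        return []  # out of scope: ordinary sender checks already cover other domains
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    flags = []
    # "You Tube Team" or "YouTubeTeam" imitate the name without spelling it exactly.
    for field in (display_name, str(msg["Subject"])):
        m = NAME_VARIANT.search(field)
        if m and m.group(0) != "YouTube Team":
            flags.append("lookalike-channel-name")
            break
    if DRIVE_LINK.search(body):
        flags.append("google-drive-link")
        if PASSWORD.search(body):
            flags.append("password-protected-document")
    if DEADLINE.search(body):
        flags.append("deadline-pressure")
    return flags

# Constructed sample messages (not captured mail); address and URL are placeholders.
PHISH = """From: YouTubeTeam <constructed-sender@youtube.com>
Subject: YouTubeTeam sent you a video

Changes to rules and policies. Open the document within 7 days:
https://drive.google.com/file/d/CONSTRUCTED-PLACEHOLDER/view
Password: 0000
"""
BENIGN = """From: Some Channel <constructed-sender@youtube.com>
Subject: A private video was shared with you

Holiday footage for the family.
"""

if __name__ == "__main__":
    print(red_flags(PHISH), red_flags(BENIGN))
```

A hit on any single flag is a reason to inspect the message, not proof of phishing; a channel name spelled exactly "YouTube Team" is not caught by the name check and relies on the other flags.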
Google is working on addressing the issue. It may already have changed the title of the emails that are sent for privately shared videos. When we tried to replicate this by setting a video to private and sharing it, the email we received stated "a private video was shared with you". We did not get "channel name sent you a video".
Phishing and scam emails that come from legitimate domains are more effective, as they may bypass filters and other protective features. If they are worded like the YouTube videos, they open the doors for abuse.
Now You: would you have detected the scam?