
Dangerous Proposal: Cybercriminals Targeting YouTube Creators With Fake Partnership Offers

For protection against such attacks, CloudSEK suggests that users must double-check the sender's details and contact brands through official channels only.

Over 2 lakh users have been victims of a malware campaign that targets YouTube creators and businesses worldwide, according to cybersecurity company CloudSEK. (Source: Freepik)

In a new tactic highlighting the increasing risks faced by individuals and organisations on social media platforms, over 2 lakh users have been victims of a malware campaign that targets YouTube creators and businesses worldwide, according to cybersecurity company CloudSEK. 

How Attack Unfolds

Attackers send emails that look like genuine offers for partnerships or promotions. These emails often include subject lines like "collaboration proposal" and "marketing Opportunity", with attachments or links leading to malicious files. Emails are crafted to mimic professional brand collaboration requests, luring creators into downloading files from cloud services.

Password-protected archives hosted on platforms like OneDrive contain malicious attachments disguised as agreements or promotional materials. These include files such as "digital agreement terms and payments comprehensive evaluation.exe".

Once extracted, these files deploy malware designed to steal sensitive information, including login credentials and session cookies. They also allow attackers to gain remote access to the victim's system or access to YouTube accounts.

According to CloudSEK, YouTube creators are primary targets of this attack. Creators are approached with offers tailored to their channel's audience size and content type. Once a creator's account is compromised, attackers use it to promote fake giveaways, crypto scams, or malicious links to followers.
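For triage of the archives described above, the following added example (not code from CloudSEK or this article) lists a ZIP's members without extracting them and flags executables that carry document-style names. It assumes a standard ZIP, where member names stay readable even when the contents are password-protected; the extension and keyword lists and the archive built inline are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists for illustration; tune them for your own mail flow.
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".js", ".vbs", ".lnk"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xlsx"}
LURE_WORDS = {"agreement", "contract", "terms", "payment", "payments",
              "proposal", "collaboration", "promotion"}

def triage_archive(zip_bytes):
    """Map each suspicious member name to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            path = PurePosixPath(info.filename)
            ext = path.suffix.lower()
            if info.is_dir() or ext not in EXEC_EXTS:
                continue
            reasons = [f"executable extension {ext}"]
            stem = path.stem.lower()
            for sep in "_-.":
                stem = stem.replace(sep, " ")
            hits = sorted(set(stem.split()) & LURE_WORDS)
            if hits:
                reasons.append("document-style lure words: " + ", ".join(hits))
            suffixes = [s.lower() for s in path.suffixes]
            if len(suffixes) > 1 and suffixes[-2] in DOC_EXTS:
                reasons.append(f"document extension {suffixes[-2]} before {ext}")
            if info.flag_bits & 0x1:  # bit 0 set: member content is encrypted
                reasons.append("password-protected, content cannot be scanned")
            findings[info.filename] = reasons
    return findings

# File name quoted in the article; the bytes stored under it are harmless.
PAGE_SAMPLE = "digital agreement terms and payments comprehensive evaluation.exe"

def build_sample():
    """Constructed archive: placeholder bytes under lure-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PAGE_SAMPLE, b"placeholder, not a real executable")
        zf.writestr("rate_card.pdf.scr", b"placeholder")
        zf.writestr("brand_guidelines.pdf", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in triage_archive(build_sample()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Archive formats that encrypt their file listing hide member names, so an archive that cannot be listed at all should be treated as unscannable rather than clean.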

Real-Life Example

In one case, a YouTube creator received an email offering a lucrative brand deal. The email contained a link to a OneDrive file, supposedly containing terms and conditions. Upon downloading and extracting the file, malware was deployed, compromising the creator's account. The attackers then used the account to post videos promoting a fraudulent cryptocurrency giveaway.

Attack By Numbers

As per CloudSEK data, 500–1,000 phishing emails are being sent from a single email account. More than 340 SMTP servers have been weaponised for attacks, and over 26 SOCKS5 proxies have been used to mask criminal activities. Over 46 remote desktop protocols have been compromised.

How To Prevent Such Cyberattacks 

For protection against such attacks, CloudSEK suggests that users must double-check the sender's details and contact brands through official channels only. They should avoid downloading files or clicking links from unknown or suspicious sources.

Users must also enable two-factor authentication to add an extra layer of security to their YouTube account. Additionally, regularly checking the account for unauthorised logins or changes can help track such activity.

Organisations must also educate their teams to ensure everyone involved in managing a YouTube account is aware of these phishing tactics.
