The Latest YouTube Malware Scam
Sekoia's Writeups on Stealc:
blog.sekoia.io/stealc-a-copyc...
blog.sekoia.io/stealc-a-copyc...
Comments: 209
Hi John, they used a share function in YouTube. So they have a private video, so you can't see it, but the thing with private videos is that you can give access to someone. So they add your and other YouTubers' emails, so you would get this email from YouTube stating that this and this channel shared a video with you. In the email you can see the description and title of the video. Once you receive that email, the scammers just remove access so you can't see it; that's why it says the video is private, but you got the email from the official YouTube domain.
@scoopet
A year ago
That's really clever
@kazii_the_avali
A year ago
Not only that, this goes on quite often, just in other forms. PayPal has scams like this. And yes, the email does come from the official website; however, it's because someone did something such as shared or requested something and thus is imitating the official source.
@abhinavadarsh7150
A year ago
I tried. I wonder how they got to type custom email?
@seanvinsick5271
A year ago
I think it might have been shared to drive and then shared from there to get the attachments? I thought the same thing about the share function.
@CZghost
A year ago
@@kazii_the_avali Invoice, perhaps?
This is why whenever I receive an email saying like "Suspicious activity, you can reset your password at this link: [link]" I just close the email, go to the actual website - and change it through there rather than following the link. Can't even trust the email it's coming from now.
@karmanderdimdung223
A year ago
Never follow the link. If you have to, copy the email address and paste it in a new tab. The link has 2 sides: 1, the actual link, and 2, the display name. Scammers/hackers use the official link address as the display name while the actual link is hidden behind it.
Thing I love about John's community is I learn nearly as much reading through the comments as I do in watching the video. You guys are seriously awesome about filling in the holes and adding extra insight to a video. I don't know if anyone else commends the commenters, but keep it up you guys/gals, you are doing newbs like me a real service, thank you.
My first guess would be they've shared the "Private Video" with you via YouTube, and the message they can attach along with that video when sharing is where they've added the Google Drive URL. This causes YouTube to send you a genuine email, from the legitimate YouTube email address, along with the shared video and their phishing message. Because the message contains a Google Drive link, Gmail automatically "adds them" to the email at the bottom, making them look like an attachment, which is why you can see the .zip file immediately. It's especially scary given that even if YouTube terminates the account, as they did with your first example, that email will still be in users' inboxes, with links pointing to malicious stuff likely still up and available, meaning unless YouTube stops this before it happens, banning the account afterwards does nothing but stop them sending out more from that account, which likely takes seconds to create a new one.
@Cypherx444
A year ago
@@user-wc2os5ft6v what the F**k . You know who is he 🤣😂🤣 John will trace you
My guess is they didn't fake the mail address, they used a share function in Google / YouTube somewhere.
@raghavkamath
A year ago
Bruh these bots are getting out of hand. Literally the worst channel to spam the scam.
@Theunicorn2012
A year ago
My guess is they didn't fake the mail address, they used a share function in Google / YouTube somewhere.
Someone should make a testing distro that's full of poisoned info. Like instead of the malware stealing info, it just steals malware. Has anyone ever done something like this? Is it even feasible?
@__whitehawk__
A year ago
Yep. In industry it's called a "honeypot".
@HowToCyber
A year ago
@@__whitehawk__ lmao
@tarekrahman1
A year ago
It's an age-old technique called a honeypot.
@evandroescutatrap131
A year ago
@@__whitehawk__ LMFAO
@jetalone00
A year ago
@evandroescutatrap131 what's so funny about it?
6:45 Another thing is, 5:02 the zip file that created that executable was less than 10 megabytes, but the exec itself is around 700 megabytes. Compression can reduce file size, it cannot reduce it by several orders of magnitude. Unless of course 99% of the file is just the same data repeated over and over and over again, then it can.
@karmanderdimdung223
A year ago
ThioJoe made a video about this malware and apparently the rest of the file is all zeroes. He opened the file in a hex editor, deleted all the zeroes and saved it, which made the file a few MBs, and then uploaded it to VirusTotal for scanning. We could see all the zeroes in this video too at 11:10, but he didn't scroll far enough to show us the mountains of zeroes.
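The two comments above (the 700 MB executable from a sub-10 MB zip, and the hex-editor trick of deleting the zeroes before uploading to VirusTotal) describe the same padding technique that @minhperry mentions further down: junk bytes appended to push a file over a scanner's size limit. The script below is an added example, not code from the video or from any commenter, showing how an analyst can measure the trailing null run without opening the file in a hex editor and hash only the real payload. The sample file it builds is a constructed fake (a tiny "MZ" stub followed by 4 MB of zeroes), not the malware from the video.

```python
"""Measure trailing null padding in a suspect file and hash the real payload."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so a multi-hundred-MB file is not loaded at once


def trailing_null_run(path):
    """Count consecutive 0x00 bytes at the end of the file, reading backwards in chunks."""
    size = os.path.getsize(path)
    run = 0
    with open(path, "rb") as f:
        pos = size
        while pos > 0:
            step = min(CHUNK, pos)
            pos -= step
            f.seek(pos)
            chunk = f.read(step)
            stripped = chunk.rstrip(b"\x00")
            run += len(chunk) - len(stripped)
            if stripped:  # hit a non-zero byte, so the padding run ends here
                break
    return run


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def padding_report(path):
    """Return size, trailing-null count, padding ratio and SHA-256 of the unpadded payload.

    The payload hash is what you would submit or pivot on; the hash of the padded
    file changes with every byte of junk the packer appends.
    """
    size = os.path.getsize(path)
    nulls = trailing_null_run(path)
    payload_len = size - nulls
    h = hashlib.sha256()
    with open(path, "rb") as f:
        remaining = payload_len
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return {
        "size": size,
        "trailing_nulls": nulls,
        "padding_ratio": nulls / size if size else 0.0,
        "payload_sha256": h.hexdigest(),
    }


def build_sample(padding=4 * 1024 * 1024):
    """Constructed sample: a small fake 'payload' followed by megabytes of zeroes."""
    payload = b"MZ" + b"fake-pe-body-for-demo" * 100
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
        f.write(b"\x00" * padding)
    return path, payload


if __name__ == "__main__":
    sample_path, _ = build_sample()
    try:
        print(padding_report(sample_path))
    finally:
        os.remove(sample_path)
```

A padding ratio above, say, 0.9 is a strong hint that the file was inflated on purpose; the `payload_sha256` value is stable across differently padded copies of the same sample, so it is the better key for correlating submissions.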
the download link isn't sus at all lol: "&confirm=no_antivirus"
Fascinating as always! I really appreciate the longer videos where you take time to dig into stuff a little bit more and show us some ways to extract information. Thanks!
@Theunicorn2012
A year ago
Fascinating as always! I really appreciate the longer videos where you take time to dig into stuff a little bit more and show us some ways to extract information. Thanks!
SPF (Sender Policy Framework) specifies which servers are allowed to send emails for a domain. DKIM (DomainKeys Identified Mail) usually provides RSA public keys via DNS; emails are then signed using the corresponding private keys. The emails you received passed these checks, meaning they were definitely sent by YouTube's mail servers.
@DarkFaken
A year ago
What's DMARC? I heard someone the other day saying we should be relying on that more as an indicator of illegitimate emails.
@olliflying
A year ago
@@DarkFaken DMARC is how you set what should happen to non-conforming email traffic. It is also set in DNS records. DMARC *requires* SPF and/or DKIM to be set. DMARC *does not* verify the senders of emails; it only sets out the policy on how non-verified emails should be handled. Here's an example record:
v=DMARC1; p=reject; pct=100; rua=...
p = the policy to use; none, quarantine and reject are available. Quarantine chucks the email into the spam folder; reject refuses to handle it entirely.
pct = the percentage of emails to subject the policy to, usually used for testing.
rua = the reporting email. Larger receivers like Google send statistics and reports to this email every once in a while.
There are more options, but these are just the basic ones you may see.
@papajohnscookie
A year ago
@@DarkFaken DMARC is the policy which tells receiving mail servers what to do with e-mails that either fail SPF & DKIM or are misaligned. It's a DNS record just like SPF & DKIM
@Theunicorn2012
A year ago
SPF (Sender Policy Framework) specifies what servers are allowed to send emails for a domain. DKIM (Domain Keys Identified Mail) provides usually RSA public keys via DNS - emails are then signed using their private keys. The emails you received passed these checks, meaning they are definitely sent by YouTube's mail servers.
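The thread above covers the three pieces a receiving server combines: SPF (which servers may send), DKIM (a signature keyed from DNS) and DMARC (the policy record, plus the rule that a passing SPF or DKIM result must also *align* with the From: domain). The script below is an added example written for this page, not code from any commenter or from Google, that parses a DMARC TXT record like the one quoted above and applies the alignment rule to a constructed Authentication-Results header. All domains, the record contents and the header are made up; `organizational_domain` is a toy stand-in for the Public Suffix List lookup real receivers do. It shows why mail that genuinely left YouTube's servers passes every check even when the *display name* is a fake "You Tube Team", and why a lookalike From: domain would not.

```python
"""Parse a DMARC record and evaluate SPF/DKIM alignment the way a receiver does."""
import re

# Constructed DMARC record, modelled on the one quoted in the comment above.
SAMPLE_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"

# Constructed Authentication-Results header, as a receiving MX might stamp it.
SAMPLE_AUTH_RESULTS = (
    "mx.example.com; spf=pass smtp.mailfrom=bounce.youtube.example.com; "
    "dkim=pass header.d=youtube.example.com"
)


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict and fill in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless stated
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain):
    """Toy approximation: the last two labels. Real receivers consult the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_auth_results(header):
    """Pull the spf/dkim results and the domain each one actually authenticated."""
    results = {}
    m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", header)
    if m:
        results["spf"] = (m.group(1).lower(), m.group(2))
    m = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", header)
    if m:
        results["dkim"] = (m.group(1).lower(), m.group(2))
    return results


def dmarc_verdict(record, auth_results_header, from_domain):
    """Return (passed, action). DMARC passes if SPF or DKIM passes *and* aligns with From:."""
    tags = parse_dmarc(record)
    results = parse_auth_results(auth_results_header)
    spf_ok = dkim_ok = False
    if "spf" in results:
        status, dom = results["spf"]
        spf_ok = status == "pass" and aligned(dom, from_domain, tags["aspf"])
    if "dkim" in results:
        status, dom = results["dkim"]
        dkim_ok = status == "pass" and aligned(dom, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]  # failing mail gets the published policy: none/quarantine/reject


if __name__ == "__main__":
    # Real sender, fake display name: passes, because the checks never look at the name.
    print(dmarc_verdict(SAMPLE_DMARC, SAMPLE_AUTH_RESULTS, "youtube.example.com"))
    # Lookalike From: domain: SPF/DKIM still pass for the real sender but do not align.
    print(dmarc_verdict(SAMPLE_DMARC, SAMPLE_AUTH_RESULTS, "youtube-example.net"))
```

The `pct` and `rua` tags are parsed but not acted on here; a real receiver would apply the policy to only `pct` percent of failing mail and send aggregate reports to the `rua` address. The important takeaway for this scam is the first print: every check passes, because the message really was sent by the platform's own servers.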
~700MB? Hmmm... xvid rips? Goodness, I'm so old.
@minhperry
A year ago
I think I've seen this before, they just inflate the file size by adding unnecessary bytes at the end of the file so the antivirus would just give up since it's too big.
Hey John. First time commenting on one of your videos. I love the content and keep it up.
To send an email from the youtube domain, simply upload a video, set it to private, then use the "Share privately" feature. Notice the email subject? "Channel name sent you a video: Video title"
This is a notification email from YouTube when someone shares a video from YT with you (just like the Google Drive one for sharing a file from there). The attacker used the YouTube email template and changed it to look like an official YouTube email rather than a notification email. If you, for example, share this video with let's say David Bombal via email, he will receive an email from YouTube with this title: John Hammond sent you a video: "The Latest YouTube Malware Scam"
First thing I do with any email I wasn't expecting is check the header info to make sure they haven't spoofed the email address. Not sure how the hell they spoofed all that header info, maybe they used the private video backend to invite you to the video so it actually came from YouTube?
@cybercrime_
A year ago
You can share videos via YouTube (it emails them), you can also add a description to that message when sharing. Google auto appends the Google Drive link as an attachment because it’s deemed as a ‘safe’ link.
@bipolarminddroppings
A year ago
@@cybercrime_ that's a clever exploit.
@Theunicorn2012
A year ago
First thing I do with any email I wasn't expecting is check the header info to make sure they haven't spoofed the email address. Not sure how the hell they spoofed all that header info, maybe they used the private video backend to invite you to the video so it actually came from YouTube?
Hey John, SCR can also just stand for "Script" file. I remember, was it black nurse? That relied heavily on this because it allowed for directly running scripts from any FQDN, not just local files, and got past TONS of heuristics scanning at the time, I think I have a malware sample for this somewhere. Because why would a file extension, on a file extension aware OS, be only one thing?
@LiEnby
A year ago
Windows defaults to using .scr files as screen savers um
The link says no antivirus 😂😂😂
@takahashi5341
A year ago
😂
Thank you. Informative as always...
Great video John, keep the long videos coming!
I have the feeling the Internet is getting overwhelmed with scammers and nothing is done. It goes so far that I'm starting to get disgusted using the Internet. I get scam mails through all means of communication channels. Out of 5 emails, 4 are spam, 3 are scams.
@Buglin_Burger7878
A year ago
Email itself is generally useless. You have to go to the main site to do anything, so legitimate emails should say something and tell you to manually visit the site. This would in general render scam emails worthless since you'd visit the legit site and see it is false.
Hello John. Maybe a stupid question, but how to check if the link is real or fake. If, for example, it is fake and I click on it or copy and paste it into the browser, it is possible to pick up malware. Do I have any method or other possibility to check it? Thanks for the video and your warnings..
I’d be laughing at the email from the get-go. So many subtle clues, and some just glaring.
I see myself as safe from phishing malware because I'm not a celebrity/influencer, so I'm not targeted in particular, but mainly because I don't trust any emails I wasn't expecting in advance (and that narrows it down to 2FA)
Used to be an email delivery analyst and this was actually pretty common to see come through the office and we'd flag it
Love your stuff man!
I love your Videos so much and I am really into this stuff. I am looking forward to be in the cyber security one day too.
Why doesn't Google stop and pause all no-reply YouTube Gmail?
I love your videos. So good. I learn so much about what I didn't know
You gotta look at the bottom-most "Received-by:" line in an email header. That's the originating server; check the network record on the IP and you know where it's from.
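The comment above points at the Received: chain, which is the part of a header that records the path a message took. Each relay prepends its own Received: line, so the bottom-most one is the earliest hop. The script below is an added example (not the commenter's code and not from the video) that walks that chain on a constructed raw message; every hostname and IP in the sample is made up for the demo.

```python
"""Walk the Received: chain of a raw email and pick out the originating hop."""
import email
import re

# Constructed message; every hostname and address below is made up for the demo.
SAMPLE_RAW = b"""Received: from mx-outer.example.net (mx-outer.example.net [198.51.100.7])
\tby inbox.example.org with ESMTPS id abc123
\tfor <me@example.org>; Mon, 27 Feb 2023 10:00:05 +0000
Received: from mail-relay.example.com (mail-relay.example.com [203.0.113.20])
\tby mx-outer.example.net with ESMTPS id def456;
\tMon, 27 Feb 2023 10:00:03 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby mail-relay.example.com with ESMTPA id ghi789;
\tMon, 27 Feb 2023 10:00:01 +0000
From: "You Tube Team" <someone@example.com>
Subject: constructed sample
Content-Type: text/plain

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return Received: headers oldest-first.

    Every relay prepends its own Received: line, so the bottom-most header in
    the message is the earliest hop, i.e. where the message entered the mail system.
    """
    msg = email.message_from_bytes(raw)
    # Headers are folded across lines; collapse the folding whitespace first.
    headers = [re.sub(r"\s+", " ", h).strip() for h in msg.get_all("Received", [])]
    return list(reversed(headers))


def parse_hop(received):
    """Extract the claimed sending host, the bracketed IP, and the relay that logged it."""
    frm = re.search(r"\bfrom\s+(\S+)", received)
    by = re.search(r"\bby\s+(\S+)", received)
    ip = IP_RE.search(received)
    return {
        "from": frm.group(1) if frm else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
    }


def originating_hop(raw):
    """The first hop in the chain, which is the one to look up in WHOIS/rDNS."""
    chain = received_chain(raw)
    return parse_hop(chain[0]) if chain else None


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_RAW)):
        print(i, parse_hop(hop))
```

One caveat when reading the output: only the Received: lines added by servers you trust (your own MX and the hops above it) are reliable. Everything below the line your own server wrote was supplied by the sender and can be fabricated, so the "originating" hop is a lead, not proof, and should be cross-checked against the SPF/DKIM results the trusted MX recorded.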
Emails from YouTube to you will have that very odd email address that YouTube has for you; it has dashes in it and everything. One way to thwart them is to have a different email address on the "contact us" than the one that owns the channel. Then all emails go to the new email but get tagged to the other, non-listed address.
Hi, subtitles are not available; could they be added, please? Thanks a lot.
In the upper left, under the senders email and next to the "to me" there's a down arrow that shows who the security of the email is signed by.
Suppose they used the Share option. How did they manage to write a custom email and attach the zip? And it couldn't be email domain spoofing cuz YouTube has DMARC records for that. Kindly reply if you know more about this.
I don't know whether should we be worried by these attacks, or should we be entertained by these
@parabolicpanorama
A year ago
personally I find it funny but it's probably a little messed up for smaller youtubers.
@vanillafromnekopara
A year ago
Bot comment above lol
@kiyu3229
A year ago
@@vanillafromnekopara huh
Another excellent video !!!, i love your content !!
4:00 The mail address isn't spoofed; that is why it passes on SPF and DKIM. The channel name You Tube (with the space in between) is spoofed. The email itself is therefore legitimately sent from Google's/YouTube's mail server.
Fascinating that the .scr file had a digital signature, I wonder if they stole a signing key from someone
John that’s absolutely insane all that Data In one file Thanks For tip Bud
What about the redirecting issue? Some videos or shows are blocked unless you follow the link in the comments. When you do, right away I get a warning that says it's a malicious website! The shows I pick don't contain bad stuff either. What do viewers do?
That's pretty cool indeed...for scammers. Why though it couldn't read first file? Packed differently?
have you analyzed the sender of this email
The sharing function of a private video is obvious, but how the hell did they add the description "This email has been sent..." down below? You can't add any description when sharing.
It's almost like they aren't even trying anymore
why are screen savers executable?
Yeah, they are emailing you from inside their YouTube account. They are sharing a video, or messaging you from the platform; that's why it looks legit.
Guys, I got it today and had no idea. I clicked on the shared private video and it led me to the YouTube video as I was on a mobile device. But I didn't see the zip file. I didn't click on any link that was in the YouTube video description. Should I be worried about clicking the video?
I am getting mail from no reply dropbox, haven't opened it though
You can tell the email is fake because it asks you to do anything through the email itself. That is normally reserved for verification and other important things that happen because you were just on the site and waiting for the email. Email is not valid communication in of itself, it can only warn you to go to the main site for email to work. ...yet enough people use it as full communication that these scams work.
Sooo... What are the steps concerning that control server now? When you take that down/over, all connected infections are useless right? Of course it's something for law enforcement from that point, but who and how is going to proceed killing the threat?
If YouTube actually did change the rules, then they would make a PUBLIC video and email you with something like "Effective [date], [info]." with a link to YT's help center article about the policy or something.
John Hammond the guy that turns scam attempts in youtube content and I dig it
I understood how this scam works as soon as I saw it the first time. It's literally the share feature. I love how everyone thinks it's this over-engineered scam, whilst in reality it's just a shared video that was generated by YouTube. Kind of stupid that a company this large allows you to do that.
Amazing video, keep it up.
Thanks for sharing
the 7 days deadline sounds like Samara from the Ring film lmao
That is why YouTube violated their own terms of service too.
I mainly delete YouTube emails because they send you who has commented on your comment. Maybe if people need to use emails, and I am sure people use Microsoft Windows, you can use disposable virtual machines, like Windows Sandbox. Sandbox is a temporary, isolated desktop environment where users can run untrusted or even just new software to test it out before running it on their actual host environment.
CGP Grey just released a video saying, to "combat" the scam comment bots, he is only going to let people comment whom he can verify are human. Although, he is only going to verify people who pay to support his channel. So, I can't tell if he is genuinely trying to combat anything.
@floorpizza8074
A year ago
Yeah, that's not going to work out well for him, for too many reasons to even begin to list here.
@AntonioNoack
A year ago
Sounds like he's trying to combat the potential emptiness of his wallet.
@karmanderdimdung223
A year ago
pay to --win-- comment
@Nadia1989
A year ago
CGP Grey went from "if you are financially able, consider becoming a member" to "pay to comment or else"
2:51 Nice to see that you also watch NetworkChuck and have to fight with these damn spambots XD
I seriously wonder how they do this
Every single one of your videos is very interesting to learn from. But how do you find all the time to make videos, edit them and make corrections (unless you have a team behind you) besides your full-time job, man? Don't you get burnt out sometimes from the pressure of creating constantly, posting all the time?
If DKIM and SPF records are correct then yes, this email came from a YouTube server. I would love to see the message headers because something more might be in there.
22:13 yeah, of course they have. and i’m sure there isn’t just one channel, there are a lot
After clicking the attached .zip file, the phone begins to ring. "7 days," says the You Tube Team!
I love these videos - funny when you see a hacker trying to hack a security expert :P
What really blows my mind is that somehow someone managed to either gain access to or create a passable spoof for the youtube/google domain, which is scary and impressive, yet the email still reads like a complete scam. I don't understand how someone can be so clever but at the same time not able to write an email that looks real, because in my experience writing the email is a lot easier than getting access to, or creating a passable spoof of, the domain. I know not everyone's first language is English, it's not mine either, but you would think that someone that goes through this much effort to make the domain seem real and legit would go through at least as much effort to make the email seem legit.
This is such an obvious trap, obvious shady stuff I wouldn't ever believe to be real. If someone falls for this...
Potential compromise of a youtube server?
I knew SPF Record wont fix anything sooner or later...
Noob heee : so how'd they spoof the email domain?
Holy shit. Seems to me Google has some spf flaws, or can this be spoofed otherwise?
Antivirus software really needs to start checking a file if it is really that big or just a bunch of null or random bullshit appended to it.
Someone please set up a bunch of scam sites, but instead of asking for money let them know this is a scam, and they'll ignore things like that from then on, using the same methods scammers use to get customers.
@NitraPunkie
A year ago
Like emails with a link with an image saying "ignore emails like this, they're a scam".
Hey John , when these videos go into a more scammer type side , there are people for that. There is a guy named pierogi who exclusively does internet scams , Big youtuber , You should definitely collab with the guy , you all could use each other. Both good professionals together working on a resolution maybe? Aaaaaand, So , should I start flooding that email for you now , Or later? Aaaaaand This is just another side reason , why we all should not be so reliant on devices and be more diligent. Thanks for posting!
Hey, just noticed there seems to be a bot in the comments replying to comments with the base comment?
so did anyone think to report that fake yt team channel?
Can't you go after that Gmail and domain name and catch that person using help of Google and hosting providers
Also that wasn't the CEO of YouTube. That was the CEO of Google.
I forget which channel, but someone else on YouTube looked at this scam and played the video. It used deepfake technology to try to give the impression it was an official announcement from Google's CEO. The deepfake parroted the same info in the description of the video, as seen in the email. Chances are that they shared the private video with another channel you own and control. For example, if you run channels A and B, each with a different email address, and you list the email address for B on your About page for channel A, then, whenever someone shares a private YouTube video with you, it will only be available if you're actively signed in to channel B. If you're still signed in on channel A, you'll get a "This video is private" error message, even if you're technically signed into channel B. Once you switch from channel A to channel B, the video will be visible to you.
I can teach you about email but I'm in the process of starting my own security channel, figuring out what to do that isn't already covered. I have about 25 years' experience as an independent security researcher specializing in malware & vulnerability research. But if you are serious about it hit me up and we'll see if we can put something together. I believe I'm in your Discord too? I'll have to check because I'm in a lot of Discord channels for different niches too.
Nothing else like watching a video about scams and getting a scam ad
John: "..into an already very long video..." Me: Jokes on you I love these long malware analysis videos 23:50
me : getting ip info of sender
Them sending John the email is like the thugs that broke into John Wick's house in the SECOND film. Like did you not get the memo who this N was???
I use a rotating series of screenshots as my screensaver. Checkmate. (no way that could end embarrassingly)
Done well 👍
I would not tell people to check out the links from an obvious phishing scam that could be loaded somewhere with a virus.
this video felt like it was only 3minutes long
The confidence with which he clicks on those links 😮
Give this man a rusted old rock and he will take 30 mins to tell you it's not gold.
6:34 What is "ytscam"? Are they blatantly saying this is a scam? 🤔
scary that they got the dkim and dmarc to pass with the youtube domain, huge breach and they can be sued
21:44 there are a lot of those these days. you can find a lot of those in russian communities, these people most likely sell these files for people
Wow what a genius 😂😂
Damn, its getting worse and worse 😂
You need Kaspersky to protect you, bro.
Seems like a lot of YouTubers have been getting this recently.
This is same scam but the dumbest one so far. If you have the knowledge, you can easily turn the tables.
"Confirm no antivirus" is suspicious in the link
Great