Attackers are using YouTube redirect links, whitelisted by various security defense mechanisms, to evade detection.
Researchers are warning of an increase in phishing emails that use YouTube redirect links, which help attackers skirt traditional defense measures.
If certain malicious URLs are blocked by web browser phishing filters, attackers commonly use a redirector URL to bypass these filters and redirect the victim to their phishing landing page. URL redirects have been used in previous campaigns, including malicious redirect code affecting Joomla and WordPress websites and HTML redirectors being used by Evil Corp. Now, a new campaign is using legitimate YouTube redirect links.
“Most organizations allow the use of platforms such as YouTube, LinkedIn, and Facebook and whitelist the domains, allowing for potentially malicious redirects to open without any fuss,” said researchers with Cofense, in a Wednesday post.”
Researchers said that the emails using this method originated from a fraud domain, sharepointonline-po.com, which was recently registered, on Feb. 19. The attackers purported to be with SharePoint, a web-based collaborative platform that integrates with Microsoft Office. The email indicated that a new file has been uploaded to the target company’s SharePoint site, and included an option to “View File.”
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street