YouTube has recently seen a rise in the number of videos that contain links in the description box to download malware that steals users’ information, with many using AI-generated characters to trick viewers into trusting them.
According to a report by cyber analytics company CloudSEK, content uploaded to the video hosting platform that tricks users into installing known information-stealing malware, such as Vidar, RedLine, and Raccoon, has increased by between 200 and 300 percent since last November.
The report stated that the videos pretend to be educational clips showing how to download free, illegal copies of popular paid design programs, such as Adobe Photoshop, Adobe Premiere Pro, Autodesk 3ds Max, and AutoCAD.
These fake tutorials have recently become more sophisticated. Where they were previously just screencasts with voice guidance, they now use AI to create a realistic-looking character who guides the viewer through the process, all in an effort to appear more persuasive.
CloudSEK warns that the number of AI-generated videos is generally on the rise. They are used for legitimate educational, employment, and promotional purposes, but they are now being used for malicious purposes as well.
The malware promoted in these clips is designed to infiltrate the user's system and steal valuable personal information, such as passwords and payment details, which is then uploaded to the threat actor's server. It is spread through malicious downloads and links, in this case the links placed in the videos' descriptions.
CloudSEK warns that YouTube, which has 2.5 billion monthly users, is a prime target for threat actors who game the site's algorithm in various ways in order to avoid the platform's automated content review process.
This includes using regional tags, adding fake captions to make videos appear legitimate, and uploading lots of videos to compensate for any clips that are removed or blocked. CloudSEK found that threat actors upload between 5 and 10 malicious videos every hour.
For search-engine optimisation, the threat actors also plant many hidden links and use random keywords in different languages so that the YouTube algorithm is persuaded to recommend the videos.
To disguise the malicious nature of the links, the threat actors use link-shortening services, such as bit.ly, as well as links to popular file hosting services, such as MediaFire.
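The indicators described above (shortened links, file-hosting links, paid design software offered as a free or cracked download, and keyword stuffing across several languages) can be turned into a simple triage heuristic for video descriptions. The following Python snippet is an added example written for this article, not code from CloudSEK or the report; the extra shortener and file-host domains, the crack phrases, and the sample descriptions are constructed assumptions, not indicators taken from the report.

```python
import re
from urllib.parse import urlparse

# bit.ly, MediaFire and the software names come from the article; the other
# domains and the crack phrases are assumed additions a defender might track.
SHORTENERS = {"bit.ly", "tinyurl.com", "cutt.ly", "rb.gy"}
FILE_HOSTS = {"mediafire.com", "mega.nz", "anonfiles.com"}
PAID_SOFTWARE = ("photoshop", "premiere pro", "3ds max", "autocad")
CRACK_PHRASES = ("free download", "cracked", "full version", "license key")

URL_RE = re.compile(r"https?://[^\s<>)\]]+", re.IGNORECASE)
# Coarse Unicode script buckets; enough to spot multilingual keyword stuffing.
SCRIPT_RANGES = {
    "latin": (0x0041, 0x024F), "cyrillic": (0x0400, 0x04FF),
    "arabic": (0x0600, 0x06FF), "kana": (0x3040, 0x30FF),
    "cjk": (0x4E00, 0x9FFF), "hangul": (0xAC00, 0xD7AF),
}

def extract_hosts(text):
    """Return the hostnames of every http(s) URL in the description, without a leading www."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.add(host)
    return hosts

def scripts_used(text):
    """Return the coarse scripts present among the letters of the description."""
    found = set()
    for ch in text:
        if not ch.isalpha():
            continue
        for name, (lo, hi) in SCRIPT_RANGES.items():
            if lo <= ord(ch) <= hi:
                found.add(name)
    return found

def triage_description(text):
    """Score a description against the indicators above; more reasons means more suspicious."""
    lowered = text.lower()
    hosts = extract_hosts(text)
    reasons = []
    if hosts & SHORTENERS:
        reasons.append("link shortener")
    if hosts & FILE_HOSTS:
        reasons.append("file-hosting link")
    if any(p in lowered for p in PAID_SOFTWARE) and any(c in lowered for c in CRACK_PHRASES):
        reasons.append("paid software offered as free or cracked")
    if len(scripts_used(text)) >= 3:
        reasons.append("keyword stuffing across several scripts")
    return {"score": len(reasons), "reasons": reasons}
```

A high score is a queue for human review, not a verdict; legitimate multilingual channels and tutorials that link to official vendor pages should score low.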
CloudSEK recommends that companies adopt a hands-on approach in which threat actors' tactics and techniques are closely monitored so that threats can be properly identified.
In addition, the company suggests conducting awareness campaigns and sharing simple tips, such as refraining from clicking on unknown links and using multi-factor authentication to secure accounts.