Phishing YouTube Pages Will Steal Login Password and Infect PCs

Phishing YouTube Pages Will Steal Login Password and Infect PCs
Page content

YouTube and Phishing Attacks

YouTube is a free and popular online video sharing service. Internet users can create a YouTube account to upload and comment on videos using a PC or mobile phone.

Cybercriminals are quite interested in YouTube, but they don’t want to share good content. They want to know about the hottest and most popular videos being watched by users. The information they gather will eventually help them trick users. They will use any available method to find victims, such as sending fake messages via e-mail, posting comments on blogs, using social networking sites or utilizing blackhat SEO strategies or search engine poisoning techniques. Spreading a fake message is an old trick for these bad guys, but SEO poisoning gives them another valuable weapon.

Phishing is a type of scam that can lead to the theft of your valuable data such as login passwords, credit card numbers, social security numbers or other financial or personal information. Like other popular online services, YouTube is being used by attackers for sending spoofed messages or e-mails. Most of the time, scammers or Phishers will use a legitimate online service to store their fake webpage. For an example, they might upload their fake webpage and scripts to free hosting services such as or

Image Credit: Wikimedia Commons (

An Old Trick: A YouTube Phishing E-mail

The old trick used by these cybercriminals is to send a spoofed e-mail. Below is an example of a phishing YouTube e-mail:

Your Account is infected

Your YouTube account has been infected with a self mailing worm and will be terminated in approx. 48 hours if malicious activities continue… Scan your account NOW with YouTubes online scanner to remove this dangerous threat from your computer and prevent further spread of this worm.

Unsuspecting people who clicked the link in the message will be directed to a fake scanner page that will prompt the user to clean the non-existing threats in a PC. This type of attack is also called scareware.



The above screenshot is another example of a YouTube phishing e-mail asking people to download and install a YouTube Toolbar (filename is youtube_toolbar_installer.exe). If anyone installs the supposed toolbar, their PC will be infected with the Zapchast backdoor that will connect to the malware authors’ servers to make the infected PC a part of their botnets.

*Image Credit: Securelist Blog (

Another method used by cybercriminals involves using “Invite as friend” and “Private Messaging” features available to registered YouTube users. Note that some YouTube accounts were hacked after the users fall for such a spoofed YouTube private message.

Youtube Phishing in Search Engine Results

Blackhat SEO strategy by Phishers or Scammers

In the above image, you’ll see an example of search results for a celebrity. It’s quite obvious that the malware distributors have succeeded in poisoning the search engine to make it into the top 10 search results. Clicking the malicious link in the search result page will open a phishing YouTube-like website:

Fake YouTube Webpage

When you click the play button on the embedded player, you will be asked to download a new media codec, which is actually malicious software:

Malicious Codec in Phishing YouTube Page

Spoofed YouTube Pages in Search Engine Results

Another tactic by scammers is to redirect a page from a search engine result to a fake scanner webpage:

Poisoned Search Result

The original page is redirected to another page before being redirected to the scareware website:

Redirected YouTube Page

Scareware Page from Fake YouTube Page

How to Protect Yourself from YouTube Phishing?

It’s a good rule of thumb that you don’t click links in anything that might be a fake message. Also, do not enter your login credential into login pages that aren’t verified as a part of the real website. If you have to login to YouTube, manually type the URL address of into the browser’s address bar. If you are using several of Google’s services such as YouTube, Gmail or Google Adsense and Google Analytics, do not use the same password for all the services. Google has been prompting YouTube users to link their YouTube account with the larger Google service, which means you will now have to control more accounts by regularly changing the passwords for each service.

If your YouTube account is hacked, verify that the e-mail address associated with YouTube account is still yours and then change your email address password. Proceed to regain control of your YouTube account by requesting a password change via

Configure YouTube settings by changing the default settings to your preferred and secure preferences.

In addition to antivirus protection, use a spam filter to prevent even receiving malicious or spoofed emails. You also need to enable the fraud and malware protection in your browser. Replace the default hosts file in Windows by using hpHosts or MVPS Hosts files. Use a browser add-on such as Web of Trust, McAfee SiteAdvisor or AVG LinkScanner that will block or warn you of malicious or phished YouTube pages.

If you are using firewall software such as Outpost Firewall Pro, the paid edition of Online Armor and Kaspersky Internet Security or PURE, you can take advantage of using their Blocklist feature that will block connections to known malicious URL and IP addresses. Screenshots below show redirections by fake pages to fake scanner websites being blocked:

Blocked Redirection to Fake Scanner Page Using IP Blocklist

Redirection is Blocked by Firewalls IP Blocklist