Introduction

You may be familiar with phishing, vishing, and similar techniques as the typical attack vectors, but recently even YouTube has been used by bad actors to deploy malware. YouTube is now being used as an attack vector by a group called the “YouTube Ghost Network.”

An entire network of YouTube accounts has been uploading videos enticing users of YouTube to download malware under the guise of downloading video game cheats or other desired software. It’s the norm to stay on guard when opening links or attachments from your email, and now you may want to raise your guard when browsing YouTube as well.

What is Malware?

Malware is malicious software that is designed to exploit or compromise a user’s device or network. Depending on the type of malware deployed, bad actors can even take control of your device. Bad actors use malware to compromise the integrity, availability, or confidentiality of the user’s computer.

Malware can also steal personal information stored on the device or spy on your activity. A common tactic for bad actors is to disguise the malware as legitimate software to gain a user’s trust so that the user downloads and runs it, which is exactly what the YouTube Ghost Network is attempting to do.

YouTube Attack Vectors

The YouTube Ghost Network utilizes numerous features of YouTube, including community posts and links placed in video descriptions, both to build credibility and to give the group multiple attack vectors for compromising a user. Each of these features is used to trick users and gain their trust.

They utilize video accounts to upload a YouTube video advertising their software to trick the user into downloading their payloads. Post accounts are utilized to publish information regarding the user’s interests to gain trust and to entice the user to click links that bring them to an external site.

Lastly, interact accounts are used to post comments advertising whatever product or service the group is offering, building further credibility and trust with the user. Some of these accounts have thousands, or even hundreds of thousands, of subscribers. Keep in mind that just because a YouTube channel has a big following, that doesn’t mean it is legitimate or trustworthy.

Where the Malicious Links Lead

After the user leaves YouTube by following one of these links, they are directed to Google Drive, Dropbox, or other phishing pages that prompt them to download the bad actors' malware under the guise of the software the user wanted.

Many of the links utilize a URL shortener to conceal the link's true path and destination. Once clicked, the links pave the way for malware to be deployed. While seeming to be harmless, these links promising their phony advertised software can cause great damage.
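One way an analyst can see where a shortened link really leads without opening it in a browser is to walk the redirect chain one hop at a time and flag the final host. The script below is an added example written for this post, not code from the original article or from TraceSecurity; it uses a constructed offline sample chain for the demo, and `head_location` is the resolver you would pass in for a live lookup.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# File-hosting services this post names as landing points for the lure.
# They are legitimate services, so the goal is to flag for review, not block.
FLAGGED_HOSTS = {"drive.google.com", "dropbox.com", "www.dropbox.com"}
MAX_HOPS = 10  # guard against redirect loops and absurdly long chains


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib does NOT follow 3xx responses automatically."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url):
    """Live resolver: one HEAD request, returns the Location header or None."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx surfaces here when not followed
        return err.headers.get("Location")


def expand(url, get_location):
    """Follow redirects hop by hop; returns the full chain, start to final URL."""
    chain = [url]
    for _ in range(MAX_HOPS):
        loc = get_location(chain[-1])
        if not loc:
            break
        nxt = urljoin(chain[-1], loc)  # Location may be relative
        if nxt in chain:
            break  # redirect loop, stop here
        chain.append(nxt)
    return chain


def triage(url, get_location=head_location):
    """Summarise a shortened link: hops taken, final host, and whether to flag it."""
    chain = expand(url, get_location)
    host = (urlparse(chain[-1]).hostname or "").lower()
    flagged = host in FLAGGED_HOSTS or host.endswith(".dropbox.com")
    return {"chain": chain, "hops": len(chain) - 1, "host": host, "flagged": flagged}


# Constructed sample chain standing in for a shortener (offline demo, not real URLs)
SAMPLE_REDIRECTS = {
    "https://short.example/abc": "https://hop.example/r?x=1",
    "https://hop.example/r?x=1": "https://drive.google.com/file/d/EXAMPLE-ID/view",
}

if __name__ == "__main__":
    print(triage("https://short.example/abc", SAMPLE_REDIRECTS.get))
```

Run it against a real shortened URL with `triage(url)` (the default resolver); the chain shows every intermediate host, which is useful evidence when reporting the link.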

Conclusion

Google is taking steps to take down these accounts, but it is still best to exercise caution. With over 3,000 videos uploaded by these bad actors to date, now is the time to be diligently on watch even while browsing YouTube.

Malicious actors will keep imagining new ways to target users, and they have no lack of imagination. A good rule of thumb is to always be hesitant to click a link, even on a trusted platform like YouTube.

Thomas Chustz, Information Security Analyst

Thomas started at TraceSecurity as a part of the Atlas team of associate information security analysts, performing remote social engineering and penetration tests. Now, as a full-time ISA, he has started performing some of our risk assessment and IT security audit services. Thomas earned a Bachelor of Science in Psychology from Louisiana State University and is currently working toward his Security+ certification.