Nothing appears amiss; in fact, it is almost a perfect replica. The main differences are: the box surrounding the login is black instead of white; the small detail of the banner at the bottom has different information than Microsoft’s actual login; and the copyright year is showing as 2019.

The disappointing truth is that YouTube provides a method for anyone to create a link at youtube.com, which automatically redirects browsers to third-party phishing sites without any warning. And because email gateways typically whitelist popular domains such as youtube.com, facebook.com, and other social media sites, it's a highly effective way for attackers to get their malicious links in front of innocent users. In contrast, an email which had linked directly to a phishing page might have been less successful at waltzing past email security solutions.

If you're a regular user of YouTube you may already have seen this redirect facility in use. Just check the descriptions of different videos, and when they contain a link hover your mouse over it to see where it will take you. A YouTube video with a description containing a link will actually follow this format:

https://www.youtube.com/redirect?q=[target_URL]&redir_token=[token]&event=video_description&v=[video_ID]

As researchers have noted before, the system can be exploited to trick users if a valid token is taken from a legitimate YouTube redirect link and then used in a malicious campaign.

One way to counter the problem would be for email gateway filters to treat YouTube redirect links with more suspicion, rather than assume that any link pointing to youtube.com is going to keep the user at youtube.com. But ideally I would like to see Google tighten up how it checks redirect links to prevent them from being abused by attackers in phishing attacks like this.
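One way a gateway filter could apply that extra suspicion, shown as an added example that is not from the original article or any vendor's product: unwrap the `q` parameter of a YouTube redirect link and judge the link by where it actually lands. The trusted-host set, function names and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts this hypothetical gateway would otherwise allow outright.
TRUSTED_HOSTS = {"youtube.com", "www.youtube.com"}
REDIRECT_PATH = "/redirect"  # path from the link format quoted in the article
TARGET_PARAM = "q"           # query parameter that carries the destination


def effective_destination(url, max_hops=3):
    """Unwrap YouTube redirect links; return the final URL, or None if still wrapped."""
    for _ in range(max_hops):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host not in TRUSTED_HOSTS or parts.path.rstrip("/") != REDIRECT_PATH:
            return url  # not a redirect link: this is the real destination
        targets = parse_qs(parts.query).get(TARGET_PARAM)
        if not targets:
            return url  # redirect link without a target parameter
        target = targets[0].strip()  # parse_qs has already percent-decoded it
        if "://" not in target:
            target = "//" + target.lstrip("/")  # scheme-less target, keep host parseable
        url = target
    return None  # nested deeper than max_hops: do not trust it


def classify(url):
    """Return (decision, host) based on the landing host, not the host in the email."""
    try:
        dest = effective_destination(url)
        host = (urlsplit(dest).hostname or "").lower() if dest else ""
    except ValueError:  # malformed URL: never fall back to "allow"
        return ("inspect", "")
    return ("allow" if host in TRUSTED_HOSTS else "inspect", host)


if __name__ == "__main__":
    # Constructed sample links; TOKEN and VIDEOID are placeholders.
    samples = [
        "https://www.youtube.com/watch?v=VIDEOID",
        "https://www.youtube.com/redirect?q=https%3A%2F%2Flogin.phish.example%2Foffice"
        "&redir_token=TOKEN&event=video_description&v=VIDEOID",
    ]
    for link in samples:
        print(classify(link), link)
```

A link classified as `inspect` would then go through the same reputation and content checks the gateway applies to any unknown domain.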
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.