EXECUTIVE SUMMARY:
A phishing campaign is targeting YouTube content creators by exploiting fake copyright infringement alerts designed to create urgency and fear. The attackers impersonate legitimate platform enforcement mechanisms to trick users into believing their channels are at risk of takedown. The ultimate objective is to steal Google account credentials, enabling full compromise of associated services such as Gmail, Google Drive, and YouTube channels.
The attack begins with a convincing fake copyright notice that closely mimics official YouTube branding and messaging. Victims are directed to a phishing portal that dynamically personalizes the page using publicly available channel metadata such as profile image, subscriber count, and recent uploads to increase credibility. The interface is designed to create urgency, warning users of imminent channel penalties unless they verify ownership by logging in. Once the victim proceeds, they are presented with a counterfeit Google sign-in page, often implemented using browser-in-the-browser techniques to simulate a legitimate authentication window. Credentials entered on this page are transmitted directly to attacker-controlled infrastructure. In some cases, the campaign uses rotating or dynamically fetched domains, allowing attackers to frequently change hosting infrastructure and evade takedown efforts.
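The lure described above leaves detectable traces in the message itself: a sender and links outside Google-owned domains, a brand-bearing lookalike domain, and pressure language about strikes, deadlines and "verifying ownership". The following is an added example (not code from the advisory or from Google) of a simple mail-triage heuristic that scores a message on those traces. The trusted-domain list, the keyword patterns, the scoring weights and both sample messages are constructed assumptions for illustration, not indicators from the campaign.

```python
"""Heuristic triage of 'copyright notice' emails aimed at YouTube creators.

Added example, not from the original advisory. Assumes the message is
available as a From header, subject and plain-text body; the sample
messages at the bottom are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Registered domains a genuine YouTube/Google notice would link from or to (assumed list).
TRUSTED_DOMAINS = {"youtube.com", "google.com", "youtu.be"}

# Brand strings that a lookalike domain would borrow.
BRAND_WORDS = ("youtube", "google", "gmail")

# Pressure / urgency phrases typical of the lure (constructed list).
URGENCY_PATTERNS = [
    r"\bwithin\s+\d+\s+(?:hours?|days?)\b",
    r"\bimmediately\b",
    r"\b(?:terminat|suspend|remov|delet)\w*\b",
    r"\bcopyright\s+(?:strike|infringement|claim)\b",
    r"\bverify\s+(?:your\s+)?(?:account|ownership|channel)\b",
]

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
ADDR_RE = re.compile(r"<([^>]+)>")


def registered_domain(host):
    """Return the last two labels of a hostname ('mail.youtube.com' -> 'youtube.com').

    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(from_header):
    """Extract the registered domain of the address in a From header."""
    m = ADDR_RE.search(from_header)
    address = m.group(1) if m else from_header.strip()
    return registered_domain(address.rsplit("@", 1)[-1])


def link_domains(text):
    """Registered domains of every http(s) URL found in the text."""
    out = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            out.append(registered_domain(host))
    return out


def is_lookalike(domain):
    """An untrusted domain that borrows a brand word is a strong signal."""
    return domain not in TRUSTED_DOMAINS and any(w in domain for w in BRAND_WORDS)


def analyse_message(from_header, subject, body):
    """Score a message; weights are assumed, tune them against your own mail."""
    findings = []
    score = 0
    text = subject + "\n" + body

    sender = sender_domain(from_header)
    if sender not in TRUSTED_DOMAINS:
        score += 2
        findings.append(f"sender domain not trusted: {sender}")

    for d in sorted(set(link_domains(text))):
        if d in TRUSTED_DOMAINS:
            continue
        score += 3
        findings.append(f"link to untrusted domain: {d}")
        if is_lookalike(d):
            score += 3
            findings.append(f"lookalike brand domain: {d}")

    # Count each urgency pattern at most once.
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text, re.IGNORECASE)]
    score += len(hits)
    if hits:
        findings.append(f"urgency/pressure phrases matched: {len(hits)}")

    verdict = "likely phishing" if score >= 5 else "low risk"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample messages (placeholder domains, not real indicators).
PHISHING_SAMPLE = dict(
    from_header="YouTube Copyright Team <notice@youtube-copyright-center.example>",
    subject="Copyright strike: channel termination within 24 hours",
    body=(
        "Your channel has received a copyright infringement claim. "
        "Verify ownership immediately at "
        "https://youtube-copyright-center.example/verify?c=UC-PLACEHOLDER "
        "or your channel will be removed."
    ),
)

LEGITIMATE_SAMPLE = dict(
    from_header="YouTube <no-reply@youtube.com>",
    subject="Your video has been published",
    body="View your video at https://www.youtube.com/watch?v=PLACEHOLDER",
)

if __name__ == "__main__":
    for name, msg in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, analyse_message(**msg))
```

The phishing sample scores on all three axes (untrusted sender, lookalike link domain, five pressure phrases), while a notice that only links to youtube.com and carries no deadline language scores zero. The domain check is deliberately coarse; in a production mail filter it would sit behind proper public-suffix handling and DMARC results rather than replace them.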
This campaign demonstrates the increasing sophistication of phishing operations targeting content creators, particularly through abuse of trust in platform enforcement mechanisms such as copyright claims. By combining psychological manipulation, real-time personalization, and advanced fake login interfaces, attackers significantly increase the likelihood of credential theft. If successful, the impact extends beyond account compromise to full channel takeover and downstream abuse of the creator's audience. Strong verification habits, direct navigation to official platforms, and avoidance of external login prompts remain critical defenses against such threats.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1556.004 | Phishing | Spearphishing Voice |
| Defense Evasion | T1036.003 | Masquerading | Rename Legitimate Utilities |
| Defense Evasion | T1027.003 | Obfuscated Files or Information | Steganography |
| Credential Access | T1110.003 | Brute Force | Password Spraying |
| Collection | T1185 | Browser Session Hijacking | - |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
REFERENCES:
The following reports contain further technical details: