Rarely, people from agencies email me about collaborating on my YouTube channel. They are usually harmless. But I stay careful because I know this is a trick hackers use to compromise YouTube channels.
A few days ago, I received an email from an agency. They asked if I was interested in a partnership with Sony. I checked their website and it looked professional, so no red flags yet. I said yes I was interested. They then sent me a YouTube video link and told me to follow the instructions there.
The channel’s name was “Sony Creator Studio” and it had 544K subscribers. I watched a bit of the video and it looked fine. It said to go to the website in the description and fill out the form.
I checked the channel’s homepage (unfortunately, I lost the screenshot), and it had many highly viewed videos. I convinced myself that this was an official Sony channel. I then went to the website sonycreators[.]com. It also looked very professional.
I started filling out the form. It asked for my YouTube channel name and then filled in the form with my channel’s public information.
It said, “select the Sony product from the presentation that you’d like to promote.” I thought, okay this sounds good. Let’s read the instructions. Then I saw: it was a password-protected ZIP file.
It also said it should be opened only on a Windows system.
At that moment, I realized it was a phishing attempt. There’s no reason to use a password-protected ZIP file and require Windows if you’re just sending a product catalog.
I was sure it would deliver some executable with malware, but I wanted to see if they had some clever trick. When I opened the ZIP file, it was just an EXE file. So, no clever tricks.
I uploaded the file to Hybrid Analysis and confirmed that it’s indeed malware. https://hybrid-analysis.com/sample/28aec184e65b83cda7b00ab622284cd82b2a7300ca32d1bc9bb35a4feeb76f95/69341790d1c7ea1147046b45
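The two red flags above (an archive whose members carry the ZIP encryption flag, and an executable where a catalog was promised) can be checked without ever extracting the file, and the same script produces the SHA-256 you would paste into a sandbox such as Hybrid Analysis. The following triage script is an added example, not code from the original post; the archive it inspects is a constructed fixture (a fake `Sony_Product_Catalog.pdf.exe` containing only the two-byte PE magic, plus a readme), and the helper that flips the encryption bit in the ZIP headers exists only so the fixture reproduces the header state of a real password-protected archive offline.

```python
import hashlib
import io
import struct
import zipfile

# Member extensions that have no business in a "product catalog" sent to a creator.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".msi", ".dll", ".lnk", ".hta"}
ZIP_FLAG_ENCRYPTED = 0x0001  # bit 0 of the ZIP general-purpose flag word


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect a ZIP without extracting it.

    Returns the archive SHA-256 (for sandbox / hash lookups), members flagged as
    encrypted, members with executable extensions, and readable members whose
    first bytes are a PE header ("MZ") regardless of what the name claims.
    """
    findings = {
        "sha256": hashlib.sha256(zip_bytes).hexdigest(),
        "encrypted_members": [],
        "executable_names": [],
        "pe_payloads": [],
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            encrypted = bool(info.flag_bits & ZIP_FLAG_ENCRYPTED)
            if encrypted:
                findings["encrypted_members"].append(name)
            if any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
                findings["executable_names"].append(name)
            # Content sniffing only works on members we can read: an encrypted
            # member cannot be opened without the password, which is exactly why
            # the lure uses one (it also blinds mail-gateway scanners).
            if not encrypted and not info.is_dir():
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        findings["pe_payloads"].append(name)
    findings["suspicious"] = bool(findings["encrypted_members"]
                                  or findings["executable_names"]
                                  or findings["pe_payloads"])
    return findings


def _set_encrypted_flag(data: bytes, member_name: str) -> bytes:
    """Fixture-only helper: set the 'encrypted' bit in the member's local file
    header (flags at offset 6, name at 30) and central directory entry (flags at
    offset 8, name at 46). The payload is not actually encrypted; this only
    reproduces the header state zipfile sees in a password-protected archive."""
    buf = bytearray(data)
    name = member_name.encode()
    for signature, name_off, flag_off in ((b"PK\x03\x04", 30, 6), (b"PK\x01\x02", 46, 8)):
        pos = buf.find(signature)
        while pos != -1:
            if buf[pos + name_off:pos + name_off + len(name)] == name:
                flags = struct.unpack_from("<H", buf, pos + flag_off)[0] | ZIP_FLAG_ENCRYPTED
                struct.pack_into("<H", buf, pos + flag_off, flags)
            pos = buf.find(signature, pos + 1)
    return bytes(buf)


def build_sample_archive(include_executable: bool = True, mark_encrypted: bool = False) -> bytes:
    """Constructed sample archive (not the file from the post): a readme and,
    optionally, a double-extension 'catalog' whose body is just the PE magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Open the catalog on a Windows system.")
        if include_executable:
            zf.writestr("Sony_Product_Catalog.pdf.exe", b"MZ" + b"\x00" * 62)
    data = buf.getvalue()
    if include_executable and mark_encrypted:
        data = _set_encrypted_flag(data, "Sony_Product_Catalog.pdf.exe")
    return data


if __name__ == "__main__":
    # Mirrors the lure in the post: password-protected archive, single EXE inside.
    for key, value in triage_zip(build_sample_archive(mark_encrypted=True)).items():
        print(f"{key}: {value}")
```

The script deliberately never extracts anything: the header flags, member names and the first two bytes of each readable member are enough to decide that the file deserves a sandbox rather than a double-click, and the printed SHA-256 is what you look up on Hybrid Analysis or VirusTotal before (or instead of) running it.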
I don’t know exactly what it does, but it’s probably some kind of information stealer malware that grabs browser cookies and uses them to log in to your accounts. Some famous YouTube channels were compromised this way. Since hackers steal your cookies directly, they don’t need your password or MFA codes.
I reported this to Sony since I thought their YouTube channel was hacked. Sony told me they do not own that channel, but they would send a request to take it down. I was very surprised. How could it not be their channel? I checked the homepage again. I saw many product videos with over 200,000 views. Then, I realized those videos were not actually uploaded by this channel. They were just showcasing videos from the official Sony channel. I didn’t know you could do that. This feature helps scammers a lot.
As a result, the channel has been taken down.