Phishing Campaign Uses Fake YouTube Copyright Notices to Hijack Google Accounts
What Happened — A new phishing operation targets YouTube creators with a counterfeit copyright‑strike page that pulls live channel data to make the lure appear authentic. Victims who enter their Google credentials hand over full control of their Google account, including Gmail, Drive, payments, and the YouTube channel itself.
Why It Matters for TPRM —
- Credential compromise of a single Google login can expose an entire suite of SaaS services used by a vendor or partner.
- Hijacked channels are quickly repurposed for scams, creating reputational risk for any brand that collaborates with the creator.
- The campaign operates as a “franchise,” meaning multiple attackers can leverage the same infrastructure against many third‑party vendors.
Who Is Affected — Media & entertainment companies, digital marketing agencies, influencer‑management firms, and any organization that relies on YouTube creators for brand promotion.
Recommended Actions —
- Verify that all creator accounts use hardware‑based 2FA and enforce security keys where possible.
- Conduct a phishing‑simulation exercise focused on “copyright strike” lures.
- Review contracts with creator‑related vendors for clauses requiring MFA and rapid incident response.
Technical Notes — Attack vector: credential‑stealing phishing page hosted at dmca-notification.info that dynamically injects the victim’s channel avatar, subscriber count, and latest video metadata. No known CVE; the threat relies on social engineering and real‑time data scraping. Data at risk includes Gmail, Google Drive files, Google Pay details, and the YouTube channel itself.
Source: Malwarebytes Labs