Hi John, they used a share function in KZbin. So they have a private video, so you can't see it, but the thing with private videos is that you can give access to someone. So they add your and other youtubers emails, so you would get this email from youtube, stating that this and this channel shared a video with you. In the email you can see description and title of the video. Once you receive that email - the scammers just remove access so you can't see it, that's why it says the video is private, but you got email from official youtube domain.

This is why whenever I receive an email saying like "Suspicious activity, you can reset your password at this link: [link]" I just close the email, go to the actual website - and change it through there rather than following the link. Can't even trust the email it's coming from now.

Thing I love about John's community is I learn nearly as much reading through the comments as I do in watching the video. You guys are seriously awesome about filling in the holes and adding extra incite to a video. I don't know if anyone else commends the commenters, but keep it up you guys/gals, you are doing newbs like me a real service, thank you.

6:45 Another thing is, 5:02 the zip file that created that executable was less than 10 megabytes, but the exec itself is around 700 megabytes. Compression can reduce file size, it cannot reduce it by several orders of magnitude. Unless of course 99% of the file is just the same data repeated over and over and over again, then it can.

My first guess would be they've shared the "Private Video" with you via KZbin, and in the message they can attach along with that video when sharing is where they've added the Google Drive URL. Causing KZbin to send you a genuine email, from the legitimate KZbin email address, along with the shared video, and their phishing message. Because the message contains a Google Drive link, Gmail automatically "adds them" to the email at the bottom making them look like an attachment which is why you can see the .zip file immediately. It's especially scary given that even if KZbin terminate the account as they did with your first example, that email will still be in users inboxes, with links pointing to malicious stuff likely still up and available, meaning unless KZbin stop this before it happens, banning the account after does nothing but stop them sending out more from that account, which likely takes seconds to create a new one.

Someone should make a testing distro that's full of poisoned info. Like instead of the malware stealing info, it just steals malware. Has anyone ever done something like this? Is it even feasible?

My guess is they didn't fake the mail address, they used a share function in Google / KZbin somewhere.

SPF (Sender Policy Framework) specifies what servers are allowed to send emails for a domain. DKIM (Domain Keys Identified Mail) provides usually RSA public keys via DNS - emails are then signed using their private keys. The emails you received passed these checks, meaning they are definitely sent by KZbin's mail servers.

Fascinating as always! I really appreciate the longer videos where you take time to dig into stuff a little bit more and show us some ways to extract information. Thanks!

This is a notification email from KZbin when someone shares a video from YT with you (just like the google drive one for sharing a file from there). The attacker used the KZbin email template and changed it to look like an official KZbin email rather than a notification email. If you for example share this video with let's say David Bombal via email, he will receive an email from KZbin with this title: John Hammond sent you a video: "The Latest KZbin Malware Scam"

I see how this scam works as soon as I saw it the first time. It's literally the share feature, I love how everyone thinks it's this over engineered scam, whilst in reality, it's just a shared video that was generated by KZbin. Kind of stupid that a company this large allows you to do that.

First thing I do with any email I wasn't expecting is check the header info to make sure they haven't spoofed the email address. Not sure how the hell they spoofed all that header info, maybe they used the private video backend to invite you to the video so it actually came from KZbin?

I have the feeling Internet is getting overwhelmed with scammers and nothing is done. It just goes that far that I start to get disgusted using Internet. I get scam mails through all means of communication channels. Out of 5 emails, 4 are spam, 3 are scams.

To send an email from the youtube domain, simply upload a video, set it to private, then use the "Share privately" feature. Notice the email subject? "Channel name sendt you a video: Video title"

I don't know whether should we be worried by these attacks, or should we be entertained by these

Hey John. First time commenting on one of your videos. I love the content and keep it up.

the download link isn't sus at all lol: "&confirm=no_antivirus"

Hey John, SCR can also just stand for "Script" file. I remember, was it black nurse? That relied heavily on this because it allowed for directly running scripts from any FQDN, not just local files, and got past TONS of heuristics scanning at the time, I think I have a malware sample for this somewhere. Because why would a file extension, on a file extension aware OS, be only one thing?

The link says no antivirus 😂😂😂

I’d be laughing at the email from the get-go. So many subtle clues, and some just glaring.

~700MB? Hmmm... xvid rips? Gododness, i'm so old.

I see myself as safe from phishing malware because I'm not a celebrity/influencer, so I'm not targeted in particular, but mainly because I don't trust any emails I wasn't expecting in advance (and that narrows it down to 2FA)

Used to be an email delivery analyst and this was actually pretty common to see come through the office and we'd flag it

what really blows my mind, is that somehow, someone managed to either gain access to or managed to create a passable spoof for the youtube/google domain, which is scarry and impressive, yet the email still reads like a complete scam, i don't understand how someone can be so clever, but at the same time not able to write a email that looks real, because in my expiriance, writing the email is a lot easier then getting access to, or creating a passable spoof. i know not everyones first language is English, it's not mine either, but you would think that someone that goes trough this much effort to make the domain seem real and legit, would go trough at least as much effort to make the email seem legit.

CPG Grey just released a video saying, to "combat" the scam comment bots, he is only going to let people comment he can verify is human. Although, he is only going to verify people who pay to support his channel. So, I can't tell if he is genuinely trying to combat anything.

It's almost like they aren't even trying anymore

Thank you. Informative as always...

John Hammond the guy that turns scam attempts in youtube content and I dig it

Fascinating that the .scr file had a digital signature, I wonder if they stole a signing key from someone

Emails from KZbin to you, will have that very odd email address that KZbin has for you, it has dashes in it and everything. One way to thwart them is have a different email address on the "contact us" than the one that owns the channel. Then all emails go to the new email but get tagged to the other, non listed address

This is such an obvious trap, obvious shady stuff I wouldn't ever believe to be real. If someone falls for this...

4:00 the mail address isn't spoofed, that is why it passes on SPF and DKIM. The channel name You Tube (with the space in between) is spoofed. The email itself is therefore legitemately sent from Google's/KZbin's mailserver.

That is why KZbin violated thier own terms of services too

Also that wasn't the CEO of KZbin. That was the CEO of Google.

If KZbin actually did change the rules, then they would make a PUBLIC video and email you with something like "Effective [date], [info]." with a link to YT's help center article about the policy or something.

2:51 Nice to see that you also watch NetworkChuck and have to fight with these damn spambots XD

You can tell the email is fake because it asks you to do anything through the email itself. That is normally reserved for verification and other important things that happen because you were just on the site and waiting for the email. Email is not valid communication in of itself, it can only warn you to go to the main site for email to work. ...yet enough people use it as full communication that these scams work.

22:13 yeah, of course they have. and i’m sure there isn’t just one channel, there are a lot

Love your stuff man!

Give this man a rusted old rock and he will take 30 mins to tell you its not gold.

Yeah, they are emailing you from inside their youtube account. They are sharing a video, or messaging your from the platform, that why it looks legit.

You gotta look at the bottom most "Received-by:" line in an email header. Thats the originating server - check the network record on the IP and you know where its from.

Another excellent video !!!, i love your content !!

the 7 days deadline sounds like Samara from the Ring film lmao

Hi, subtitles are not available, may them be, please? Thanks a lot

The sharing function of a private video is obvious, but how the hell did they add the description "This email has been sent..." down below? You can't add any description when sharing.

Great video John, keep the long videos coming!

I am getting mail from no reply dropbox, haven't opened it though

why google don't stop and pause all no-reply youtube gmail?

Someone please setup a bunch of scam sites but insted of asking for money let them know this is a scam and theyll ignore things like that from then on using the same methods scammers use to get customers

That's pretty cool indeed...for scammers. Why though it couldn't read first file? Packed differently?

so did anyone think to report that fake yt team channel?

I love your videos. So good. I learn so much about what I didn't know

In the upper left, under the senders email and next to the "to me" there's a down arrow that shows who the security of the email is signed by.

why are screen savers executable?

i mainly delete youtube emails because they send you who has commended on your comment. maybe if people need to use emails. and i am sure people use Microsoft windows you can use What Are Disposable Virtual Machines, like Windows Sandbox Sandbox is a temporary isolated desktop environment where users can run untrusted or even just new software to test out before running it on their actual host environment.

John that’s absolutely insane all that Data In one file Thanks For tip Bud

I love your Videos so much and I am really into this stuff. I am looking forward to be in the cyber security one day too.

John: "..into an already very long video..." Me: Jokes on you I love these long malware analysis videos 23:50

Thanks for sharing

I seriously wonder how they do this

have you analyzed the sender of this email

What about the redirecting issue. Some videos or shows are blocked unless you follow the link in the comments. When you do right away, I get a warning that says it's a malicious website! The shows i pick dont contain bad stuff either. What do viewers do?

scary that they got the dkim and dmarc to pass with the youtube domain, huge breach and they can be sued

me : getting ip info of sender

Antivirus software really needs to start checking a file if it is really that big or just a bunch of null or random bullshit appended to it.

I forget which channel, but someone else on KZbin looked at this scam and played the video. It used deepfake technology to try to give the impression it was an official announcement from Google's CEO. The deepfake parroted the same info in the description of the video, as seen in the email. Chances are that they shared the private video with another channel you own and control. For example, if you run channels A and B, each with a different email address, and you list the email address for B on your About page for channel A, then, whenever someone shares a private KZbin video with you, it will only be available if you're actively signed in to channel B. If you're still signed in on channel A, you'll get a "This video is private" error message, even if you're technically signed into channel B. Once you switch from channel A to channel B, the video will be visible to you.

I knew SPF Record wont fix anything sooner or later...

6:34 What is "ytscam" Are the blatantly saying this is a scam? 🤔

I would not tell people to check out the links from an obvious phishing scam that could be loaded somewhere with a virus.

Nohin else like watching a video about scams and getting a scam ad

This is same scam but the dumbest one so far. If you have the knowledge, you can easily turn the tables.

Amazing video, keep it up.

this video felt like it was only 3minutes long

Suppose they used the Share Option, How did they manage to write a custom email and attatch the zip? , and it couldnt be email domain spoofing cuz youtube has dmarc records for that, kindly reply if you know more about this

Holy shit. Seems to me Google has some spf flaws, or can this be spoofed otherwise?

Hey John , when these videos go into a more scammer type side , there are people for that. There is a guy named pierogi who exclusively does internet scams , Big youtuber , You should definitely collab with the guy , you all could use each other. Both good professionals together working on a resolution maybe? Aaaaaand, So , should I start flooding that email for you now , Or later? Aaaaaand This is just another side reason , why we all should not be so reliant on devices and be more diligent. Thanks for posting!

Can't you go after that Gmail and domain name and catch that person using help of Google and hosting providers

If DKIM and SPF records are correct than yes, this email came from KZbin server. I would love to see the message headers because something more might be in there.

Sooo... What are the steps concerning that control server now? When you take that down/over, all connected infections are useless right? Of course it's something for law enforcement from that point, but who and how is going to proceed killing the threat?

Every single of your videos are very interesting to learn. But, how do you find All the time to make videos, edit it and make corrections (unless you have a Team behind) besides your full time job man? Don't you get Burn out sometimes of pressure of creating constantly, posting all the time?

Potential compromise of a youtube server?

Done well 👍

Noob heee : so how'd they spoof the email domain?

I love these videos - funny when you see a hacker trying to hack a security expert :P

Wow what a genius 😂😂

21:44 there are a lot of those these days. you can find a lot of those in russian communities, these people most likely sell these files for people

Guys i got it today and had no idea. I clicked on the shared pricate video and it led me to youtube video as i was on mobile device. But i didnt see the zip file. I didnt click on any link that was in youtube video description. Should i be worried about clicking the video?

Hello John. Maybe a stupid question, but how to check if the link is real or fake. If, for example, it is fake and I click on it or copy and paste it into the browser, it is possible to pick up malware. Do I have any method or other possibility to check it? Thanks for the video and your warnings..

I use a rotating series of screenshots as my screensaver. Checkmate. (no way that could end embarrassingly)

Damn, its getting worse and worse 😂

Seems like a lot of KZbinrs have been getting this recently.

Hey just notice there seema to be a bot in the comments replying to comments with the base comment?

I can teach you about email but I'm in the process of starting my own security channel figuring out what to do that isn't already covered. I have about 25 years expeience as an independent security researcher speclizing in malware & vulnerability research. But if you are serious about it hit me up and we'll see if we can put something together. I believe I'm in your Discord too? I'll have to check because I'm in a lot of Discord channels for different niches too.

👍

"goowey" 6:27 :)

"Confirm no antivirus" is suspicious in the link

Th confident he clicks on those links 😮

You need Kaspersky to protect you, bro.

OMG IM CRYING 99:59:59