Hi John, they used a share function in KZfaq. So they have a private video, so you can't see it, but the thing with private videos is that you can give access to someone. So they add your and other youtubers emails, so you would get this email from youtube, stating that this and this channel shared a video with you. In the email you can see description and title of the video. Once you receive that email - the scammers just remove access so you can't see it, that's why it says the video is private, but you got email from official youtube domain.

This is why whenever I receive an email saying like "Suspicious activity, you can reset your password at this link: [link]" I just close the email, go to the actual website - and change it through there rather than following the link. Can't even trust the email it's coming from now.

My first guess would be they've shared the "Private Video" with you via KZfaq, and in the message they can attach along with that video when sharing is where they've added the Google Drive URL. Causing KZfaq to send you a genuine email, from the legitimate KZfaq email address, along with the shared video, and their phishing message. Because the message contains a Google Drive link, Gmail automatically "adds them" to the email at the bottom making them look like an attachment which is why you can see the .zip file immediately. It's especially scary given that even if KZfaq terminate the account as they did with your first example, that email will still be in users inboxes, with links pointing to malicious stuff likely still up and available, meaning unless KZfaq stop this before it happens, banning the account after does nothing but stop them sending out more from that account, which likely takes seconds to create a new one.

My guess is they didn't fake the mail address, they used a share function in Google / KZfaq somewhere.

Thing I love about John's community is I learn nearly as much reading through the comments as I do in watching the video. You guys are seriously awesome about filling in the holes and adding extra incite to a video. I don't know if anyone else commends the commenters, but keep it up you guys/gals, you are doing newbs like me a real service, thank you.

Someone should make a testing distro that's full of poisoned info. Like instead of the malware stealing info, it just steals malware. Has anyone ever done something like this? Is it even feasible?

6:45 Another thing is, 5:02 the zip file that created that executable was less than 10 megabytes, but the exec itself is around 700 megabytes. Compression can reduce file size, it cannot reduce it by several orders of magnitude. Unless of course 99% of the file is just the same data repeated over and over and over again, then it can.

SPF (Sender Policy Framework) specifies what servers are allowed to send emails for a domain. DKIM (Domain Keys Identified Mail) provides usually RSA public keys via DNS - emails are then signed using their private keys. The emails you received passed these checks, meaning they are definitely sent by KZfaq's mail servers.

To send an email from the youtube domain, simply upload a video, set it to private, then use the "Share privately" feature. Notice the email subject? "Channel name sendt you a video: Video title"

Fascinating as always! I really appreciate the longer videos where you take time to dig into stuff a little bit more and show us some ways to extract information. Thanks!

This is a notification email from KZfaq when someone shares a video from YT with you (just like the google drive one for sharing a file from there). The attacker used the KZfaq email template and changed it to look like an official KZfaq email rather than a notification email. If you for example share this video with let's say David Bombal via email, he will receive an email from KZfaq with this title: John Hammond sent you a video: "The Latest KZfaq Malware Scam"

First thing I do with any email I wasn't expecting is check the header info to make sure they haven't spoofed the email address. Not sure how the hell they spoofed all that header info, maybe they used the private video backend to invite you to the video so it actually came from KZfaq?

Hey John. First time commenting on one of your videos. I love the content and keep it up.

Thank you. Informative as always...

Love your stuff man!

I don't know whether should we be worried by these attacks, or should we be entertained by these

Hey John, SCR can also just stand for "Script" file. I remember, was it black nurse? That relied heavily on this because it allowed for directly running scripts from any FQDN, not just local files, and got past TONS of heuristics scanning at the time, I think I have a malware sample for this somewhere. Because why would a file extension, on a file extension aware OS, be only one thing?

Great video John, keep the long videos coming!

I’d be laughing at the email from the get-go. So many subtle clues, and some just glaring.

The link says no antivirus 😂😂😂

the download link isn't sus at all lol: "&confirm=no_antivirus"

Used to be an email delivery analyst and this was actually pretty common to see come through the office and we'd flag it

I see myself as safe from phishing malware because I'm not a celebrity/influencer, so I'm not targeted in particular, but mainly because I don't trust any emails I wasn't expecting in advance (and that narrows it down to 2FA)

I see how this scam works as soon as I saw it the first time. It's literally the share feature, I love how everyone thinks it's this over engineered scam, whilst in reality, it's just a shared video that was generated by KZfaq. Kind of stupid that a company this large allows you to do that.

Thanks for sharing

I love your Videos so much and I am really into this stuff. I am looking forward to be in the cyber security one day too.

~700MB? Hmmm... xvid rips? Gododness, i'm so old.

I love your videos. So good. I learn so much about what I didn't know

4:00 the mail address isn't spoofed, that is why it passes on SPF and DKIM. The channel name You Tube (with the space in between) is spoofed. The email itself is therefore legitemately sent from Google's/KZfaq's mailserver.

Another excellent video !!!, i love your content !!

It's almost like they aren't even trying anymore

Fascinating that the .scr file had a digital signature, I wonder if they stole a signing key from someone

You gotta look at the bottom most "Received-by:" line in an email header. Thats the originating server - check the network record on the IP and you know where its from.

I have the feeling Internet is getting overwhelmed with scammers and nothing is done. It just goes that far that I start to get disgusted using Internet. I get scam mails through all means of communication channels. Out of 5 emails, 4 are spam, 3 are scams.

In the upper left, under the senders email and next to the "to me" there's a down arrow that shows who the security of the email is signed by.

John that’s absolutely insane all that Data In one file Thanks For tip Bud

That's pretty cool indeed...for scammers. Why though it couldn't read first file? Packed differently?

After clicking the attached .zip file, the phone begins to ring. "7 days," says the You Tube Team!

This is such an obvious trap, obvious shady stuff I wouldn't ever believe to be real. If someone falls for this...

CPG Grey just released a video saying, to "combat" the scam comment bots, he is only going to let people comment he can verify is human. Although, he is only going to verify people who pay to support his channel. So, I can't tell if he is genuinely trying to combat anything.

why google don't stop and pause all no-reply youtube gmail?

You can tell the email is fake because it asks you to do anything through the email itself. That is normally reserved for verification and other important things that happen because you were just on the site and waiting for the email. Email is not valid communication in of itself, it can only warn you to go to the main site for email to work. ...yet enough people use it as full communication that these scams work.

That is why KZfaq violated thier own terms of services too

John Hammond the guy that turns scam attempts in youtube content and I dig it

Yeah, they are emailing you from inside their youtube account. They are sharing a video, or messaging your from the platform, that why it looks legit.

Emails from KZfaq to you, will have that very odd email address that KZfaq has for you, it has dashes in it and everything. One way to thwart them is have a different email address on the "contact us" than the one that owns the channel. Then all emails go to the new email but get tagged to the other, non listed address

If KZfaq actually did change the rules, then they would make a PUBLIC video and email you with something like "Effective [date], [info]." with a link to YT's help center article about the policy or something.

Amazing video, keep it up.

i mainly delete youtube emails because they send you who has commended on your comment. maybe if people need to use emails. and i am sure people use Microsoft windows you can use What Are Disposable Virtual Machines, like Windows Sandbox Sandbox is a temporary isolated desktop environment where users can run untrusted or even just new software to test out before running it on their actual host environment.

I seriously wonder how they do this

what really blows my mind, is that somehow, someone managed to either gain access to or managed to create a passable spoof for the youtube/google domain, which is scarry and impressive, yet the email still reads like a complete scam, i don't understand how someone can be so clever, but at the same time not able to write a email that looks real, because in my expiriance, writing the email is a lot easier then getting access to, or creating a passable spoof. i know not everyones first language is English, it's not mine either, but you would think that someone that goes trough this much effort to make the domain seem real and legit, would go trough at least as much effort to make the email seem legit.

22:13 yeah, of course they have. and i’m sure there isn’t just one channel, there are a lot

the 7 days deadline sounds like Samara from the Ring film lmao

Hi, subtitles are not available, may them be, please? Thanks a lot

I knew SPF Record wont fix anything sooner or later...

have you analyzed the sender of this email

why are screen savers executable?

2:51 Nice to see that you also watch NetworkChuck and have to fight with these damn spambots XD

The sharing function of a private video is obvious, but how the hell did they add the description "This email has been sent..." down below? You can't add any description when sharing.

I am getting mail from no reply dropbox, haven't opened it though

Also that wasn't the CEO of KZfaq. That was the CEO of Google.

Done well 👍

Suppose they used the Share Option, How did they manage to write a custom email and attatch the zip? , and it couldnt be email domain spoofing cuz youtube has dmarc records for that, kindly reply if you know more about this

If DKIM and SPF records are correct than yes, this email came from KZfaq server. I would love to see the message headers because something more might be in there.

Potential compromise of a youtube server?

What about the redirecting issue. Some videos or shows are blocked unless you follow the link in the comments. When you do right away, I get a warning that says it's a malicious website! The shows i pick dont contain bad stuff either. What do viewers do?

Sooo... What are the steps concerning that control server now? When you take that down/over, all connected infections are useless right? Of course it's something for law enforcement from that point, but who and how is going to proceed killing the threat?

Hello John. Maybe a stupid question, but how to check if the link is real or fake. If, for example, it is fake and I click on it or copy and paste it into the browser, it is possible to pick up malware. Do I have any method or other possibility to check it? Thanks for the video and your warnings..

Give this man a rusted old rock and he will take 30 mins to tell you its not gold.

Guys i got it today and had no idea. I clicked on the shared pricate video and it led me to youtube video as i was on mobile device. But i didnt see the zip file. I didnt click on any link that was in youtube video description. Should i be worried about clicking the video?

Hey John , when these videos go into a more scammer type side , there are people for that. There is a guy named pierogi who exclusively does internet scams , Big youtuber , You should definitely collab with the guy , you all could use each other. Both good professionals together working on a resolution maybe? Aaaaaand, So , should I start flooding that email for you now , Or later? Aaaaaand This is just another side reason , why we all should not be so reliant on devices and be more diligent. Thanks for posting!

Every single of your videos are very interesting to learn. But, how do you find All the time to make videos, edit it and make corrections (unless you have a Team behind) besides your full time job man? Don't you get Burn out sometimes of pressure of creating constantly, posting all the time?

so did anyone think to report that fake yt team channel?

Can't you go after that Gmail and domain name and catch that person using help of Google and hosting providers

me : getting ip info of sender

Nohin else like watching a video about scams and getting a scam ad

Noob heee : so how'd they spoof the email domain?

I love these videos - funny when you see a hacker trying to hack a security expert :P

Them sending John the email is like the thugs that broke into John Wick's house in the SECOND film. Like did you not get the memo who this N was???

Th confident he clicks on those links 😮

Someone please setup a bunch of scam sites but insted of asking for money let them know this is a scam and theyll ignore things like that from then on using the same methods scammers use to get customers

I use a rotating series of screenshots as my screensaver. Checkmate. (no way that could end embarrassingly)

Antivirus software really needs to start checking a file if it is really that big or just a bunch of null or random bullshit appended to it.

Wow what a genius 😂😂

Hi from brazil

Great

this video felt like it was only 3minutes long

This is same scam but the dumbest one so far. If you have the knowledge, you can easily turn the tables.

I forget which channel, but someone else on KZfaq looked at this scam and played the video. It used deepfake technology to try to give the impression it was an official announcement from Google's CEO. The deepfake parroted the same info in the description of the video, as seen in the email. Chances are that they shared the private video with another channel you own and control. For example, if you run channels A and B, each with a different email address, and you list the email address for B on your About page for channel A, then, whenever someone shares a private KZfaq video with you, it will only be available if you're actively signed in to channel B. If you're still signed in on channel A, you'll get a "This video is private" error message, even if you're technically signed into channel B. Once you switch from channel A to channel B, the video will be visible to you.

John: "..into an already very long video..." Me: Jokes on you I love these long malware analysis videos 23:50

scary that they got the dkim and dmarc to pass with the youtube domain, huge breach and they can be sued

Holy shit. Seems to me Google has some spf flaws, or can this be spoofed otherwise?

Seems like a lot of KZfaqrs have been getting this recently.

"Confirm no antivirus" is suspicious in the link

I would not tell people to check out the links from an obvious phishing scam that could be loaded somewhere with a virus.

"goowey" 6:27 :)

You need Kaspersky to protect you, bro.

I can teach you about email but I'm in the process of starting my own security channel figuring out what to do that isn't already covered. I have about 25 years expeience as an independent security researcher speclizing in malware & vulnerability research. But if you are serious about it hit me up and we'll see if we can put something together. I believe I'm in your Discord too? I'll have to check because I'm in a lot of Discord channels for different niches too.

21:44 there are a lot of those these days. you can find a lot of those in russian communities, these people most likely sell these files for people

Damn, its getting worse and worse 😂