Attackers target Romania using AI-generated videos

This blog post is a continuation of a previous one. We’ve recently seen a YouTube ad that presented a “unique” opportunity to invest in stocks. The attackers used a legitimate podcast that was modified using AI. We believe that the account promoting the unlisted video (https[:]//www.youtube[.]com/watch?v=rFk6gcrUuIE) was compromised:

Figure 1

The targeted users are advised to contact the scammers using the form presented below. We could already observe mistakes that should be spotted by a native Romanian speaker:

Figure 2
Figure 3

Furthermore, some sentences contain words that are not in Romanian and should raise a red flag:

Figure 4

The attackers tried to add more legitimacy to the contact forms by adding diacritics to the text:

Figure 5

Another mistake observed was that the copyright contained a generic domain name and not the actual domain (see Figure 6).

Figure 6

Finally, some domains embedded clear mistakes in the code, as shown below:

Figure 7

We advise users not to enter credentials on suspicious websites and to report suspicious ads on YouTube. The methods used to identify additional domains in this campaign were described in the previous article. The list of all domains identified in this campaign:
