One persistent Phish
Fortunately, there are several steps involved in this attack. Hopefully this will give unsuspecting users more of a chance to recognise they are being targeted. Flow of the phishing chain (NB the credential harvesting page is replace with the YouTube video):
The interesting part of this attack to me, is that it leveraged one of MySpace's domains to redirect users to the next stage. However, if you try to visit one of the links - without clicking on the button in the URL - it will redirect you to the same YouTube video.
Example YouTube comment from these videos:
Interestingly, I also used URLscan.io here for to check for pages that also redirect to this odd YouTube video. Looking at how often it has been submitted this appears to be an active, ongoing campaign.
Using OSINT techniques such as checking WHOIS data of the malicious domains, we can also learn more about who is behind these attacks. From this, we learn both of the domains were registered through an Indonesian Registrar and hosted with ASNs that are notorious for allowing malicious content and slow for takedowns.