Evening Standard
Alan Martin

AI-generated videos are being used to spread malware

It’s claimed that every minute, over 500 hours of content is uploaded to YouTube, which makes policing content on the site an ever-growing challenge.

It also makes the site an appealing avenue for cybercriminals: even though you can’t get a virus by watching a video on the site, you can be fooled into clicking on attached links, opening your PC up to all kinds of nasties. The trick, from the scammer’s perspective, is to make the video convincing enough to encourage the click.

For most, it’s a numbers game. With videos quickly deleted when reported, it doesn’t make sense to invest time in a well-presented scam, but AI is presenting criminals with a very appealing shortcut.

Since November 2022, the cyber intelligence firm CloudSEK has tracked a 200-300% increase in videos with malware-packed links in the description. A good portion of the videos feature presenters that appear human-like at a glance, generated from AI persona building tools such as Synthesia and D-ID. These tools generally serve a legitimate purpose: creating videos with AI avatars and a text-to-speech engine to make training, recruitment and promotional clips appear more engaging without the effort of filming an actual human.

With just a few minutes of searching, the Standard was able to find plenty of examples of these avatars being used in the way described by CloudSEK: realistic human faces promising pirate software, including Photoshop, Autodesk, AutoCAD and recent triple-A games free of charge. The avatars smile, blink and even occasionally swallow, making them — at a glance — appear extremely convincing.

The quality varied, with some wasting the convincingness of the visuals with a clearly robotic voice, but one or two sounded far more authentic, with speech patterns realistic enough to match the lifelike facial features.

The main giveaway — other than the ‘free lunch’ nature of the videos — was that the script appeared identical between the majority of videos examined by the Standard. “Hello dear friends, in this video I will tell you how to download paid software absolutely free of charge without viruses, torrents and registrations,” the majority of videos began.

“Now let’s get started,” the avatar continued, mimicking one of the most common YouTube refrains, before instructing viewers to click the link in the description and abruptly stopping with a short, sharp sign off: “that’s all I have, thanks for watching, I wish you a nice day.” It’s all over in under 25 seconds, with the remainder of the footage presenting the words “link in the description” for another few minutes.

The most convincing example we found used a different script and eschewed the robotic text-to-speech engine for a more realistic sounding human voice. It does indeed appear human, as the screenshot below demonstrates.

A screenshot of an AI-generated scam video. (Screenshot by Alan Martin, via YouTube)

But otherwise, the method was the same: in the description, a file hosted by MediaFire with a password attached, as described by CloudSEK.

This, and other examples we found, were uploaded to legitimate accounts with hundreds of thousands of followers. These accounts were typically dormant, having not posted for months or even years, and it’s likely their passwords had leaked in a breach elsewhere, allowing scammers to take advantage of a large existing subscriber base.

To add legitimacy to something that most critical thinkers would see as thoroughly fishy, many videos are quickly packed with comments vouching for the download. Though, like the repeat script and robotic voice, these aren’t necessarily the most convincing:

An example of an AI-generated scam video’s comment section. (YouTube / CloudSEK)

For now, the threat appears to lack sophistication, with short, generic scripts failing to match the specific promises of each video title. But, like similar AI-based scams on LinkedIn, it’s not hard to see how this technique could get far more convincing with slightly more care and attention.

While there are telltale signs to spot AI avatars and deepfakes (awkward posture, lighting mismatches, unnatural facial movements and iffy lipsyncing), things are only going to become more sophisticated over time as the technology improves and creation software becomes more accessible. With that in mind, the best advice is as old as time: there’s no such thing as a free lunch.
