Popular YouTubers are akin to other celebrities in daily life. They have hordes of fans following their exploits, with many of those fans wishing some of the stardom would rub off on them. Hackers are now exploiting this desire and leveraging famous YouTubers in a phishing scam. Phishing remains a popular method of getting users to hand over vital information and often involves hackers trying to lure unsuspecting victims to a site to trick them into disclosing their login, password, credit card number, or PIN, or simply to redirect traffic to generate click revenue. More often than not, hackers create authentic-looking emails or websites to act as the lure, often including some form of social engineering to get the user, now a victim, to enter information without question.
Articles published by both Kaspersky Labs and RiskIQ detail how the scam operates and its eventual goal. Many instances of cybercrime go unreported by the larger news networks; however, given our fascination with famous individuals, this event has been covered by the BBC and the Verge. In summary, the scam involves sending an email to the target from what would appear to be a famous YouTuber, with the email often stating that the recipient stands in line to win something, be that an iPhone X or something else of value. In order to be entered into the competition, the recipient just has to follow a few simple steps involving a few mouse clicks. If this is done, the recipient is now the victim.
Such schemes are relatively simple in execution. The scammer (calling them hackers may be too generous) will first set up a YouTube account and change the avatar and displayed channel name to make them identical to those of a famous YouTuber. They exploit a standard YouTube feature that allows users to display any channel name irrespective of the account name. Then the scammers will send out friend requests en masse, exploiting the fact that friend requests can be sent to anyone on the platform. By doing this, the scammers do not even have to bother with uploading content in order to make the channel appear legitimate, as a request does not have many features needing to be fraudulently copied, just a name and image.
Many fans would accept a request from one of their favorite YouTubers without questioning it. So far Marques Brownlee, Philip DeFranco, James Charles, Jeffree Star, Lewis Hilsenteger from Unbox Therapy, Bhad Bhabie, Craig Thompson, Deji (ComedyShortsGamer), and Ryland Adams have reported being impersonated.
The Main Aim of the Scam
All scams have a goal and, as with other cybercrimes, the goal is often to turn a quick profit. The above scam is no different in that respect, but it does so in a way that is not easily detected by the victim. As an added bonus to the scammer, victims are also tricked into handing over important personal information which could be used in identity theft. The email will always include a link which, when clicked, redirects to a website developed by the scammer. Here the victim will enter their contact details and other information in the hope of winning a prize. The scammer now has valuable information they can use themselves or sell on Dark Web marketplaces. Interestingly, these sites include reCAPTCHA tests, those “you are not a robot” panels, to further convince the victim of the site's authenticity.
Then the victim will be asked to take a survey. If the victim agrees, they will be redirected to a new site, which in turn leads to a third site, and so on and so forth. This is where cybercriminals make their money, simply by driving traffic. They rack up referral clicks to the landing pages from organizations that provide them with kickbacks. While frustrating, it could easily be assumed that this will not harm the victim in any discernible way. However, security researchers will be quick to point out that this opens up the victim to drive-by downloads, which may install ransomware or banking trojans that will result in further financial damage.
According to the article published in The Verge, YouTube is in the process of implementing measures to prevent impersonation from occurring. As it stands, the company's policy regarding impersonation states that “copying a user’s channel layout, using a similar username, or posing as another person in comments, emails, or videos may be considered harassment.” The company also has policies regarding scams, stating that “Content that deliberately tries to mislead users for financial gain may be removed, and in some cases, strikes may be issued to the uploader.” However, it is unclear what new measures YouTube is currently implementing to prevent further impersonation and similar scams.
While YouTube is looking to remedy the situation, users can take steps to increase their online security and prevent themselves from becoming a victim. Researchers suggest that users treat all friend requests and direct messages with suspicion. In this regard, it is important to verify who sent the request or message before accepting it. Further, users can also check whether the channel is marked as an official one and, at the very least, scrutinize its contents. One of the more general, but incredibly important, ways to remain safe and secure online is to never provide your sensitive information on websites you get to from links in a message received over any platform. The universal law of “if the deal sounds too good to be true, it probably is” also applies online.